Nicholas said that companies lack even a common language to talk about supply chain risks and threats. Some organizations follow a similar tack as the House of Representatives: focusing on where software came from. Others are concerned about control and the integrity of the technology they are receiving. Still others focus on lifecycle management: sourcing, developing and deploying hardware and software in a safe way, he said.
The truth is that organizations must hit on each of those.
"The supply chain challenge is broad and very complex," said Andrew Howard, a Research Scientist at Georgia Tech's Research Institute. "You almost have to work backwards, starting with where you purchase the device, to the manufacture of the device, to the supplier who provided them with materials, to the configuration of the device," he said.
Cyber espionage aside, many companies are concerned that the hardware devices they buy online are authentic, rather than an inferior knock-off. And, even with authentic devices, organizations are concerned about undocumented back doors or security vulnerabilities that could compromise their security. "They want to know, 'If I configure this as the manufacturer has specified, are there any vulnerabilities that I can detect?'"
That's a good investment of time and energy, says Chris Wysopal, the co-founder and Chief Technology Officer at Veracode. "There is this Spy vs. Spy aspect, where people are looking for back doors in hardware," he said. "That's technically possible, but it's very rare - especially when compared with the prevalence of security vulnerabilities in software and firmware."
In fact, an in-depth security audit of Huawei gear by the German security researcher Felix "FX" Lindner, presented last month at the Hack in the Box security conference in Kuala Lumpur, didn't reveal any stealthy back doors for the PLA. But Lindner did find plenty of critical and remotely exploitable software holes. These pose a much higher risk considering that "everyone in the world" can exploit the vulnerabilities, not just the manufacturer of the device, Wysopal said.
Which isn't to say that back doors aren't common - they are. But they're not (just) in gear from China. Reputable vendors such as Siemens and others have been caught outfitting their remotely deployed products with administrative back doors that make it easier for the company's engineers to support customer devices in the field, Wysopal notes.
And the story isn't much better when you look at the software applications that companies buy - or develop - to run on that hardware. Veracode, which does application security testing, finds that around 8 in 10 applications sent to it for testing fail on their first submission.