SecurityWeek

The Government’s IT Supply Chain is Weak, Says GAO

The Department of Energy (DOE), Department of Justice (DOJ), and the Department of Homeland Security (DHS) need to tighten procedures and controls when it comes to mitigating IT supply chain issues, a recently published GAO report says. The Department of Defense was the only agency to make any progress on the issue.

According to the report, the GAO says that while the four agencies have acknowledged the threats that could exist in the supply chain, the DOE and DHS have no protection measures in place. The Department of Justice has protection measures, but no monitoring, leaving the Defense Department as the only agency with a positive report.

The GAO says that threats to the government’s IT supply chain include malicious logic on hardware or software; the installation of counterfeit hardware or software; failure or disruption in the production or distribution of a critical product or service; reliance upon a malicious or unqualified service-provider for the performance of technical services; and the installation of unintentional vulnerabilities on hardware or software.

Gregory Wilshusen, the GAO’s director of information security issues, told lawmakers this week that with purchases being made from all over the world, the agencies need to check them for vulnerabilities that could slip in at any point between the manufacturing and shipping process. “The global IT supply chain introduces risks that, if realized, could jeopardize the confidentiality, integrity and availability of federal information systems,” he added.

According to a report prepared by Northrop Grumman for the U.S.-China Economic and Security Review Commission and released in early March, U.S. critical infrastructure and supply chains are vulnerable. “Successful penetration of a supply chain such as that for telecommunications industry has the potential to cause the catastrophic failure of systems and networks supporting critical infrastructure for national security or public safety,” the report notes.

Video from the hearing, held by the U.S. House of Representatives Energy and Commerce Committee’s oversight subcommittee, is available online.

The GAO’s report is also available online.
