Security Experts:

The Government's IT Supply Chain is Weak, Says GAO

The Department of Energy (DOE), Department of Justice (DOJ), and the Department of Homeland Security (DHS) need to tighten procedures and controls when it comes to mitigating IT supply chain issues, a recently published GAO report says. The Department of Defense was the only agency to make any progress on the issue.

According to the report, the GAO says that while the four agencies have acknowledged the threats that could exist in the supply chain, the DOE and DHS have no protection measures in place. The Department of Justice has protection measures, but no monitoring, leaving the Defense Department as the only agency with a positive report.

The GAO says that threats to the government’s IT supply chain include malicious logic on hardware or software; the installation of counterfeit hardware or software; failure or disruption in the production or distribution of a critical product or service; reliance upon a malicious or unqualified service-provider for the performance of technical services; and the installation of unintentional vulnerabilities on hardware or software.

Gregory Wilshusen, the GAO's director of information security issues, told lawmakers this week that with purchases being made from all over the world, the agencies need to check them for vulnerabilities that could slip in at any point between the manufacturing and shipping process. “The global IT supply chain introduces risks that, if realized, could jeopardize the confidentiality, integrity and availability of federal information systems," he added.

According to a report prepared by Northrop Grumman for the U.S.-China Economic and Security Review Commission and released in early March, U.S. Critical Infrastructure and supply chains are vulnerable. “Successful penetration of a supply chain such as that for telecommunications industry has the potential to cause the catastrophic failure of systems and networks supporting critical infrastructure for national security or public safety,” the report notes.

Video from the hearing, held by the U.S. House of Representatives Energy and Commerce Committee's oversight subcommittee, is available online here

The GAO’s report is here

Related Reading: The Need to Secure the Cyber Supply Chain

Related: Consortium Pushes Security Standards for Technology Supply Chain

Related: Students Develop Techniques to Keep Malware Out of the Electronics Supply Chain

view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.