The Department of Energy (DOE), Department of Justice (DOJ), and the Department of Homeland Security (DHS) need to tighten procedures and controls when it comes to mitigating IT supply chain issues, a recently published GAO report says. The Department of Defense was the only agency to make any progress on the issue.
According to the report, the GAO says that while the four agencies have acknowledged the threats that could exist in the supply chain, the DOE and DHS have no protection measures in place. The Department of Justice has protection measures, but no monitoring, leaving the Defense Department as the only agency with a positive report.
The GAO says that threats to the government’s IT supply chain include malicious logic on hardware or software; the installation of counterfeit hardware or software; failure or disruption in the production or distribution of a critical product or service; reliance upon a malicious or unqualified service-provider for the performance of technical services; and the installation of unintentional vulnerabilities on hardware or software.
Gregory Wilshusen, the GAO’s director of information security issues, told lawmakers this week that with purchases being made from all over the world, the agencies need to check them for vulnerabilities that could slip in at any point between the manufacturing and shipping process. “The global IT supply chain introduces risks that, if realized, could jeopardize the confidentiality, integrity and availability of federal information systems,” he added.
According to a report prepared by Northrop Grumman for the U.S.-China Economic and Security Review Commission and released in early March, U.S. Critical Infrastructure and supply chains are vulnerable. “Successful penetration of a supply chain such as that for telecommunications industry has the potential to cause the catastrophic failure of systems and networks supporting critical infrastructure for national security or public safety,” the report notes.
Video from the hearing, held by the U.S. House of Representatives Energy and Commerce Committee’s oversight subcommittee, is available online here.
The GAO’s report is here.
Related Reading: The Need to Secure the Cyber Supply Chain
Related: Consortium Pushes Security Standards for Technology Supply Chain
Related: Students Develop Techniques to Keep Malware Out of the Electronics Supply Chain
More from Steve Ragan
- Anonymous Claims Attack on IP Surveillance Firm Brickcom, Leaks Customer Data
- Workers Don’t Trust Employers with Personal Data: Survey
- Root SSH Key Compromised in Emergency Alerting Systems
- Morningstar Data Breach Impacted 184,000 Clients
- Microsoft to Patch Seven Flaws in July’s Patch Tuesday
- OpenX Addresses New Security Flaws with Latest Update
- Ubisoft Breached: Users Urged to Change Passwords
- Anonymous Targets Anti-Anonymity B2B Firm Relead.com
Latest News
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
