How Secure are the IT Wares You Buy? Assuring the Supply Chain Integrity

A growing concern for enterprises is ensuring the integrity of the computer products they buy.

Gartner Fellow Neil MacDonald, along with colleague Ray Valdes, had been researching the topic of supply-chain integrity for months when the House Permanent Select Committee on Intelligence issued a report indicating that computer components manufactured by two Chinese companies might have been altered to allow the Chinese government to spy on Western enterprises, an accusation the manufacturers, Huawei and ZTE, deny [see House Panel: 2 Chinese Firms Pose IT Security Risks].

That news shed light on the lack of transparency within the IT supply chain, MacDonald says. "This issue of supply-chain integrity affects all of us and it affects all equipment," he says in an interview with Information Security Media Group [transcript below].

To mitigate the risks, enterprises need to demand more transparency. "Where did the product come from? Where did the components come from? How was it created? ... There are things that you can ask for and that you can require as a part of your procurement process, but you have to know to ask," he says. "I think that's where there's a growing awareness that people need to understand."

MacDonald says enterprises can ask for proof of testing and certifications. They also can ban procurement of any product from eBay and other third-party auction sites "where the assurance of the equipment is highly questionable," he says.

In the interview, conducted by Executive Editor Eric Chabrow, MacDonald:

  • Defines supply-chain integrity as it relates to enterprise IT hardware and software;
  • Explains what steps enterprises should take to assure the integrity of the IT wares they procure;
  • Ponders why supply-chain integrity will be among the top security-related concerns among Global 2000 IT leaders in the next three years.

MacDonald also holds the title of research vice president and serves on Gartner's information security and privacy research team. He joined the company in 1995. Previously, he worked as network specialist responsible for the planning, deployment, security and support of a 9,500-node multiprotocol and multiserver network.

Supply-Chain Integrity

ERIC CHABROW: First off, define supply-chain integrity?

NEIL MACDONALD: Supply-chain integrity can be simply defined as having assurance and trust in the integrity of an IT solution that's delivered to you, whether it's hardware or software, throughout the entire lifecycle of the solution. From it's creation in construction and assembly, to the point where it's shipped, delivered to you, deployed within your environment and ultimately maintained and serviced over time until it's retired, we need assurance and trust in that IT solution throughout its lifecycle, and that, at its essence, is the nature of IT supply-chain integrity.

CHABROW: Why is this becoming a big concern now?

MACDONALD: We had identified this as an emerging issue months ago and I embarked on this research project earlier this year. What has happened recently that has gotten mainstream attention on this issue was the reported early results of a U.S. Congress hearing that was held with Huawei and ZTE. These are two Chinese manufacturers of telecommunications equipment. Preliminary results were leaked that indeed these two firms may be banned from doing business in the U.S., certainly with U.S. government agencies, and all of a sudden the issue went from the back-burner to the front-burner. A lot of people had never heard of Huawei or ZTE. Now we're seeing them in the news because this was widely covered and it has the potential to spark a broader type of trade war if you played this scenario out.

CHABROW: If I recall those hearings, there was fear that the Chinese government may be using these Chinese firms to take some of their technology, which some people fear could spy on American companies and governments, perhaps taking trade secrets or other kind of secrets. Correct?

MACDONALD: That's the fear. If you dig into what actually transpired during the hearing, the largest complaint centered around the lack of transparency of the Chinese government and their involvement in these businesses. The argument from the representative from Huawei was that they're a commercial entity; they're a worldwide company. It would be corporate suicide if they did such a thing, but the pushback from the folks on the committee was, "How do we know what the relationship is between the Chinese government and your company? What influence do they have on your board? How was the company founded? Where did the money come from?" Ultimately it was that lack of transparency that was cited in this preliminary recommendation that these two companies be banned.

Lack of Transparency

CHABROW: I think this was pointed out by one of the company representatives, but they found these concerns unfounded. They nevertheless point out that this could happen from other companies as well, which I guess is what you're looking into.

MACDONALD: Right. If you look inside a Cisco product or you look inside any company's product, many of the components originate from China. So how far down this rabbit hole do we go before you lose trust in all of your IT systems? Many of the components and much of the software is created offshore and outside of the direct control of firms or governments. That was the point of ZTE. I believe it was their representative who said, "Why are you picking on us? This issue is not just about ZTE and Huawei. It's about all IT." And I agree with that.

What was called out in the preliminary report was the lack of transparency and the ownership and the influence that I talked about a moment ago. But this issue of supply-chain integrity in fact affects all of us and it affects all equipment. Even if you aren't using Huawei or ZTE equipment, you're affected or you have the risk of being affected by these issues and that was the point of our paper. We use Huawei and ZTE as examples within the paper, but there are many examples, including counterfeit Cisco parts that had made their way into various U.S. companies, including the FBI itself. That was one of the examples that we called out, that this is not just Huawei and ZTE. It's not just an issue for Chinese countries; it's an issue for any technology company worldwide.

Assuring Supply-Chain Integrity

CHABROW: A lot of our listeners are people responsible for IT security and risk management in enterprises. What should they be doing to assure supply-chain integrity?

MACDONALD: At one extreme you'll hear people say, "I don't even have time to worry about this problem." I actually disagree with that. Enterprises can certainly demand more transparency, the same type of transparency that the committee was asking of Huawei and ZTE. Organizations can ask for that level of transparency from your suppliers. Where did the product come from? Where did the components come from? Can your supplier show you a chain of custody from each component? How was it created? Where did it come from? Where was it sourced? Does the provider perform periodic sampling to make sure that there are not counterfeit parts introduced or back-doors that are introduced? For any software based components, are they performing security testing and looking for back-doors? Have outside third-parties certified the hardware designs or the software designs, or the in-between gray area of firmware?

Absolutely there are things that you can ask for and that you can require as a part of your procurement process, but you have to know to ask. I think that's where there's a growing awareness that people need to understand. They can ask their suppliers for this type of transparency, for proof of testing or proof of chain of custody, to certify their resellers, to ban procurement from eBay and other third-party auction sites where the assurance of the equipment is highly questionable. There are absolutely steps that organizations can take.

CHABROW: Do most organizations have the wherewithal to do that, or is there something the industry needs to do to assure that their products are safe?

MACDONALD: It comes from both sides. Enterprises should ask for this, and, likewise, vendors, whether it's HP, Dell, Cisco or a Huawei, should strive to be as transparent as possible. It comes from both sides, but the larger enterprises absolutely have the ability to influence the procurement process. It's just a matter of introducing this discipline in the questionnaires that you send your suppliers and the types of questions in survey responses that you require them to demonstrate.

Strategies for Small Businesses

CHABROW: What about smaller businesses?

MACDONALD: If you're a smaller business, you can look then to larger enterprises and what they approve for procurement, or you could look to a government that you trust. For example, say you're a U.S.-based small business, you could look to the types of equipment that the U.S. government approves for use on its networks, and you can infer a level of trust from that, even if you don't have the ability to directly influence the manufacturers yourself.

You can also restrict your purchases of equipment and software to tier-1 or tier-2 resellers, ones that are certified. Ideally, purchase directly if you can from the vendor, but don't go through a tier-1 or tier-2 reseller. Go through one that has been certified by the provider, but do not always procure based on lowest cost. And I would recommend against purchasing used equipment or software off of public auction sites.

The Role of Government

CHABROW: Is there any role in government in legislating anything to help in this situation?

MACDONALD: As you can see with what happened recently, the government is getting involved certainly for government procurement. What's happening though is this is having a domino effect into critical infrastructure protection. For example, in the paper we called out a communications infrastructure project in Australia where Huawei was banned because of national security concerns. Recently, within the past several weeks as a result of what the U.S. is doing, Canada is considering banning Huawei from one of its national telecommunications projects. There's a ripple effect here. As one of the western-aligned countries like the U.S. expresses a concern, you start to see other countries. Canada in this case is an immediate result of the preliminary report now changing their plan.

CHABROW: But that's for the direct dealing with Huawei, not necessarily the components in the Cisco product or something like that.

MACDONALD: I agree. The issue goes deeper. It's not just a problem with Huawei. Huawei has become the poster-child of this issue and it has raised awareness of this issue, but it would be a mistake to assume this only applies to Chinese-owned companies. The issue is pervasive in IT, given the global nature of the IT supply chains both for hardware and software.

IT Supply Chain: Top Security Concern

CHABROW: As I mentioned at the beginning of this conversation, Gartner predicts that in five years IT supply-chain integrity will be one of the top three security-related concerns by global 2000 IT leaders. Why so?

MACDONALD: There are a variety of reasons supply-chain integrity becomes a top-of-mind issue by 2017. Number one is it's already becoming a mainstream issue. We started this research about six months ago, before the congressional hearings and before the report that says accordingly that Huawei and ZTE are going to be banned. We felt the industry was on this track anyways and the recent events have only accelerated it. So if anything, it will be a top-three issue before 2017. We believe the projection will be spot-on. But why did we think that?

Even before what happened recently with the congressional testimony and their recommendation, the increasing interdependency and complexity of the IT supply chain, combined with the increasing motivation of hackers to find new ways to attack, means that inevitably supply chains will be targeted. If you can't attack a system successfully in production, then let's look backwards in time to when that system was created, how it was built, the people that handled it and shipped it, and let's look forward in time to how it's maintained and serviced over time. The bad guys that are looking to either steal our secrets or take our information or cause damage, they're looking for any vulnerability throughout the entire lifecycle, and that's by definition when we started the conversation of supply-chain integrity. How do I gain assurance in this IT system throughout its entire lifecycle?

There are a variety of reasons that we discuss in the paper, but the two biggest that contribute here are the growing complexity of IT supply chains and technology, as well as the changing motivation of the attackers.

Around the Network