DHS has seen instances of malware and other cyber-attack tools pre-loaded onto consumer electronic devices, a cyber-security government official told Congressional lawmakers.

Imported software and consumer electronics are often shipped with purposely embedded malware, according to a Department of Homeland Security official's Congressional

Electronics sold in the United States are being preloaded with spyware, malware and security-compromising components by unknown foreign parties, Greg Schaffer, acting deputy undersecretary of the DHS National Protection and Programs Directorate, testified before the House Oversight and Government Reform Committee July 7.

There has been some concern about supply-chain security, as computers, portable devices and other electronic devices pass through several suppliers before the final product goes on sale. A federal report released in January on the supply chain between the United States and China raised the possibility that somewhere along the line someone could compromise a component or design a capability that could

"These pieces are embedded in software and hardware, and people don't know that. It's very difficult to detect," said Rep. Jason Chaffetz (R-Utah), chairman of the subcommittee, before directly asking Schaffer, "Are you aware of any software or hardware components that have been embedded with security

"I am aware of instances where that has happened," Schaffer said. He did not offer any details on actual components or the type of devices DHS had uncovered with

This is a change from the language in the U.S.-China Economic and Security Review Commission staff report. The possibility of unknown parties maliciously tampering with electronics components has been "largely theoretical," the report said. Examples included "kill switches" being hidden in machines that would power down the system in response to remote commands.

Both Homeland Security and the White House have been aware of the threat for quite some time, Schaffer said. It is Homeland Security's responsibility to identify the technology that makes up the national infrastructure and defend it from cyber-attackers, but it's "one of the most complicated and difficult challenges" facing the department, Schaffer said. Foreign components can be found in practically every U.S.-manufactured device for both consumer and business use.

A joint task force by the DHS and the Department of Defense is investigating the problem, according to

Backdoors aren't necessarily limited to software applications, as hardware components, such as embedded RFID (radio-frequency identification) chips and Flash memory, could be compromised, according to the testimony.

However, it would be a challenge to determine whether vulnerabilities found in software and hardware were bugs that were overlooked or were inserted intentionally for malicious purposes. Even malware on hardware is not so clear-cut, as there have been instances of large companies accidentally distributing USB sticks infected with malicious software at conferences, such as IBM's mistake at the AusCERT security conference in May last year. Kaspersky Lab CEO Eugene Kaspersky has spoken about receiving a Flash card at a conference that

The White House also released a Cyber Policy Review that said only a small number of these incidents have been uncovered, but the threat was nonetheless real. The White House is interested in offering incentives for private companies to share information with the federal government to help identify and defend against threats.

adversary might narrowly focus on particular systems and make manipulation virtually impossible to discover," the report said.

The cyber-security session was the first in a series of hearings to examine the "threat to America's digital infrastructure," according to a statement by Rep. Darrell Issa (R-Calif.), the committee's chairman. Issa cited an Office of Management and Budget estimate that cyber-incidents against federal agencies have increased 39 percent in 2010.