Imported software and consumer electronics are often shipped with purposely embedded malware, according to a Department of Homeland Security official's Congressional testimony.
Electronics sold in the United States are being preloaded with spyware, malware and security-compromising components by unknown foreign parties, Greg Schaffer, acting deputy undersecretary of the DHS National Protection and Programs Directorate, testified before the House Oversight and Government Reform Committee July 7.
There has been some concern about supply-chain security, as computers, portable devices and other electronic devices pass through several suppliers before the final product goes on sale. A federal report released January on the supply chain between the United States and China speculated the possibility that somewhere along the line someone could compromise a component or design a capability that could enable cyber-attacks.
"These pieces are embedded in software and hardware, and people don't know that. It's very difficult to detect," said Rep. Jason Chaffetz (R-Utah), chairman of the subcommittee, before directly asking Schaffer, "Are you aware of any software or hardware components that have been embedded with security risks?"
"I am aware of instances where that has happened," Schaffer said. He did not offer any details on actual components or the type of devices DHS had uncovered with harmful components.
This is a change from the language in the U.S.-China Economic and Security Review Commission staff report. The possibility of unknown parties maliciously tampering with electronics components has been "largely theoretical," the report said. Examples included "kill switches" being hidden in machines that would power down the system in response to remote commands.
Both Homeland Security and the White House have been aware of the threat for quite some time, Schaffer said. It is Homeland Security's responsibility to identify the technology that makes up the national infrastructure and defend it from cyber-attackers, but it's "one of the most complicated and difficult challenges" facing the department, Schaffer said. Foreign components can be found in practically every U.S.-manufactured device for both consumer and business use.
A joint task force by the DHS and the Department of Defense is investigating the problem, according to Schaffer.
Backdoors aren't necessarily limited to software applications, as hardware components, such as embedded RFID (radio-frequency identification) chips and Flash memory, could be compromised, according to the testimony.
However, it would be a challenge to determine whether vulnerabilities found in software and hardware were bugs that were overlooked or were inserted intentionally for malicious purposes. Even malware on hardware is not so clear-cut, as there have been instances of large companies accidentally distributing USB sticks infected with malicious software at conferences, such as IBM's mistake at AusCERT security conference in May last year. Kaspersky Lab CEO Eugene Kaspersky has spoken about receiving a Flash card at a conference that was infected.
The White House also released a Cyber Policy Review that said only a small number of these incidents have been uncovered, but the threat was nonetheless real. The White House is interested in offering incentives for private companies to share information with the federal government to help identify and defend against threats.
"A sophisticated adversary might narrowly focus on particular systems and make manipulation virtually impossible to discover," the report said.
The cyber-security session was the first in a series of hearings to examine the "threat to America's digital infrastructure," according to a statement by Rep. Darrell Issa (R-Calif.), the committee's chairman. Issa cited an Office of Management and Budget estimate that cyber-incidents against federal agencies have increased 39 percent in 2010.