House Vets Its Supply Chain Security

Agencies still have work to do in securing the chain of technology and software that went into government information technology

John Eggerton -- Broadcasting & Cable, 3/27/2012 12:45:06 PM

Counterfeit or tampered-with equipment and software, unintentional vulnerabilities in computer code, terrorist attacks by nation states, organized criminals or hackers. Those are just some of the cyber threats to government and industry tech suppliers identified at the latest in a series of House Energy & Commerce Committee hearings on cybersecurity.

The hearing, "IT Supply Chain Security: Review of Government and Industry Efforts," was held in the Subcommittee on Oversight and Investigations.

Representatives of the Government Accounting Office and the Departments of Defense and Energy provided some sobering testimony in the hearing's first panel, including that all of those agencies had work to do in securing the chain of technology and software that went into government information technology, most of which is off-the-shelf technology from private companies, and most of which is made up of component parts supplied from companies outside the U.S. That raises the threat of malware or other cyber attacks.

In his testimony, Gregory Wilshusen, director of information security issues for GAO, illustrated the challenge with a graphic of a laptop, whose LCD display's components may have come from China, South Korea, the Czech Republic, Taiwan, Singapore, Poland, or the Slovak Republic. A similar laundry list of countries was attached to the memory, processor, and hard disk drive. 

Not surprisingly, industry representatives on a second panel said the solution to securing supply chain IT is a combination of industry best practices, and for the government to share more threat information with industry. Those are the arguments made by industry for why current cybersecurity legislation should not rely on government-mandated security regimes.

Both Larry Castro of The Chertoff Group and Dave Lonsberry of The Open Group, said industry should take the lead on securing the IT supply chain. Lonsberry said that market pressure and the pace of innovation forces the market to respond to threats.

The growing profile of cybersecurity issues, including securing the chain of supply, dovetails with administration push to put more government info online and make it more accessible to the public, as well as the FCC's push for similar online access.

There is also the push for convergence of video and broadband the FCC has been making.

Ranking member Diana DeGette (D-Colo.) asked about the cybersecurity risks of video and data converging on a common network accessible by a variety of devices. Castro said a big issue is smart phone apps, which can become the front door to home PCs and networks for attackers.

The cable industry and other ISPS just last week agreed to adopt codes of conduct for dealing with botnets, malware and other network threats.