Counterfeit or tampered-with equipment and
software, unintentional vulnerabilities in computer code, terrorist attacks by
nation states, organized criminals or hackers. Those are just some of the cyber
threats to government and industry tech suppliers identified at the latest in a
series of House Energy & Commerce Committee hearings on cybersecurity.
The
hearing, "IT Supply Chain Security: Review of Government and Industry
Efforts," was held in the Subcommittee on Oversight and Investigations.
Representatives
of the Government Accounting Office and the Departments of Defense and Energy
provided some sobering testimony in the hearing's first panel, including that
all of those agencies had work to do in securing the chain of technology and
software that went into government information technology, most of which is
off-the-shelf technology from private companies, and most of which is made up
of component parts supplied from companies outside the U.S. That raises the
threat of malware or other cyber attacks.
In
his testimony, Gregory Wilshusen, director of information security issues for
GAO, illustrated the challenge with a graphic of a laptop, whose LCD display's components
may have come from China, South Korea, the Czech Republic, Taiwan, Singapore, Poland,
or the Slovak Republic. A similar laundry list of countries was attached to the
memory, processor, and hard disk drive.
Not
surprisingly, industry representatives on a second panel said the solution to
securing supply chain IT is a combination of industry best practices, and for
the government to share more threat information with industry. Those are the arguments
made by industry for why current cybersecurity legislation should not rely on
government-mandated security regimes.
Both
Larry Castro of The Chertoff Group and Dave Lonsberry of The Open Group, said
industry should take the lead on securing the IT supply chain. Lonsberry said
that market pressure and the pace of innovation forces the market to respond to
threats.
The
growing profile of cybersecurity issues, including securing the chain of
supply, dovetails with administration push to put more government info online
and make it more accessible to the public, as well as the FCC's push for
similar online access.
There
is also the push for convergence of video and broadband the FCC has been
making.
Ranking
member Diana DeGette (D-Colo.) asked about the cybersecurity risks of video and
data converging on a common network accessible by a variety of devices. Castro
said a big issue is smart phone apps, which can become the front door to home
PCs and networks for attackers.
The
cable industry and other ISPS just last week agreed to adopt codes of conduct
for dealing with botnets, malware and other network threats.
