IT supply chain security is weak at major U.S. agencies, says GAO
Lawmakers call on agencies to focus more on possible vulnerabilities embedded into IT products
IDG News Service - U.S. lawmakers called on three large U.S. government agencies, including the Department of Energy, to start monitoring their IT purchases for possible malware, counterfeits or other security flaws, after a watchdog agency pointed out potential vulnerabilities in their IT supply-chain procedures.
The three agencies, the others being the U.S. Department of Justice and the Department of Homeland Security, have no plans to identify possible embedded threats in the IT products they buy or to monitor commercial IT products for such threats, the U.S. Government Accountability Office said in a report released Tuesday.
With agencies buying hardware pieced together from components made all over the world, they need to check their purchases for vulnerabilities that could slip in at any point in the manufacturing and shipping process, Gregory Wilshusen, GAO's director of information security issues, told lawmakers.
"The global IT supply chain introduces risks that, if realized, could jeopardize the confidentiality, integrity and availability of federal information systems," he told the U.S. House of Representatives Energy and Commerce Committee's oversight subcommittee.
Of the four national security-related agencies the GAO studied, only the Department of Defense has made significant progress toward identifying IT supply chain risks, despite an August 2009 standard on IT supply chain security published by the National Institute of Standards and Technology, the GAO said.
The GAO report prompted lawmakers to push Gil Vega, chief information security officer for the Department of Energy, to develop an IT supply chain security plan. The DOE, which oversees the nation's nuclear energy stockpile, began to address the concerns in the GAO report this month, when it first heard of them, Vega told the subcommittee.
"When will the Department of Energy finish its process of giving guidance to your suppliers to promote their supply chain's integrity?" said U.S. Rep. Cliff Stearns (R-Fla.). "When is that date going to be?"
A date is "hard to predict," said Vega, who has been the agency's CISO for just eight months. Vega said he's not aware of any cyberattacks at the DOE that resulted from supply chain vulnerabilities.
Supply chain risks are real, Stearns said. Based on the DOE's nuclear mission, "I think you should have been ahead of the curve, instead of, just in the last two weeks, giving guidance to your suppliers," he said.
But four of the five witnesses at Tuesday's hearing, including Wilshusen, said vulnerabilities in the IT supply chain were not the most pressing cybersecurity concern for most federal agencies. Cyberattacks from outside groups or involving insiders are a bigger problem for agencies, said Dave Lounsbury, CTO at the Open Group, an IT standards consortium working on supply chain security.