
As if we did not need yet another potential source of supply chain related risks, a news story from Reuters notes that high tech and consumer electronics could be laden with malicious software.
According to a U.S. Congress member with considerable cyber security intelligence, hackers may be injecting malicious code into electronic components at offshore manufacturing plants, planting tools to help launch future cyber-attacks.
Representative Jim Langevin (Democrat-Rhode Island) is a member of the U.S. House of Representatives committee on Armed Services and Intelligence and is privy to cyber threat information not publicly disclosed. The Congressman has sponsored the Executive Cyberspace Coordination Act of 2011. According to a House press release, the Act “would establish a National Office for Cyberspace to evaluate and enforce requirements for federal agencies to protect themselves and the public, make certain that the government buys the most advanced and secure technology possible, and train a workforce with the ability to defend us against attacks.” In a February 10th hearing held by the House Intelligence Committee, then CIA Director (now Secretary of Defense) Leon Panetta told the Committee, “the next Pearl Harbor may very well be a cyber attack.”
Readers may note that the Bill includes some provisions that can have supply chain related impacts. The Bill calls for changing federal acquisition policy to drive the market toward more secure products. It will be rather interesting to speculate on what Congress ultimately determines the policies for acquisition of secure products should be. The release mentions “a vulnerability assessment for any system and its significant items of supply prior to development.” That sounds a lot like traceability or certification of supply sources.
Also mentioned is the establishment of the Office of the Chief Technology Officer within the Executive Office of the President. The first person ever appointed as CIO of the federal government recently resigned after two and a half years on the job and six months after releasing a 25-point plan on the consolidation of over 2000 federal data centers by 2015. What do you think the odds will be on the future tenure of a U.S. government CTO?
Do not misconstrue: the cyber security threat is real. Multiple recent attack incidents that have brought down big companies, such as Sony, are ample evidence. Governmental policies and mandates can well be timely, but as is often the case, the devil is in the details of the policies.
In the meantime, consider the possibility that those electronic components embedded in your new tablet, smartphone or laptop could well be a facilitator of a cyber-attack. Consider that the database holding your company’s mission-critical business data or process controls could be hacked by its own hardware host.
Time for another beer!
Bob Ferrari
Bob,
Great post! Supply chain cyber security is an issue I have been looking into for the past several years. The problem is not as new or theoretical as some may think. The original Comprehensive National Cyber Security Initiative (CNCI) report included a recommendation to secure the government’s supply chains against embedded malicious code because the government has seen products shipped with report-back code and trojan horses.
But this is not just a “malicious action” problem; a few years ago a major retailer sold digital picture frames with embedded viruses–it turns out the manufacturer tested the product on a PC with outdated virus protections.
I hope more supply chain managers take notice and look at their supply chains a little more closely to see a more complete picture of the risks there. Dr. Sandor Boyson at the University of Maryland has done some great work in this area. Only by understanding the risks can you protect your company, your customers, and your stakeholders.
-Taylor Wilkerson
Hi Taylor,
Thanks for sharing your perspective. Our commentary, although tongue-in-cheek, was meant to raise awareness of yet another growing dimension of supply chain risk.
Your comment needs to be emphasized: more supply chain managers, especially in the high tech sector, need to look more closely at the complete picture of risks, and how to avoid them as best they can.
Bob Ferrari