As if we did not need yet another potential source of supply chain related risks, a news story from Reuters notes that high tech and consumer electronics could be laden with malicious software.

According to a U.S. Congress member with considerable cyber security intelligence, hackers may be injecting malicious codes on electronic components at offshore manufacturing plants, planting tools to help launch future cyber-attacks.

Representative Jim Langevin (Democrat- Rhode Island) is a member of the U.S, House of Representatives committee on Armed Services and Intelligence and is privy to cyber threat information not publically disclosed. The Congressmen has sponsored the Executive Cyberspace Coordination Act of 2011. According to a House press release, the Act “would establish a National Office for Cyberspace to evaluate and enforce requirements for federal agencies to protect themselves and the public, make certain that the government buys the most advanced and secure technology possible, and train a workforce with the ability to defend us against attacks.” In a February 10th hearing held by the House Intelligence Committee, then CIA Director (now Secretary of Defense) Leon Panetta told the Committee, “the next Pearl Harbor may very well be a cyber attack.”

Readers may note that the Bill includes some provisions that can have supply chain related impacts. The Bill calls for changing federal acquisition policy to drive the market toward more secure products.  It will be rather interesting to speculate what the Congress ultimately determines as  policies for acquisition of secure products are to be. The release mentions “a vulnerability assessment for any system and its significant items of supply prior to development.” That sounds a lot like traceability or certification of supply sources.

Also mentioned is the establishment of the Office of the Chief Technology Officer within the Executive Office of the President.  The first person ever appointed as CIO of the federal government recently resigned after two and a half years on the job and six months after releasing a 25-point plan on the consolidation of over 2000 federal data centers by 2015.  What do you think the odds will be on the future tenure of a U.S. government CTO?

Do not misconstrue, cyber security is a real threat.  Recent multiple attack incidents that have brought big companies down such as Sony, are ample evidence.  Governmental policies and mandates can well be timely, but as is often the case, the devil is in the details of the policies.

In the meantime, consider the possibility that those electronic components embedded in your new tablet, smartphone or laptop could well be a facilitator of a cyber-attack.  Consider that the database holding your company’s mission critical business data or process controls could be hacked by its own hardware host.

Time for another beer!

Bob Ferrari