How secure are the IT components that go into our devices?
One of the most interesting and challenging security issues that can only be addressed by governments and large organizations is the actual integrity of the computer products being purchased. While most of the world has worried about what American spy agencies might have embedded in systems over the years, the tables were turned several years ago when IBM sold its portable computer business to the Chinese. Since then, this issue has been festering with far greater stakes than ever before.
Last month, the House Permanent Select Committee on Intelligence issued a report indicating that computer components and communications manufactured by two Chinese companies might have been altered to allow the Chinese government to spy on US enterprises. The report recommended that US government systems not use any component manufactured by Huawei and ZTE, both among the top 5 of the world’s largest telecom equipment makers. See Investigative Report on the U.S. National Security Issues Posed by Chinese Telecommunications Companies, Huawei and ZTE. There’s an old security axiom that says “vulnerabilities are like cockroaches: for every one you see, there are probably 99 more.” That’s certainly the feeling left from these studies.
According to Gartner Fellow Neil MacDonald, not using any Chinese-manufactured components would not be an easy undertaking, as many of the components inside US company products are from China. The issue is not about controlling or not using anything developed offshore; it is an issue of supply-chain integrity, which MacDonald believes is a concern for any technology company worldwide. What is needed is transparency from suppliers along the supply chain that reveals pertinent information about components and equipment used by businesses and government, such as how it was created, where it originated and was sourced, etc. See article How Secure are the IT Wares You Buy.
This is not an easy undertaking, however, and requires diligence at all levels along the supply chain to ensure the overall integrity of the final delivered product. These issues offer an interesting parallel to the Cloud, in that we rely more and more on technologies we no longer understand. However, one has to wonder just how different this is from the days of the first radio or television. Technology has always had a degree of opaqueness.