Government Perspective on Supply Chain Security

This is an interesting interview with a former NSA employee about supply chain security. I consider this to be an insurmountable problem right now.

Posted on October 18, 2018 at 6:27 AM • 18 Comments

Comments

HermanOctober 18, 2018 6:47 AM

This is why enterprise systems use deep packet inspection content filters and firewalls. The only defence is to actively monitor the network traffic.

One doesn't necessarily need to scan the packet contents, but one does need to gather statistics and then decide what to do about packets that seem to go places where they should not be.

David RudlingOctober 18, 2018 7:43 AM

The issue with trusting "supply chain security" seems to me to be the question "secure from whom"? If the US government were to establish a "secure" design and fabrication facility for essential components supervised by a technically competent agency such as the NSA, would anyone outside the US government trust the components produced there? So the market would likely be so limited that the economics would be dire. Oh wait, isn't that standard for US Government DOD type projects?

CykOctober 18, 2018 8:12 AM

@Herman: How do you, as a user in a corporate network, tell a MITM attack from a DPI filter?

Right, you can't. See the problem?

Impossibly StupidOctober 18, 2018 9:49 AM

@Herman

one does need to gather statistics and then decide what to do about packets that seem to go places where they should not

No; such reactive security strategies are inherently less effective than more proactive ones. For example, I never have had a need to visit a web site in China or Russia or India, or otherwise access networks in those countries. Nor has anyone in those (or many other) foreign countries hired me to do work for them. So while, on the face of it, the Internet is great for being open worldwide, most people don't have much legitimate reason to venture far beyond a very limited network neighborhood.

From a security standpoint, then, it should be pretty obvious that almost everybody should be following a whitelisting strategy rather than a blacklisting strategy. Yet most of our technology still seems to be based on the outdated assumption that everyone needs to access everyone at any time. Dispel that assumption and it becomes very clear that aggressive monitoring of all activity is the exact wrong thing to do. Or, put another way, if you can already determine the places traffic should and should not go, use that info itself to set your rules; there is no need to go to the effort of looking at all the packets en route.

MattOctober 18, 2018 9:52 AM

@Impossibly Stupid: Okay, so they set up a proxy in the U.S. that then forwards everything to China, or whatever.

TimothyOctober 18, 2018 10:15 AM

From Brian's article:

BK: What, if anything, are the takeaways for the average user here? With the proliferation of IoT devices in consumer homes, is there any hope that we’ll see more tools that help people gain more control over how these systems are behaving on the local network?

TS: Most of [the supply chain problem] is outside the individual’s ability to do anything about, and beyond ability of small businesses to grapple with this. It’s in fact outside of the autonomy of the average company to figure it out. We do need more national focus on the problem.

Hearing from national leaders on supply chain security and risk management is a welcome conversation to witness. It seems like such well-informed parties are aware of the complexities of the issue and the weights given to different elements of the equation – be it with regards to the hardware, software, third-party participation, update processes, economic considerations, etc.

When coordinated plans become actionable, it is always an interesting inflection point to analyze, such as with the ban of ZTE and Huawei phones on military bases. In line with the ZTE threat, Congress also held a June 2018 hearing reviewing ZTE's potential threat to small businesses, as those with smaller budgets are unduly vulnerable. There was also a Senate Homeland Security hearing that brought forth expert research and testimony on supply chain risk management in September of this year.

I thought some really valuable points to consider from Brian’s conversation with Mr. Sager were about the traceability of the supply chain, the economic decision making process, the risk of exposure an attacker must consider, the marketplace for cloud providers with regards to more secure components, the human dimensions, etc. The topic was extremely well covered, and I am grateful for the thoroughness of Brian’s questions, and the transparency and thoughtfulness of Mr. Sager's responses.

In the categorically related matter of 'Krebs who interview national security and industry leaders on the supply chain,' DHS’s Chris Kreb’s held an open panel forum on supply chain security with NSA's Rob Joyce, AT&T's John Donovan, and Palo Alto Network's Mark McLaughlin over the summer at DHS’s inaugural National Cybersecurity Summit. The observations and assessments are very much in line with both articles in today’s post. [The panel starts at 2:04.]

During the event, DHS announced the formation of a newly created ICT Supply Chain Task Force that will operate under a new DHS National Risk Management Center.

echoOctober 18, 2018 2:28 PM

I believe this is a generic problem. It can be found in many UK state instititions and the private sector so isn't something limited to the US or espionage or crime. Standards and a healthy scepticism have their place but without a reaoned bilateral or multilateral discussion organisational mistrust won't go away.

I'm not wholly convinced states or lower level organisations themselves can solve this which is why EU jurisprudence exists in certain cases that there is a compelling public interest that an issue is placed before the courts.

Given human nature there is a role for spies whether conducted by a nation state or "mystery shoppers" but I believe also there must be accoutnability or a "chain of command" and ultimately a fair hearing in an impartial court of law. By bringing state domestic abuse and inter-state abuse within the remit of treaties, democratic conferances, and ultimately a court with sufficient authority I believe thereis a possibility difficulties may be overcome without reactively reaching for nationalism or isolationism.

I would also suggest looking at game theory again.Steppign beyond the assasins teapot a lot of world trade involves coutry X supply country Y who may in turn supply country Z. By viewing the game as a hierarchy or winner takes all zero sum game and seeking to "dominate" and viewing the world as a set of interrelationships such as X may supply Y who supply Z where Y supples X who supplies Z and Y suuplies Z who supplies X you begin to view things less as command and control directing a narrative but more as a set of relationships reacting to circumstances to build a shared narrative. This narrative by its nature supplants adversarial behavior forcing linear conformity with a shared experience informing personal narratives.

"Feminist security" is a thing. I believe by only viewing the problem via a male dominated exclusive "boys toys" scheme that altenative views and a different tone and potential solutions are being edited out.

Bob Dylan's Nasal DripOctober 18, 2018 3:38 PM

FTA, "TS: Yes, you can put something into everything, but all of a sudden you have this massive big data collection problem on the back end where you as the attacker have created a different kind of analysis problem. Of course, some nations have more capability than others to sift through huge amounts of data they’re collecting."

Exactly. Which is one of the main reasons that I have been and remain skeptical about the constant patter of advice that so-called security experts give about the dangers of using public wifi. No hacker worth anything hacks public wifi seeking to sniff for passwords, it isn't worth the candle. First, it creates a huge data processing and analysis problem on the back end and second people with lots of money in their bank accounts aren't using public wifi to begin with. So the profit just isn't there, not compared to alternatives like phising.

GenieOctober 18, 2018 4:44 PM

Earlier this month, the Pentagon stopped selling phones made by the Chinese companies ZTE and Huawei on military bases because they might be used to spy on their users.

They sound like inexpensive and capable devices without the iPhone consumer product branding and case design. Probably nothing special as "security" goes, but par for the course with proprietary hardware and software design.

Where is, say, Apple sourcing their chips that ZTE, Huawei, or the U.S. military aren't?

It's that small-town "microbrew" delusion that the tavernkeeper has his own farm and harvests the hops and barley all by himself with a scythe just like his great-grandfather.

All the vodka comes from the same distillery in Moscow, Russia, and the party van is coming to pick up the trash because someone threw some Republican garbage in the Democrat can, and they can't sort it properly for recycling.

A GuyOctober 18, 2018 5:37 PM

Right now parts of the government are looking hard at the non-services parts of the DoD in the name of cost cutting. "Why do we need agency X, or Y"

"Why do we need people that buy, stock, warehouse, and track all the needs of DoD, from bullets to boots. Why don't we something like Amazon? Just hit a website with a credit card and have them ship the stuff where we want it."


So now you want no one to be responsible for sub-standard or just plain fake supplies and parts?

That's fine when I buy a handful of transistors and then end up being fake for a personal home project. Go and look, it happens a lot. Or how about last summer in the run up to the solar eclipse several Amazon suppliers sold fake solar glasses. Amazon caught it and refunded the money. I just tossed them out and got more from a different Amazon supplier.

Maddness


RatioOctober 18, 2018 6:00 PM

So many security-related problems, including this one, would have been solved long ago if only the potential contributions possibly made by important fields of knowledge such as Communist Cosmology, Left-Handed Linguistics, Masculine Mathematics, Otherkin Oceanography, and Queer Folk Quantum Physics were not systematically suppressed by the dominant power hierarchy.

(You’d probably never heard of many of these areas. That just shows how ruthlessly and totally these voices of unmatched wisdom have been and are being silenced. Of course I would love to share the plethora of profound and entirely relevant insights I’m referring to, but my oppressors would never allow it. It’s not like they don’t actually exist and only serve an endless faux victimhood narrative or anything like that.)

GenieOctober 18, 2018 6:08 PM

@A Guy

cost cutting. "Why do we need agency X, or Y"

"XYZ," like rotten schoolchildren say all the time. DNA is male-only. SSS registration, you're already a sex offender with that. DoD = Dear Old Dad.

It's all about the balls, because you certainly don't want XX. That's just someone to "double-cross" you. And you're not supposed to be "gay," either.

Just plain idiots. Not even capable of f$cking, because they don't want to have a sexual assault crisis in the military.

Clive RobinsonOctober 18, 2018 8:02 PM

@ Genie,

Where is, say, Apple sourcing their chips that ZTE, Huawei, or the U.S. military aren't?

You could look at the towns of Allen and Sherman in Texas.

It's not exactly been a secret the US Military have been looking long and hard at the iPhone due to the fact the ground troops use them not just for communications but developing training materials and all sorts of other things your typical MIC industrialist has not got a snow ball in hells chance of making at anything like the size or price or functionality.

Which is why Apple moved their core CPU designs etc and started doing chip manufacture in the US in Texes hand in hand with Korean Company Samsung some years ago, after China APT first kicked off...

If you want to read a bit more on it you can go the horses mouth as it were,

https://www.apple.com/newsroom/2017/12/apple-awards-finisar-390-million-from-its-advanced-manufacturing-fund/

Then there is that little Maxim place in San Jose Apple purchased for a song a few years back,

http://uk.businessinsider.com/apple-buys-small-chip-fab-2015-12

Which is not a million miles from this,

https://thenextweb.com/apple/2012/02/14/apple-funding-large-portion-of-samsungs-texas-chip-making-plant-says-analyst/feed/%7B%7B%20linkTracker/

I suspect Apple knows as much about supply chain security as anyone you are likely to come across, they have after all been bitten by it many years ago...

WeatherOctober 18, 2018 9:58 PM

Isn't FBI internal, maybe they have no skills in the topic, OOWA well that's live

Impossibly StupidOctober 18, 2018 11:26 PM

@Matt

Okay, so they set up a proxy in the U.S. that then forwards everything to China, or whatever.

I don't think you understand how whitelists work. Those proxies are just as unreachable as anything else that hasn't been cleared.

Wesley ParishOctober 19, 2018 6:04 AM

Supply Chain vulnerability - isn't that another name for Trusting Trust?

https://www.archive.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

One evening some years ago when I was not feeling my best, I decided to do a re-run of Rene Descartes' famous skepticism as he discusses it in his Discourse on the Method of Rightly Conducting the Reason, and Seeking Truth in the Sciences and in the mode of his asking, what evidences of the physical world can I trust? I would ask myself, what evidences of other peoples' trustworthiness can I trust?
http://www.earlymoderntexts.com/assets/pdfs/descartes1637.pdf

It is one way to go mad.

I eventually concluded that the basis of trust is empathy; if I could not feel that someone else had any empathy for me, or I for him, I would be unable to trust him (or her).

How does this relate to supply chain security? How do you build trust? How far do you trust that suppliers have trusted in trustworthy suppliers? How far along the supply chain do you trust? How far along is trustworthy?

echoOctober 19, 2018 9:30 AM

@Wesley Parish

I eventually concluded that the basis of trust is empathy; if I could not feel that someone else had any empathy for me, or I for him, I would be unable to trust him (or her).

I have felt similar too. or rather noticed that people I didn't trust or who felt I couldn't rely on didn't feel empathy or were empathic in the right way.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.