Current and past Pentagon officials today suggested that the government should incentivize defense contractors, banks, utility companies, and Internet service providers to strengthen their defenses against attacks that exploit vulnerabilities in the global supply chain.
"We're now worried [about] the integrity of the products coming into our global supply chain that might compromise businesses' confidentiality or the overall availability of those essential services," said Melissa Hathaway, a former cybersecurity official under both the George W. Bush and Barack Obama administrations.
What's that mean? It means that defense contractors and other so-called "critical infrastructure" providers, which use components made around the world, may well be in danger of buying counterfeit or compromised electronic parts. Fake parts such as microchips can be substandard and fail easily -- a nightmare for anyone in, say, the defense industry -- or they can be deliberately infected with spyware or a backdoor allowing an enemy to take over a piece of equipment.
"Products are being built, delivered, maintained, and upgraded all around the world, and they are vulnerable to opponents who wish [their end users] harm," said Hathaway during a speech at the Potomac Institute for Policy Studies today. This global supply chain "provides adversaries, or these opponents, with greater opportunities to manipulate the product from design through its entire life cycle" and may give those adversaries "access to those particular networks" in which the bogus or compromised parts have been installed.
The problem of counterfeit electronics in Defense Department supply chains is nothing new, but previous worries centered on concerns about those products being poor quality and failing while being used on weapon systems ranging from airplanes to submarines. But, now, the threat of parts designed to actually spy on or cause harm to U.S. products may be coming to fruition.
"There are certainly -- we've seen instances" of nefarious electronics, said Brett Lambert, deputy assistant secretary of defense for manufacturing and industrial base policy -- i.e., the Pentagon's man in charge of making sure its supply chain is safe -- when asked if DoD has discovered chips with built-in backdoors that could allow someone to spy on or take over the system that the part is embedded in.
So how do you protect against counterfeits in a world where weapons systems are made up of parts from dozens of countries?
One word, incentives, came up again and again during today's event. It seems the Pentagon has learned from Congress' recent failure to enact cybersecurity legislation that contained minimal security regulations. The bill elicited howls from Republicans and businesses, which claimed the requirements would stifle business.
"I think the market tends to work pretty well. The market does tend to be, in many cases, self-correcting," said Lambert at the Potomac Institute event. However, "we can't always wait around for the market to self-correct without some incentives."
Rather than imposing "onerous and objectionable" security standards on industry, "we're trying to come up with a reasonable approach where we work with the industrial base and the supply chain first of all to better understand the issues they uniquely face and then figure out what levers we have in the government whether they be on the incentive side via tax credits" or other methods.
One of the ideas floated repeatedly during the forum was giving tax breaks to companies whose products meet certain security standards -- similar to the way firms now receive tax credits for meeting environmental standards.
"We're really looking at incentives not disincentives," added Lambert. "My personal opinion is that strict regulations and restrictions when you talk about technologies never really work over a long period." Instead, they tend to stifle the agility and innovation required for industry to stay competitive in the technology arena, he said.
Dennis Bartko, special assistant for cyber to Gen. Keith Alexander, director of the National Security Agency, weighed in, saying that while the agency doesn't come up with policy and regulations, "having some set of standards, however that is, [so] that folks can know what good [security practices are] and what is the mark to shoot for seems to us to be really important. How one takes those standards and either incentivizes or moves to make progress in there is the subject that's up for a lot of debate right now."
The government should work with industry to "assist in crafting the commercial standards which drive the technology engine and [apply] those when appropriate" rather than dictate its own regulations "where we may find ourselves coming up with great standards but alienating the very technological edge that we're seeking to obtain," added Lambert.
John Reed reports on the frontiers of cyber war and the latest in military technology for Killer Apps.