Gartner Study Questions Integrity Of IT Supply Chain8:04 PM EST Thu. Oct. 18, 2012
Supply chain integrity will be identified among the top three security-related concerns of IT leaders by 2017, according to recent research by Gartner.
In a report entitled, "Living in a World Without Trust: When IT's Supply Chain Integrity and Online Infrastructure Get Pwned," the Stamford, Conn.-based market research company detailed the extent to which IT supply chains will be targeted and compromised in the near future, thereby forcing changes in market structure and how IT will be managed.
One recent example includes thousands of PCs that were shipped from China with counterfeit Windows OS and malware already installed before the systems were even broken out of their shrink wrap.
[Related: 7 Deadly Sins of Information Security]
"We looked at several cases," said Gartner research vice president Neil MacDonald. "Another one involved counterfeit Cisco routers that were found at multiple companies throughout the U.S. in 2008. In that case, there wasn't any sign of espionage; it was just counterfeiting. They were using substandard parts and trying to pass them off as legitimate while pocketing the difference in cost. If you actually knew what to look for, you could open it up and see that this was counterfeit. Some of this stuff was even purchased off of eBay, which, as you know, is not a best practice."
In an effort to reduce cost, the IT supply chain has continually become more focused on outsourcing to countries where labor costs are lowest. China, India, Brazil, Vietnam and Indonesia are typical examples. And with different components often coming from different places, validating the integrity of the devices can be a tall order.
MacDonald cited statistics indicating that counterfeit incidents more than doubled between 2005 and 2008, and indications suggest that the growth rate has not abated since that time. Recently, the General Accounting Office issued a report indicating that counterfeiting has been rampant even in components going into defense manufacturing.
"The problem is real," he said. "These are not isolated circumstances."
"You can minimize the problems by having stronger discipline in your procurement policy," MacDonald continued. "Expect the vendor to be able to prove the chain of custody and show you the bill of parts and be able to show the chain of custody for all of those component parts."
NEXT: Not Just A Hardware Problem
Meanwhile, software can also be vulnerable. Middleware, language platforms, virtual machines and operating systems are frequently targeted and should be checked for package tampering and valid certificates.
"People attempted to insert back doors into Linux," Gartner's MacDonald said. "Open source is great and convenient, but a lot of these libraries are vulnerable. Some research suggests as much as 39 percent of the libraries are vulnerable. This is as much of a supply chain issue as selling contaminated hamburger. You cannot in good conscience bring the product to market."
MacDonald also related an example regarding back doors that came pre-installed on ZTE Score M smartphones being shipped to the United States.
"ZTE says it was just a software bug, but if that was the case, why wasn't it on all of the handsets, not just the ones going to the United States?" he asked.
These issues clearly factor into concerns by the U.S. and other governments about the use of equipment from ZTE and Huawei.
"Nothing has been publicly disclosed that shows that Huawei has done anything," MacDonald said. "But there are clear concerns about their alleged ties to the Chinese government, the formation of the company, how it is managed and similar factors. There is a genuine lack of transparency, and questions about whether or not they are truly independent from the Chinese government."
MacDonald added that Australia, Canada and the U.K. are also questioning the relative security of Huawei products. He expects that other countries will follow suit.
Gartner predicts that by 2016, a new, publicly disclosed, IT supply-chain-integrity-related incident, costing millions in remediation and data loss, will affect at least 25 percent of the Global 2000. The company further predicts that more than one-half of the data in enterprise storage will be encrypted by 2020, compared to five percent this year.
"There is no perfect security but that does not mean that we cannot raise the bar," MacDonald concluded.
PUBLISHED OCT. 18, 2012