Page 1 of 2
Supply chain integrity will be identified among the top three security-related concerns of IT leaders by 2017, according to recent research by Gartner.
In a report entitled, "Living in a World Without Trust: When IT's Supply Chain Integrity and Online Infrastructure Get Pwned," the Stamford, Conn.-based market research company detailed the extent to which IT supply chains will be targeted and compromised in the near future, thereby forcing changes in market structure and how IT will be managed.
One recent example includes thousands of PCs that were shipped from China with counterfeit Windows OS and malware already installed before the systems were even broken out of their shrink wrap.
[Related: 7 Deadly Sins of Information Security]
"We looked at several cases," said Gartner research vice president Neil MacDonald. "Another one involved counterfeit Cisco routers that were found at multiple companies throughout the U.S. in 2008. In that case, there wasn't any sign of espionage; it was just counterfeiting. They were using substandard parts and trying to pass them off as legitimate while pocketing the difference in cost. If you actually knew what to look for, you could open it up and see that this was counterfeit. Some of this stuff was even purchased off of eBay, which, as you know, is not a best practice."
In an effort to reduce cost, the IT supply chain has continually become more focused on outsourcing to countries where labor costs are lowest. China, India, Brazil, Vietnam and Indonesia are typical examples. And with different components often coming from different places, validating the integrity of the devices can be a tall order.
MacDonald cited statistics indicating that counterfeit incidents more than doubled between 2005 and 2008, and indications suggest that the growth rate has not abated since that time. Recently, the General Accounting Office issued a report indicating that counterfeiting has been rampant even in components going into defense manufacturing.
"The problem is real," he said. "These are not isolated circumstances."
"You can minimize the problems by having stronger discipline in your procurement policy," MacDonald continued. "Expect the vendor to be able to prove the chain of custody and show you the bill of parts and be able to show the chain of custody for all of those component parts."