Gartner Study Questions Integrity Of IT Supply Chain

By Ken Presti
October 18, 2012 8:04 PM ET

Page 2 of 2

Meanwhile, software can also be vulnerable. Middleware, language platforms, virtual machines and operating systems are frequently targeted and should be checked for package tampering and valid certificates.

"People attempted to insert back doors into Linux," Gartner's MacDonald said. "Open source is great and convenient, but a lot of these libraries are vulnerable. Some research suggests as much as 39 percent of the libraries are vulnerable. This is as much of a supply chain issue as selling contaminated hamburger. You cannot in good conscience bring the product to market."

MacDonald also related an example regarding back doors that came pre-installed on ZTE Score M smartphones being shipped to the United States.

"ZTE says it was just a software bug, but if that was the case, why wasn't it on all of the handsets, not just the ones going to the United States?" he asked.

These issues clearly factor into concerns by the U.S. and other governments about the use of equipment from ZTE and Huawei.

"Nothing has been publicly disclosed that shows that Huawei has done anything," MacDonald said. "But there are clear concerns about their alleged ties to the Chinese government, the formation of the company, how it is managed and similar factors. There is a genuine lack of transparency, and questions about whether or not they are truly independent from the Chinese government."

MacDonald added that Australia, Canada and the U.K. are also questioning the relative security of Huawei products. He expects that other countries will follow suit.

Gartner predicts that by 2016, a new, publicly disclosed, IT supply-chain-integrity-related incident, costing millions in remediation and data loss, will affect at least 25 percent of the Global 2000. The company further predicts that more than one-half of the data in enterprise storage will be encrypted by 2020, compared to five percent this year.

"There is no perfect security but that does not mean that we cannot raise the bar," MacDonald concluded.

PUBLISHED OCT. 18, 2012

<< Previous | 1 | 2

To continue reading this article, please download the free CRN Tech News app for your iPad or Windows 8 device.

Related: Videos | Slide Shows | Comments

SHARE THIS ARTICLE

More Security

Comments by Vanilla

Recent Articles

	10 Security Companies That Have Scored CIA Funding CIA-funded venture firm invests millions in technology startups, mostly security firms. Find out which security companies won In-Q-Tel funding.
	Head-To-Head: Symantec Vs. McAfee In Endpoint Protection McAfee and Symantec are archrivals with a firm grip on the North American security market. CRN pits both vendors' endpoint security products against each other and names a winner.
	The 8 Steps Behind The Massive $45M Cyber Bank Heist More than $45 million was stolen from banks in the U.S. and 19 other countries in a scheme that law enforcement is calling an international conspiracy to drain millions from bank accounts using stolen debit cards and PIN numbers. Here's how they did it.
	More Slide Shows