When the IT Supply Chain is Compromised "Inside the Wire"

By Kevin Freeman
October 10, 2017

The term "inside the wire" generally suggests a zone of safety. Going outside the wire suggests being at risk. But what happens when the enemy gets inside the wire? Extreme threat.

Our society has become increasingly dependent on electronics and information technology (IT). With that dependence, we recognize that there are numerous external vulnerabilities. Hackers, for example, can break into Equifax and steal our personal information. The North Koreans can break into South Korea's defense establishment and steal war plans. Not a week goes by without some sort of massive hack being discussed prominently. In response, we have turned to a cadre of technical advisors and security experts. We add the latest and greatest software. We employ strict measures of protection.

So what happens when our trusted sources for security are themselves compromised? This is the same as allowing an enemy to get inside the wire. It is an extreme threat. This was noted by Samantha Ravich from the Foundation for the Defense of Democracies and Michael Hsieh at the Council on Foreign Relations in The Cipher Brief:

Expelling Digital Demons from U.S. Sensitive Supply Chains

August 16, 2017

The open manner with which U.S. national security enterprises bid for goods and services can be exploited by U.S. adversaries seeking to inject counterfeit or malicious components into sensitive electronic hardware. The unprecedented challenge of policing the vast and complex supply chains for such hardware will require radical innovation in technology and governance to ensure that the rules-based system of international trade that the U.S. has long championed is not degraded into a chaotic arena of unrestricted economic warfare.

It is beyond dispute that the supply chains for the electronic hardware used by U.S. armed forces are under attack. Security researchers have documented multiple cases of sophisticated, malicious functionality being surreptitiously introduced into such hardware, potentially allowing an adversary, in times of crisis, to turn our own devices against us. But even if this worst-case scenario fails to materialize, the uncertainty in both the reliability of the U.S. warfighting arsenal and the civil infrastructure upon which the U.S. national security industrial base relies imposes a cost in its own right.

In 2011, it was reported that, "1,700 supposedly-new memory parts from an 'unauthorized distributor' showed signs of previous use, prompting the Missile Defense Agency to have to call for almost 800 parts to be stripped from the assembled hardware." Then-head of the Missile Defense Agency, Lieutenant General Patrick O'Reilly, testified before the Senate that, "We do not want a $12 million THAAD [Terminal High Altitude Area Defense] interceptor to be destroyed by a $2 part."

These supply chain attacks are seen as a particular kind of cyber-enabled economic warfare. U.S. national security leadership is confronted with the problem of blunting the aggression of foreign powers who have perverted the peaceful bonds of international trade into channels of espionage and sabotage, while preserving as much as possible the open nature of global trade on which U.S. economic prosperity depends. In lieu of seeking promises of better behavior from adversaries, which are hard to verify, or erecting import restrictions that can trigger a cascade of mutual retaliation, we endorse a mix of technology and governance innovation based on detection and deterrence.

The complexity and scale of the transactions that comprise U.S. sensitive supply chains create a kind of informational fog in which adversaries can hide . . .

We have been warning about this for quite some time. Just recently, however, have our warnings come to life in frightening ways. Rather than go into details, I'll offer a few links and brief explanations regarding recent headlines. You will get the idea.

The NSA was broken into because a contractor was using Russian security software?

Russian-based Kaspersky software believed to have been used to take classified NSA data

CBS NEWS October 5, 2017, 11:51 PM

Russian-based Kaspersky Lab software was believed to have been used to take very sensitive and classified NSA data from an NSA contractor's personal computer, CBS News confirmed Thursday, resulting in a significant security breach.

First reported by the Wall Street Journal Thursday, the 2015 hack occurred when the contractor took the data with him from the NSA and then loaded it onto his personal computer, which had Kaspersky antivirus software on it. The software enabled Russian hackers to see his files. The hack has still not been disclosed by the government, according to the Wall Street Journal . . .

What is so dangerous about this is that access to NSA files opens up tools that can be used to hack almost anything as noted in this CNN article:

NSA's powerful Windows hacking tools leaked online – Apr. 14, 2017 

Apr 14, 2017 – A hacking group has dumped a collection of spy tools allegedly used by the National Security Agency online. Experts say they are damaging. The exploits, published by the Shadow Brokers on Friday, contain vulnerabilities in Windows computers and servers. They may have been used to target a global banking system. One collection of 15 exploits contains at least four Windows hacks that researchers have already been able to replicate . . .

How do we know this? Apparently, the Israelis hacked Kaspersky (the Russian security software). From The Washington Post:

Israel hacked Kaspersky, then tipped the NSA that its tools had been breached

By Ellen Nakashima October 10, 2017 at 7:22 PM

In 2015, Israeli government hackers saw something suspicious in the computers of a Moscow-based cybersecurity firm: hacking tools that could only have come from the National Security Agency.

Israel notified the NSA, where alarmed officials immediately began a hunt for the breach, according to people familiar with the matter, who said an investigation by the agency revealed that the tools were in the possession of the Russian government.

Israeli spies had found the hacking material on the network of Kaspersky Lab, the global anti-virus firm under a spotlight in the United States because of suspicions that its products facilitate Russian espionage.

Last month, the Department of Homeland Security instructed federal civilian agencies to identify Kaspersky Lab software on their networks and remove it on the grounds that "the risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security." The directive followed a decision by the General Services Administration to remove Kaspersky from its list of approved vendors. And lawmakers on Capitol Hill are considering a government-wide ban . . .

Is there any wonder that Russia rejects foreign software? From Reuters on CNBC:

Putin tells Russia's tech sector: Ditch foreign software or lose out

Russian technology companies will lose out on state orders unless they switch to using home-grown software, Russian President Vladimir Putin was quoted as saying on Friday.

Putin said that, in some spheres, state institutions could not work with companies running foreign software because that represented a risk for national cyber-security . . .

It should be noted that while the Kaspersky risk is significant, it is not the only recent example. CCleaner software was targeted and compromised. As with Kaspersky, consumers and institutions have relied on CCleaner to keep their computers safe. A single compromise on a single network computer can put the entire ecosystem at risk. From BBC News:

Alert over booby-trapped security software

18 September 2017

A security company has issued a warning after its software was compromised by malicious hackers.

Piriform told users a booby-trapped version of its CCleaner software had been made available in August and September.

Millions of people use the CCleaner program to remove unwanted junk from Android phones and Windows PCs.

Piriform's owner, Avast, said it had managed to remove the compromised version before any harm had been done . . .

Of course, besides software there is also the risk of rogue contractors such as Edward Snowden and rogue employees. The most famous recent example of rogue IT employees is the suspicious case of the Awan brothers, who worked for Debbie Wasserman Schultz, a Congresswoman who was until recently head of the Democratic Party (along with quite a few other Democrat members of Congress). There's so much to this story that we could never do it justice. And we are just getting the facts a few at a time. But there is enormous smoke, and it involves an IT staff with ties to Pakistan that basically had full access to all the information in the House of Representatives and the Democrat National Committee. Here is a link to the latest:

The Democrats' IT scandal just got even more bizarre

by Frank Miniter, Fox News October 10, 2017

Perhaps you've lost track of the Democrats' slowly exploding IT scandal, as much of the media is doing all it can to simply ignore it away.

I'm referring to the strange case of Imran Awan, the IT aide Rep. Debbie Wasserman Schultz, D-Fla., kept on her congressional payroll even after it became known he and his wife, Hina Alvi Awan, were being investigated by the Capitol Police for possible theft, fraud, moving terabytes of data off Congress's system and more . . .

There are, of course, many other examples of compromised employees but this is one of the most significant and most bizarre.

We also have examples of compromised regulators such as we just learned about with the SEC. So what happens when a regulator insists on checking your network for vulnerabilities but they have already been compromised? Or what happens when a trusted contractor shows up with software to safeguard your network while unwittingly compromising it? The truth is that the bad guys know how to use force multipliers by targeting those we trust to keep us safe.

The Chinese have adopted a different approach. They force all suppliers to bend to their rules and even to turn over security secrets. This could enable them to get backdoors into whoever is working with them and thus gain access to all of that supplier's customers. So, should we be worried that Apple has bowed to Chinese demands? What about Microsoft turning over all source code as demanded by China?

Even if the Chinese aren't looking for ways to compromise everyone, they are still able to use forced technology transfer as a direct means of economic warfare. Technically, it's not intellectual property theft because the suppliers allow the transfer to gain market access. But it is clear-cut economic warfare on a grand scale.

So, the way we do business by accepting IT supply contracts creates risks inside our wire. Russia works hard to keep external suppliers outside their wire. The Chinese allow outside suppliers but only if they turn over their security secrets. Why is it that our approach seems the most naive and creates the greatest vulnerabilities?

There is some good news. President Trump has recently blocked a Chinese supplier that posed a threat of IT compromise. From Bloomberg:

Trump Blocks China-Backed Lattice Bid

Bloomberg News

President Donald Trump blocked a Chinese-backed investor from buying Lattice Semiconductor Corp., casting a cloud over Chinese deals seeking U.S. security clearance and spurring a call for fairness from Beijing.

It was just the fourth time in a quarter century that a U.S. president has ordered a foreign takeover of an American firm stopped on national-security concerns. Trump acted on the recommendation of a multi-agency panel, the White House and the Treasury Department said Wednesday. The spurned buyer, Canyon Bridge Capital Partners LLC, is a private-equity firm backed by a Chinese state-owned asset manager.

That is a step in the right direction. It shows a recognition of the problem and a willingness to address it. The President is also considering using his office to block forced technology transfers. Samantha Ravich and Michael Hsieh offer an additional glimpse of hope regarding how a free society can reduce the threat by using Blockchain technology. Here are some additional excerpts from their Cipher Brief article:

The complexity and scale of the transactions that comprise U.S. sensitive supply chains create a kind of informational fog in which adversaries can hide. However, if the information associated with each such transaction can be projected onto a timely and granular digital dataspace, the U.S. can harness the power of modern machine learning methods to identify suspicious activities within its supply chains at scale. Although there are many technologies with which this dataspace can be constructed, we believe the blockchain has, even in its nascence, demonstrated that it has the economy, security, and power that make it the ideal technology for this purpose.

Simply put, the blockchain is a ledger of business transactions whose validation is distributed to a large network of participants that are well incentivized to coordinate their efforts to prevent bad actors from tampering with the ledger's events. The nature of the incentives and the nature of the efforts ensures that the honest participants do not have to consciously collaborate; the collective weight of their honest efforts is enough to safeguard against tampering motivated by theft, sabotage, or any other reason. This is evidenced empirically by the security of the bitcoin blockchain protocol over its nine years of existence.

We acknowledge the risks and challenges that this approach entails. Blockchain technology is new, and legacy acquisitions systems are deeply ingrained. However, the existential dangers introduced by the supply chain threat and the unprecedented scale of the systems engineering problem of defeating them call for solutions that are as potent as these problems are hard. The blockchain is not the only technology that will be required for a fully-articulated solution, and technology will need to be joined with similarly bold innovation in governance.

Our broader hope in spotlighting a technology as revolutionary as the blockchain for the national security mission is that the U.S. can, through example, shorten the lag between technological innovation and governance practice. We also seek, through this advocacy, to create an enduring collaborative dynamic between the government and technology communities in which technologists need not relinquish working on the most exciting technologies of the day if they choose to help solve national security problems of gravest importance.
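The ledger the Cipher Brief authors describe, reduced to a runnable illustration. This is an added example, not code from the article or from Ravich and Hsieh: a hash-chained record of custody events for a lot of parts (the lot name, parties and events are constructed sample data), showing both what a chain detects on its own and why the chain's tip hash must be checked against copies held by independent participants.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64  # back-link of the first entry


def entry_hash(prev_hash, index, record):
    """Hash of one ledger entry, bound to its predecessor and its position."""
    payload = json.dumps({"prev": prev_hash, "index": index, "record": record},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append(ledger, record):
    prev = ledger[-1]["hash"] if ledger else GENESIS_HASH
    entry = {"index": len(ledger), "prev": prev, "record": record,
             "hash": entry_hash(prev, len(ledger), record)}
    ledger.append(entry)
    return entry


def verify(ledger, expected_tip=None):
    """Recompute every hash and back-link; returns (ok, index_of_first_problem).
    expected_tip is the tip hash held by other participants: without it, an
    editor who controls the whole local chain can rewrite history undetected."""
    prev = GENESIS_HASH
    for i, entry in enumerate(ledger):
        if entry["index"] != i or entry["prev"] != prev:
            return False, i
        if entry_hash(prev, i, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if expected_tip is not None and prev != expected_tip:
        return False, len(ledger)
    return True, None


def rechain(ledger):
    """Recompute all hashes after an in-place edit (simulates an insider who
    also controls the chain); returns the new tip hash."""
    prev = GENESIS_HASH
    for i, entry in enumerate(ledger):
        entry["prev"] = prev
        entry["hash"] = entry_hash(prev, i, entry["record"])
        prev = entry["hash"]
    return prev


def build_sample_ledger():
    # Constructed custody trail, loosely modelled on the 2011 memory-part incident.
    ledger = []
    append(ledger, {"lot": "MEM-LOT-0001", "event": "manufactured", "party": "OEM-A"})
    append(ledger, {"lot": "MEM-LOT-0001", "event": "sold", "party": "Distributor-X", "authorized": False})
    append(ledger, {"lot": "MEM-LOT-0001", "event": "received", "party": "Prime-Contractor-B"})
    return ledger


def flag_unauthorized(ledger):
    """Indices of custody events involving an unauthorized distributor."""
    return [e["index"] for e in ledger if e["record"].get("authorized") is False]
```

Run with a copy of the tip hash taken before any edit: flipping the "authorized" flag breaks verification immediately, rechaining hides it from a lone chain, and only the comparison against the independently held tip exposes the rewrite.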

This is clearly a very serious issue. If we focus on it and address the risks, we can find effective means of mitigating the threats at least at the defense department level. In regard to personal computer users, we will have to be ever vigilant. The days of simply trusting security software to protect your computer have ended. This is especially true for those who have relied on foreign applications. Hopefully American suppliers will adopt some best practices and use the Blockchain for securing their systems so they can better serve us.

This is a global cyber-economic war. We must all get on a war footing.