What’s Needed Now: Supply Chain Integrity Testing

Linda Musthaler
By | April 15, 2014

Posted in: Network Security Trends

Listen up, all you security experts who want to be an entrepreneur! John Pescatore, the SANS Institute Director of Emerging Security Trends, sees an opportunity for the Next Big Thing in tech security. In Pescatore’s view, there’s a growing need for supply chain integrity testing.

In the wake of all the digital spying revelations let loose by the Edward Snowden documents, there is now a general lack of trust in the hardware and software that we all use to build and manage our networks.Last December, the German magazine Der Spiegel published an article outlining how the U.S. National Security Agency supposedly has something like a catalog that lists various tools that NSA employees can acquire to tap into their target’s data. The magazine asserts that the NSA can silently break into commercial products from companies like Juniper, Cisco, Dell, Huawei and others to snoop on the companies that have deployed these technologies.

Even before that there were accusations that telecommunication products from Chinese companies Hauwei and ZTE Corporation had backdoors that allowed the Chinese government to intercept the world’s communications. Pescatore says the problem was so bad that Huawei funded a testing center in the UK so that British Telecomm could verify the integrity of the equipment it was putting into its network.

When Pescatore was a Gartner analyst, he took a briefing from another Chinese vendor, NSFocus, on how they were trying to sell into the U.S. market. “They had a slide with a big elephant on it,” he says. “Yes, that represented the ‘elephant in the room.’ Just why would anyone in the U.S. trust security equipment from a Chinese company?” Pescatore says NSFocus allayed prospective customers’ fears by paying a U.S. company, Vericode, to do software inspection and software testing. “This was essentially the same thing that the UK was doing with Huawei. Vericode would inspect their code and prove to anybody who wanted to buy NSFocus equipment that it did what it was supposed to do and didn’t have hidden capabilities or backdoors.”

These days, product components are manufactured and sourced from all over the world. It’s practically impossible to say, “I only want to use American-made products on my network.” Even though that server or router may have an American company’s logo on it, chances are that the components were made and probably assembled outside the country. That gives spies ample opportunity to load software that can surreptitiously monitor your activities once the equipment is installed. And conversely, many people now think that U.S. products come with hidden software that allows the government to spy on the purchasers.

So what is this great opportunity for security-minded entrepreneurs? Pescatore thinks we need a neutral, third party testing lab where vendors or end customers can bring equipment or software to have it thoroughly inspected and tested for anything that should not be there. Pescatore says the U.S. government has a few initiatives like this underway but something similar is needed for the private sector.

“If you think about the payment card industry,” says Pescatore, “it has standards for point-of-sale terminals. There is essentially a certification program. People who sell point-of-sale terminals know that customers are going to swipe credit cards so they have to have somebody inspect and test those devices to make sure they aren’t pre-configured with software that is going to allow a criminal to access the device and steal payment data.” He says we now need this same capability for computer equipment—especially security devices.

Entrepreneurs, are you listening? Venture capitalists, get out your check books. Computer supply chain integrity testing could be the next big money-maker as companies need assurances about the hardware and software they install.


You May Also Be Interested In: