U.S. companies are closely monitoring foreign-sourced hardware, but other measures may loom.
U.S. network providers say their continuous monitoring of the telecommunications supply chain has protected the integrity of foreign-made equipment, while the U.S. government is only tentatively exploring standards that would give companies a common focus for their supply chain efforts. Other countries have adopted more stringent, regulatory approaches that could be considered in the United States, but U.S. government experts caution that some of those approaches might prove counterproductive if imposed on U.S. firms.
Concern has grown over the past few years that the commercial telecommunications supply chain is vulnerable to compromise, particularly through components manufactured abroad. Global telecommunications firms largely have instituted their own security measures, based either on national guidelines, where they exist, or on consensus standards offered by domestic trade groups. Where no strict national standards or practices exist, companies adopt voluntary practices that they judge to provide the needed level of security.
These points were outlined in congressional testimony by Mark L. Goldstein, director of physical infrastructure issues for the Government Accountability Office (GAO). The public highlights of his testimony, which omit some sensitive information contained in the related GAO report, note that U.S. telecommunications network equipment came from more than 100 foreign countries and that many components are manufactured both abroad and in the United States. Yet no industry standard, let alone any government regulation, addresses all aspects of supply chain risk management.
According to the report, U.S. telecommunications companies select vendors for both security and reliability factors. These factors include past security performance and reputation, and some telecommunications firms establish vendor risk profiles scaled for critical components. Equipment destined for core networks is procured only from the most trustworthy vendors, company officials say, and in many cases, security practices are embedded in the purchase contract.
The report notes that federal government officials have warned two U.S. network providers against using certain vendors for national security reasons. Even if some countries are considered security risks, companies do not automatically disqualify vendors from those nations, the report states.
One area of weakness involves vulnerability testing. Many providers test equipment throughout its lifecycle using third-party testing firms, which perform vulnerability scans, penetration tests and source code analysis. Yet third-party testing has several limitations, according to a recent congressional report cited in the GAO report. Test methods can be rigid and may not reflect the way the equipment actually is installed in the network; equipment behavior varies with how the gear is configured, so results for a laboratory configuration need not carry over to a deployed one; and vendors often finance their own security evaluations, which poses a conflict of interest. In addition, the pace of technology change is outstripping the evolution of third-party evaluation processes. The congressional report concludes that eliminating every significant vulnerability through third-party testing is "virtually impossible," according to the GAO.
The U.S. government has begun efforts to weigh in on supply chain risks. An executive order released in February, which calls for the National Institute of Standards and Technology to develop a framework for reducing cyber risks to critical infrastructure, may cover the telecommunications supply chain, although the extent remains to be established, according to the GAO report. Officials with the Department of Homeland Security say the department has not yet determined the degree to which it will establish authorities for the telecommunications supply chain, the report adds. Information-sharing efforts among critical infrastructure sectors may include threats to this supply chain.
The report notes that the Indian and United Kingdom governments have regulatory measures in place for supply chain security, and that the Australian government is weighing a reform proposal to establish a risk-based regulatory framework. India holds telecommunications providers responsible for the security of their networks, including the supply chain, as a condition of their operating licenses. The United Kingdom's Office of Communications enforces requirements on network and service providers to maintain both security and availability, although the office is still developing its enforcement approach.
The Australian proposal would require the country’s carriers and service providers to protect their networks and facilities from unauthorized access or interference. The government would provide guidance on network supervision and control, and it would have the authority to enforce these measures in the event of noncompliance.
The GAO report warns, however, that adopting some of these approaches in the United States could have detrimental effects on the telecommunications sector. Trade barriers, additional costs and constraints on competition are among the potential effects of implementing the supply chain security measures that other nations impose on their telecommunications infrastructure, some of which the report characterizes as highly restrictive. U.S. agencies would need to weigh these considerations before opting to implement any of these approaches, the report states.
The public version of the GAO report can be found at http://www.gao.gov/products/GAO-13-652T.