The National Security Agency (NSA) and the Trusted Computing Group (TCG) industry consortium have come up with validation software that can be used with any device and could go a long way to securing the supply chain for computing devices.
NSA Research and TCG worked for two years with Intel to develop the software and standards for a supply chain validation process, NSA said. Essentially, certificates defined by TCG and containing attributes about a device are created during manufacturing and delivered with that device in the Trusted Platform Module (TPM), which keeps the information secure during the process. NSA’s Host Integrity at Runtime and Startup (HIRS) software taps into that information in order to validate the source of components, linking it to the manufacturer.
The validation process can be applied to any device through multi-stage productions involving multiple vendors, NSA said, and is capable of identifying a wide range of possible risks, including the swapping of malicious components for legitimate ones.
“The development of open source tools for Trusted Computing-based supply chain validation provides the U.S. government with greater confidence in the security of our mission critical systems,” said Peg Mitchell, NSA CISO. “The cryptographically verifiable certificates that bind devices and peripherals to their trusted platform manufacturer will help reduce supply chain threats. This technology will bolster the security posture for NSA, the Department of Defense, and for commercial entities that require high confidence in the integrity of their systems.”
The supply chain poses one of the biggest cyber risks facing government systems, with the prospect that back doors and other hibernating malware can be inserted into hardware and software between its manufacturing origins and arrival in government systems, often after making a few stops along the way.
The issue was highlighted last October when Bloomberg reported on the alleged motherboard hardware hack by the Chinese from server-maker Super Micro which were sold to Apple, Amazon, and more than two dozen other companies. Super Micro, Apple, Amazon, and others furiously disputed that they’d been hacked, but regardless of whether that attack succeeded, the report did shed light on the fact that something like it certainly could have happened. Supply chain security is haphazard, the threats to it are real, and attacks occur regularly, as the Government Accountability Office and the Office of the Director of National Intelligence, among others, have pointed out.
A MITRE report stated that supply-chain attacks “can render our national capability to project power, hard or soft,…and collapse or even reverse the decision cycle.”
Accenture’s most recent Cyber Threatscape Report details how supply chain attacks have become an effective means of infiltrating victim organizations, and gives examples of attacks by Russia and China. And considering the “supreme concern” nations are giving to the weakening or weaponization of hardware, software, and firmware in the supply chain, the attacks are likely to continue. “Software supply chain tampering by resourced nation-state or criminal groups will continue to be used as a delivery method for increasingly sophisticated malware families,” the report said.
Supply chain risks are complicated because they encompass a product’s entire lifecycle, multiple stages of production and use, and often involve hardware, the Department of Homeland Security said while kicking off its own effort to combat the problem. DHS in October launched the Information and Communications Technology (ICT) Supply Chain Risk Management Task Force to coordinate efforts in government and industry to develop holistic solutions.
Among the recommendations for shoring up the supply chain is “baking in” security during the acquisition process, which the Pentagon and Congress both have called for. NSA’s validation software promises to be a step in that direction. The agency and TCG want to make the process a new standard, similar to a digital background check in which certificates provide evidence similar to that of a birth certificate and history.