DHS says foreign parties put malware in products imported into US

Greg Schaffer, acting deputy undersecretary of DHS’s National Protection and Programs Directorate, told a House panel last week that his office is “aware” of instances where malware was loaded onto software and hardware made in other countries and sold in the US.

Schaffer made the admission in response to a question by Rep. Jason Chaffetz (R-Utah), who sits on the House Oversight and Government Reform Committee. The committee was holding a July 7 hearing on the Obama administration’s cybersecurity proposal.

“Are you aware of any component software or hardware coming to the United States of America that has security risks already imbedded into those components?” Chaffetz asked.

Schaffer responded: “I am aware of instances where that has happened.”

Chaffetz followed up with the question: “What is Homeland Security doing about this?”

Schaffer admitted that “this is one of the most complicated and difficult challenges that we have.” He added that DHS and the Department of Defense had set up a task force to examine ways of reducing such incidents.

This was an issue identified in the White House’s Cyberspace Policy Review, which warned that the “challenge with supply chain attacks is that a sophisticated adversary might narrowly focus on particular systems and make manipulation virtually impossible to discover. Foreign manufacturing does present easier opportunities for nation-state adversaries to subvert products.”
