FBI Concerned About Implications of Counterfeit Cisco Gear
SpicyBrownMustard writes "An FBI PowerPoint presentation provides details about a criminal investigation into counterfeit CISCO hardware originating from China, and sold by Gold/Silver partners to numerous US government, military, and intelligence agencies. The concern of the article's author and the FBI is that the counterfeit equipment may be state-sponsored to aid in accessing otherwise secure systems (slides 46+47). Says the article author: 'The threat is real. Compromised hardware of potentially hostile foreign origin sits within secure networks of the US government, military, and intelligence services. And as you now see, the FBI has been concerned about it.'" We've mentioned the seizure of some of this equipment before, but this presentation adds quite a bit of detail, and highlights the FBI's concern of Chinese government involvement.
> This is going to keep a lot of people awake at night.
As well it should, because they never should have allowed the production of critical national-security infrastructure components to be outsourced in the first place. Now that they've dug themselves into an impossibly deep hole, they're going to start complaining that the view sucks.
I think the first thing that needs to happen, is that some agency (the NSA seems the most suited) needs to create and bootstrap 'reference platforms' for various architectures. Create a secure compiler chain from the ground up, auditing code the whole way. There's no other way to be sure that you're not just compiling in backdoors, otherwise.
Then with that accomplished -- and it would need to be done for every architecture that needs to be secured -- they'd at least have a secure toolset and compiler chain to vet COTS code with. (It goes without saying that any product that doesn't come with source code, and which can't be compiled on a secure compiler and then have that object code loaded in and run, should be immediately removed from the secure infrastructure. It's beyond broken.)
It would be a major effort, and probably a large shift in scope for the agency put in charge of it, but I think the problem is too important to do anything less. The economic, political, and military security of nations is going to rest firmly on electronic infrastructure, and we need to make the trustworthiness of that infrastructure a national priority.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."