Technology components in the U.S. supply chain that arrive from overseas can come embedded with security flaws, said Greg Schaffer, acting deputy undersecretary of the Homeland Security Department National Protection and Programs Directorate.
At the time of a January federal report on the U.S-China supply chain, conversations had been largely hypothetical about “backdoor” mechanisms, where outsiders insert faulty programming into foreign-manufactured devices that could shut down systems remotely or leak information.
“These pieces are embedded in software and hardware and people don’t know that. It’s very difficult to detect,” said Rep. Jason Chaffetz, R-Utah, chairman of the Subcommittee on National Security, Homeland Defense and Foreign Operations.
“Are you aware of any software or hardware components that have been embedded with security risks?” Chaffetz asked Schaffer.
“I am aware that there have been instances where that has happened,” Schaffer said.
That news follows congressional hearings on the growing fear nation states and rogue criminals are undermining the U.S. economy by hacking into proprietary data and other sensitive information. This spring, the White House released an international strategy and legislative proposal to bolster network security.
“To date, public discussion of the vulnerabilities of electronics components to malicious tampering has been largely theoretical,” the January U.S.-China Economic and Security Review Commission staff report said. It said “kill switches” could go in Pentagon systems to power down operations in response to remote commands. “The potential for harm is enormous, extending from simple identity theft by criminal enterprises to disrupting networks and defense systems vital to national security,” the commission wrote.