Digital Back Door
After federal agents discovered and seized faux Cisco gear in Defense Department computers -- apparently produced in China -- there was some speculation that spies had tried to build in backdoor paths to sensitive or classified information.
The New York Times' John Markoff had a typically fascinating piece about the investigation.
"The new law enforcement and national security concerns were prompted by Operation Cisco Raider, which has led to 15 criminal cases involving counterfeit products bought in part by military agencies, military contractors and electric power companies in the United States. Over the two-year operation, 36 search warrants have been executed, resulting in the discovery of 3,500 counterfeit Cisco network components with an estimated retail value of more than $3.5 million, the F.B.I. said in a statement."
Now Joab Jackson at Government Computer News has an interesting idea: What if General Services Administration practices contributed to the problem?
"According to a set of Federal Bureau of Investigation presentation slides now floating around the Internet, part of the reason the bogus equipment ended up in military systems was that the General Service Administration's procurement language allows for two or three levels of subcontractors to be brought in by the winner bidder.
"This subcontracting can lead to the bidder purchasing hardware from non-Original Equipment Manufacturers, presumably to save money. The agencies would be none-the-wiser."
Here's a link to a Web page that has an FBI presentation about the case.
Computer security is a big deal. This kind of thing keeps happening. Anybody know whether there is any concern about the layers of code-writing that goes on around the world, every day, for projects that end up in the federal government?
By Robert O'Harrow |
May 16, 2008; 7:00 AM ET
Posted by: upstate111 | May 20, 2008 10:22 AM
Robert, to answer your question re "concern," yes, there is concern, but it isn't actionable -- for several related reasons:
(1) security policy is measured and enforced at the network level, not in application code. In other words, the DoD internal networks are monitored, but no one inspects the source code being used for IT systems that actually run the Defense Department. Example: Oracle builds much of its ERP code off-shore, but I am aware of no Defense branch that actually performs source-code inspection to ensure that back doors aren't present in the code.
(2) The reason why this situation exists is cost. In other words, actions to stretch the taxpayers' dollars actually lead to inadequate funding for security inspections and for the skills necessary to conduct such inspections. The result is largely hidden, in part because DoD doesn't sufficiently fund oversight and verification. Take a look at some of the recent ERP implementations and compare the cost of personnel to commercial implementations. I am aware, for example, of one DoD Oracle implementation of a financial system where the prime wanted Oracle ERP skills at $30/hour, a cost far, far below the going rate in the commercial sector.
Ironically, the DoD's effort to reduce the cost of IT results in a lot of waste and rework. It is akin to hiring the cheapest painter for your house and then having to repaint a few months later because your cheap contractor didn't know how to do a paint job that would last for many years.