A top Department of Homeland Security official acknowledged on Thursday that some foreign-made components in American electronic devices have been found to be predesigned to allow cyberattacks.
“I am aware of instances where that has happened,” Greg Schaffer, who on June 5 was named acting deputy undersecretary at DHS’s National Protection and Programs Directorate, told a hearing of the House Oversight and Government Reform Committee.
After repeated questioning by Rep. Jason Chaffetz, R-Utah, Schaffer admitted that officials are aware of such tampering. The question of so-called “supply chain” security is controversial, given that many electronic components are manufactured overseas, but it is still unclear how pervasive the problem may be.
“Counterfeit products have created the most visible supply problems, but few documented examples exist of unambiguous, deliberate subversions," the White House’s Cyberspace Policy Review says.
Despite the risk, the White House plan does not aim to blame specific suppliers. “A broad, holistic approach to risk management is required rather than a wholesale condemnation of foreign products and services," it recommends.
Schaffer was one of four top administration officials on hand Thursday to testify about the White House policy proposal, which calls for more information-sharing between private industry and government agencies and modifying the Federal Information Security Management Act to require continuous monitoring of government networks.
House Oversight and Government Reform is the latest of several congressional committees to examine the proposals, and Chairman Darrell Issa, R-Calif., said it was the first in a series on cybersecurity.
To encourage companies to share information about cyberattacks, the White House plan proposes to provide legal immunity for companies to cooperate. But Issa questioned whether the plan would adequately protect businesses from lawsuits.
He compared the situation to that of telecommunications companies that helped the government intercept communications after the 9/11 terror attacks. “We’ve been down the road of implicit versus explicit immunity before,” Issa said.
Ranking member Elijah Cummings, D-Md., voiced concern that the information-sharing provision could open the door to abuse.
“I agree that we should encourage information-sharing between industry and government, but we also have to be careful that personally identifiable information is appropriately protected and shared with the government only when necessary,” Cummings said.
Cummings also repeated long-standing congressional calls for an overall cybersecurity official who would be confirmed by the Senate. “It is important that the official responsible for implementing FISMA [the Federal Information Security Management Act] have the authority to task all civilian departments and agencies with implementation of the federal security standards,” he said.
Want to stay ahead of the curve? Sign up for National Journal’s AM & PM Must Reads. News and analysis to ensure you don’t miss a thing.
Leave a Comment