According to a top Homeland Security official, testifying before a hearing of the House Oversight and Government Reform Committee, computer software and hardware is being imported to the United States pre-loaded with security-defeats and spyware.

Greg Schaffer is Acting Deputy Undersecretary for National Protection and Programs at the Department of Homeland Security (at least he’s not the temporary acting deputy under… there are those too). 

Schaffer made a disturbing statement in response to a query by Rep. Jason Chaffetz, R-Utah, who first took care to state “the issue of software infrastructure (and) hardware built overseas with items embedded in them already by the time they get to the United States … poses, obviously, security and intellectual property risks.”

Rep. Chaffetz then asked, “A)  Is this happening, Mr. Schaffer?  And, B)  What are we going to do to fight back against this?”

After a moment’s obfuscation on the part of Schaffer, the representative sharpened his query, “Are you aware of any component software (or) hardware coming to the United States of America that already have security risks embedded into those components?”

Schaffer:  “I am aware that there have been instances where that has happened.”

The panel is considering a government proposal to tighten controls on imported computer equipment for use by critical government and communications infrastructure.* 

It would seem to me that that area would already have the highest possible standards.  How many times have we stated here that protections must lead threats, not lag, and that a proactive, provocative security awareness is necessary?

The hearing didn’t tease out whether imported equipment included consumer-grade technical components and software like retail media, laptops, desktops, consoles, etc.  However, if it’s determined that there’s a necessity to survey those imports, watch for consumer-grade items to jump in price, as cost of inspection and survey gets added to the bill.

* Meantime, the government isn’t doing everything possible to inspect and screen their own components?  In the age of botnets, key-logging software, password discovery mechanisms,  encryption-busting and other software that defeats and disables existing security programs, there’s no excuse.  The missing existence of a progressive, matching, security posture and aggressive monitoring and survey/scrub for malfeasance is unaffordable.

Further, when an aggressive program is in place, that program is affordable because there is no cold-start mount in the face of extreme security perils:  It’s kinda like riding a bike uphill; you get a good start on the stretch, and are then able to pedal into the hill… eventually, you get back on level ground and your effort eases – but you don’t relax – you’re readying for the next hill.  However, if you start on the hill, it’s tough to get going.

What has the government been doing if it is just now acknowledging import of infected components?  And… further, it is just now considering more stringent controls?  It’s past time to pedal faster.

For your environment:  True security demands an aggressive posture.  Be certain to have the right mind-set in your organization.  Review the security-themed posts here as necessary.

Keep pedaling.

On this day:  July 11^th, 1798 Congress creates the Marine Corps.