Microscopically small and enormously complex circuits inserted surreptitiously into military or security hardware could potentially turn U.S. weapons against their users, warned one of the nation’s leading experts on the threat.
Altered circuitry, also known as “malicious firmware,” can lie dormant in a piece of electrical equipment for several years until it recognizes a high degree of mobilization and lets loose a “logic bomb” on the system, said Scott Borg, director of the U.S. Cyber Consequences Unit, a nonprofit research institute.
“The logic bomb could shut down the larger information system or, worse, turn the equipment controlled by the information systems against those operating the equipment,” Borg wrote in an Internet Security Alliance report, “Implementing the Obama Cyber Security Strategy Via the ISA Social Contract Model.”
When asked at a press conference whether such an incident of sabotage had ever taken place in the United States, Borg said, “I can’t comment on that.”
The Obama administration acknowledged the problem in the Cyberspace Policy Review, which was released in May.
It is important to remember that inserting such technology into a U.S. weapon system is much harder than inserting malicious software, Borg said. It is expensive and time-consuming to infiltrate a supply chain. Nation states may have the means and wherewithal to insert such technology, though.
“They are very interested in targeting hard-to-access systems, such as highly protected military, intelligence and infrastructure facilities,” the report said.
Such firmware could be installed in the design, fabrication, assembly, distribution or maintenance phases of the supply chain.
If caught, a nation might be subject to boycotts of its products. And the risk for a company that lets malicious firmware into its electronics is also great as it could mean the end of its business.
Criminals may also be interested in infiltrating the supply chain. In one case, credit card readers in northern Europe were corrupted when small phones were secretly installed inside them. The phones collected PIN numbers and late at night phoned the thieves, who downloaded the financial information. Criminal enterprises also may be interested in tampering with automated security systems in order to gain access to secure facilities, he said.
Severe countermeasures that have been proposed, such as government mandates to strictly oversee every piece of equipment destined for U.S. government use, would not be economically viable. It would be so costly “that manufacturers would walk away from providing electronics to the government,” he said.
Among the Internet Security Alliance recommendations for securing the supply chain were tamper-resistant seals and strict control of production across supply lines. Manufacturers should focus on beefing up security across the board.
“Any measures taken to protect against malicious firmware must be part of a more comprehensive security program,” Borg said. The U.S. government may have to pay for this extra security, but it should be a “relatively modest” cost, he added.