Supply Chain Risks

Do you know where your computer has been, or at least where its parts have been? Your computer, and the other hardware and software you use, carry hidden risks. We call these supply chain risks. Hardware may have parts from several different sources and locations throughout the world. Applications can have their own components from various sources, including open source software.

Open-source software is a type of computer software in which source code is released under a license in which the copyright holder grants users the rights to study, change, and distribute the software to anyone and for any purpose at no cost.

Each source is a link in a supply chain. A bad actor will target the weakest link in a supply chain and use their vulnerabilities to get access to other members of the supply chain including you, the end of the chain.


For example, Lenovo notebooks shipped with a program called “Superfish-Visual Discovery”. This program had a flaw that was not discoverable at the time by antivirus software. The program could allow a hacker to install a security certificate that would allow them to intercept your traffic and redirect you to a website set up by the hacker allowing them to capture your data.   

A supply chain can have many layers, so how can you stay protected? The US Department of Commerce maintains an Entity List, a list of countries, companies and people that are considered to represent a risk to US national security. The list is over 270 pages long. The US government and others believe that, at the direction of the Chinese government, some companies would build technology into their hardware and/or software that can put our country at risk.


The two companies most in the news are Huawei Technologies and ZTE. BIT has specific bans on their hardware in our contracts and those bans will soon be included in the BIT security policy, the ITSP. This may be challenging for BIT contractors to ensure compliance. For example, Huawei has 68 subsidiaries and affiliates in 26 counties.  Huawei itself is indirectly owned by the Chinese Communist Party. Since the BIT bans the use of hardware, software or services from proscribed companies on the US Department of Commerce Entity List, this helps protect the State from supply chain risks.

In conclusion, any equipment the State has on the State domain and connected to the internet is at risk. This includes things like computers, servers, surveillance cameras, and the software that runs them. As technology continues to change at a rapid pace, you can be assured that BIT will stay at the forefront of security. Threat actors are already trying to figure out a way into our supply chain, and BIT will continue to evaluate our risk in order to protect you, your agency and South Dakota.

For more information on supply chain risks, contact us. We are always here to help!


Providing RESOURCES. Creating COMMUNICATION. Sharing SUCCESS.