Recent events have raised concerns about hidden backdoors and malicious code inside counterfeit hardware -- all the way down to the integrated circuit level.
In fact, a 2005 report by the Pentagon's Defense Science Board addresses this issue. While that report assessed the problem, recent events have heightened anxiety over cyber sabotage through bogus hardware. Many now consider the use of compromised counterfeit hardware a strategic tactic in cyber warfare.
In January of 2008, a joint task force seized $78 million of counterfeit Cisco networking hardware. This international effort resulted in over 400 seizures of counterfeit networking hardware that was shipped between China, Canada and the United States. The operation, conducted by the Federal Bureau of Investigation (FBI), U.S. Immigration and Customs Enforcement (ICE), U.S. Customs and Border Protection (CBP) and the Royal Canadian Mounted Police (RCMP), and supported by other agencies within the Department of Homeland Security (DHS), clearly shows the criminal efforts that are underway.
This investigation has been underway for the last two years and has shown great results:
- 36 search warrants
- 115 seizures by ICE
- 373 seizures by RCMP
- 74,000 total counterfeit components confiscated
While there has been no public disclosure of counterfeit hardware sabotage or espionage against America by foreign countries or rogue groups, the threat is there. Supply-chain threats have now moved into the spotlight, and many organizations are moving to address the threat of purchasing counterfeit computer-related equipment. Sources at Spy-Ops told me they estimate that in 2008 counterfeit computer hardware will exceed $1.25 billion and that current security measures such as holographic labels on integrated circuits and printed circuit boards are no longer adequate means to identify authentic equipment.
Michelle Kalnas, a supply-chain subject matter expert working with me on this issue, pointed out that refurbished computer equipment poses the same threat and is more difficult to control. She went on to say, "Close coordination between the security department and purchasing with external critical equipment vendors is necessary to resolve this issue. But at this time it is the exception, not the rule."