Tale of 'Bob': Does outsourcing new software pose cyber security risk?
"We are aware of several critical infrastructure organizations that outsource development projects overseas," says Robert Huber, a principal investigator with Critical Intelligence in Idaho Falls, Idaho, a company specializing in security for critical infrastructure providers. "Without a thorough security review by someone in your organization, you have no idea of the issues that are being introduced to your networks that may expand your attack surface." Malware inserted into software in the "software supply chain," as it is being written, can leave companies vulnerable to theft of their intellectual property, he says.
Software products that defense contractors supply to the Pentagon, for use in microelectronics and telecommunications, are also at risk. Most contractors have geographically dispersed supply chains that create "a vulnerability of potential insertions of malicious hardware or embedded software on the hardware components," the US-China Economic and Security Review Commission warned in a report last year to Congress.
Problems the report cited included a desktop computer purchased by the Army and made in China by Lenovo. The new computer was discovered to be "beaconing" (attempting all by itself to establish a connection) "to a suspicious foreign entity," the report noted, citing a US Army official who revealed the 2007 incident last February.
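The "beaconing" the report describes, a host opening outbound connections on its own at a regular cadence, is something a defender can look for in ordinary connection logs. The following is an added example, not code from the article or from any organization it names: it parses a small constructed connection log (the IP addresses, timestamps and format are all invented for the demonstration) and flags source/destination pairs whose inter-connection timing is too regular to be human-driven.

```python
"""Spot beacon-like connection patterns in a connection log (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample connection log (not taken from the article or any real host).
# Format per line: "<ISO timestamp> <src ip> <dst ip> <dst port>".
# 10.0.0.5 reaches 203.0.113.7 roughly every ten minutes; 10.0.0.9 browses at random.
SAMPLE_LOG = """\
2013-01-15T08:00:00 10.0.0.5 203.0.113.7 443
2013-01-15T08:00:02 10.0.0.5 198.51.100.20 80
2013-01-15T08:10:01 10.0.0.5 203.0.113.7 443
2013-01-15T08:19:58 10.0.0.5 203.0.113.7 443
2013-01-15T08:30:03 10.0.0.5 203.0.113.7 443
2013-01-15T08:40:00 10.0.0.5 203.0.113.7 443
2013-01-15T08:50:01 10.0.0.5 203.0.113.7 443
2013-01-15T08:07:30 10.0.0.9 198.51.100.20 80
2013-01-15T08:31:11 10.0.0.9 198.51.100.20 443
2013-01-15T09:02:45 10.0.0.9 192.0.2.33 80
2013-01-15T09:40:00 10.0.0.9 198.51.100.20 80
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst))
    return records


def find_beacons(records, min_connections=5, max_cv=0.1):
    """Flag (src, dst) pairs whose connection timing is suspiciously regular.

    For each pair the intervals between successive connections are computed.
    A low coefficient of variation (stdev / mean) means the host contacts the
    destination on a near-fixed period, the timing signature of a beacon.
    Returns {(src, dst): {"count", "period_s", "cv"}} for every flagged pair.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)

    findings = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few samples to judge regularity
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(intervals)
        if period <= 0:
            continue  # identical timestamps, not a periodic pattern
        cv = pstdev(intervals) / period
        if cv <= max_cv:
            findings[pair] = {"count": len(times), "period_s": period, "cv": cv}
    return findings


if __name__ == "__main__":
    for (src, dst), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {info['count']} connections every "
              f"~{info['period_s']:.0f}s (cv={info['cv']:.3f})")
```

On the constructed log the only pair flagged is 10.0.0.5 to 203.0.113.7, six connections about 600 seconds apart. The `min_connections` and `max_cv` thresholds are tuning knobs: real implants often add timing jitter, so a looser `max_cv` catches more but also sweeps in legitimate schedulers such as update checks, which is why a finding like this is a lead for an analyst to confirm against the destination's reputation rather than a verdict on its own.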