A top Homeland Security official admitted to Congress that electronics and software sold in the United States are sometimes preloaded with spyware, malware, and other nasty security-compromising components by unknown foreign parties.
Greg Schaffer, DHS assistant secretary for cybersecurity and communications, testified to the House Oversight and Government Reform Committee last week, saying that Homeland Security and the White House have been aware of the threat for quite some time.
Schaffer admitted he is aware of instances when foreign-made technology was built with embedded security risks but did not elaborate on what kind of equipment DHS has encountered. He also pointed out that overseas components are found in many domestically manufactured electronics.
Fast Company's Neal Ungerleider, who first reported the news, uncovered a few paragraphs in the White House's Cyberspace Policy Review (PDF) that he thinks show the administration is aware of problems with imported technology:
"The emergence of new centers for manufacturing, design, and research across the globe raises concerns about the potential for easier subversion of computers and networks through subtle hardware or software manipulations. Counterfeit products have created the most visible supply problems, but few documented examples exist of unambiguous, deliberate subversions.
A broad, holistic approach to risk management is required rather than a wholesale condemnation of foreign products and services. The challenge with supply chain attacks is that a sophisticated adversary might narrowly focus on particular systems and make manipulation virtually impossible to discover. Foreign manufacturing does present easier opportunities for nation-state adversaries to subvert products; however, the same goals could be achieved through the recruitment of key insiders or other espionage activities."
Based on the review, which was written several months ago, the most compromised technology is counterfeit devices, but it's possible mainstream products could be infected. This is particularly troubling since DHS declined to specify what kind of technology it found with embedded malware.
MSNBC's Alex Johnson found a YouTube video of the hearing; you can watch the exchange starting at 51:47.