We’ve written a lot about the threat posed by nation-state sponsored hackers to U.S. corporations and the economy. So-called “advanced persistent threat” (or APT) style attacks against corporate and government networks have been linked to the theft of sensitive data and intellectual property.
Difficult as it is to stop APT attacks against networks, it is even harder to identify threats one step removed from direct attacks. Lately, attention has shifted to vulnerabilities in the supply chain of companies selling networking gear, servers and other critical IT components. Concerns about corrupted products from foreign suppliers were enough to prompt the U.S. Congress to hold hearings focused on the threat posed to government agencies by Chinese networking equipment makers like Huawei and ZTE.
In this week’s podcast, The Security Ledger talks with Jerry Caponera of Cyberpoint International. Cyberpoint is a Baltimore, Maryland firm that sells Prescient, a service that analyzes foreign-made products to determine where real vulnerabilities exist. It then creates licensed, Prescient-branded versions of those products that ship with security assurances. The company’s motto is “Made overseas, secured in America,” and it casts this model as a necessary “third way” of dealing with supply chain risk.
Jerry told me that his company sees “lots of weird stuff” when analyzing foreign products – though much of it falls under the banner of “poor design” or “inelegant coding” rather than malicious intent. The companies that Cyberpoint works with are mostly concerned with making sure that the critical parts of their businesses are running in a secure fashion. “There are vulnerabilities across every product we use in IT. Some are poor development. Some are poor QA. Some are malicious. You can’t tell by looking. We need to realize that there are vulnerabilities in products and deal with them – either way.”
Check out the full podcast by clicking on the links below.