A top Department of Homeland Security (DHS) official has admitted that software and hardware components imported to the U.S. are being deliberately preloaded with spyware and malware. The revelation was made in testimony before the House Oversight and Government Reform Committee, where acting deputy undersecretary of the DHS National Protection and Programs Directorate Greg Schaffer told Rep. Jason Chaffetz that he's aware of instances where this has happened.
Schaffer was discussing an Obama-backed proposal to tighten monitoring of computer equipment imported for critical government and communications infrastructure. He didn't elaborate on where these components are coming from, or whether consumer electronics like smartphones and laptops have been affected, but supply chain risk management is clearly an issue that the government is focused on amid a rise in cyber threats.
It's unclear how widespread the issue really is. There have been cases in the past where software and hardware components shipped out of factories infected with malware, but these are generally considered unintentional, originating from an infected machine within the company. What Schaffer suggests is an intentional and possibly targeted attack sponsored by foreign governments to get hold of classified information.
While the threat of a contaminated supply chain may be real, poor security measures have also played a role in the recent wave of cyber attacks on large U.S. companies and government agencies.