4G and 5G Network Security Vulns DO Affect Pro AV: Here’s How

Supply chain attack vectors & 5G network security will soon have large corporations & universities demand more info about supply chains of AV manufacturers.

Paul Konikowski

By now, most readers have probably heard about the numerous 4G and 5G network security vulnerabilities found in Chinese manufacturer Huawei’s product line. ZTE’s routers have also been determined to be insecure. These are prime examples of supply chain attack vectors.

On Friday 11/22/2019, the United States Federal Communications Commission finalized its decision to ban Huawei and ZTE equipment from any future telco projects paid for by the FCC’s Universal Service Fund.

EU countries have followed suit, backing a tough line on 5G providers on the same day. The FCC is also taking comments on another plan which would remove Huawei and ZTE equipment from networks that already exist.

Many audiovisual integrators, manufacturers, and end clients are probably thinking, “So what? This is about 4G and 5G networks, it doesn’t affect my AV business, right?”  Well, the answer might surprise you.

Supply chain attack vectors & pro AV

The headlines about Huawei and ZTE are just the first examples of a broader growing concern about supply chain attack vectors.

Don’t think your AV system will be targeted?  Just consider how many of today’s AV devices have network jacks on them.

There could be scenarios in which malware could be implanted into legitimate software updates, either at the software production level or by a third-party vendor.

Source code could be added to firmware updates to take advantage of zero-day vulnerabilities and back doors in chips.

In October 2018, General James Mattis (Secretary of Defense at the time) issued a memo creating the Protecting Critical Technology Task Force (PCTTF) to “ensure the integrity and security of our classified information, controlled unclassified information, and key data.”

In the same month, the National Insider Threat Task Force (NITTF), run by the FBI and the Office of the Director of National Intelligence, released the Insider Threat Program Maturity Framework, which, among other things, mentions “technology use and risks”.

But this still doesn’t apply to you, right?

Soon after, in November 2018, the Department of Homeland Security hosted the inaugural meeting of the Information and Communications Technology (ICT) Supply Chain Risk Management Task Force, a public-private partnership.

Members include cybersecurity giants like FireEye and Palo Alto Networks, telecom providers like AT&T and Sprint, hardware providers like Samsung and Cisco (hmmm), as well as the National Association of Broadcasters (NAB)… doesn’t NAB host a big trade show with large format displays and cameras? And you still think the supply chain worries don’t apply to your AV business?

In July 2019, U.S. Senators Mike Crapo and Mark Warner introduced a bill named S.2316 – Manufacturing, Investment, and Controls Review for Computer Hardware, Intellectual Property, and Supply (MICROCHIPS) Act of 2019.

If the MICROCHIPS Act legislation passes, it would create a new government body called the National Supply Chain Intelligence Center, tasked with reviewing equipment and technologies used by government agencies and the US military.

But you don’t sell to government agencies or military bases, right?  And this is only pending legislation, and there’s no way of enforcing it, right?

Word on the AV Street is that some manufacturers and products are already being informally blacklisted by certain military and government agencies because those agencies are worried about the products’ Chinese supply chains.

This fear is only going to get bigger, and sooner or later, large corporations and universities are also going to demand more information about supply chains of AV manufacturers.

But this doesn’t affect you, right?
