At a hearing of the House Committee on Oversight and Government Reform, Chairman Darrell Issa, R-Calif., asked witnesses about the threat posed by "software infrastructure, hardware, [and] other things that are built overseas that come to the United States with items that are embedded already in them by the time they get here to the United States."
"Our vulnerability is not just because of enemies well known, but can often be because of enemies unknown, enemies who simply have a grudge against society," Issa said in his opening remarks. "It is today possible to be a great warrior with nothing but your slippers in your bedroom and a desire to bring down some aspect of public or private infrastructure related to the Internet. …
"Not since the end of World War II has America seen a threat so great looming for so long."
Ranking member Rep. Elijah Cummings, D-Md., noted U.S. infrastructure, "including power distribution, water supply, telecommunications and emergency services, have become increasingly dependent on computerized information systems to manage their operations and to process, maintain and report essential information."
Greg Schaffer, acting deputy assistant secretary of the National Protection and Programs Directorate of the U.S. Department of Homeland Security, told the committee it is clear that "supply chain risk management is an issue that the administration is focused on."
"This is one of the most complicated and difficult challenges that we have. The range of issues goes to the fact that there are foreign components in many U.S. manufactured devices," Schaffer said, adding it will take a "whole-of-government" effort to combat the new threats.
"It's going to take a whole-of-society effort, right down to individuals, who need to apply the patches and the virus updates to their machines.
"The ecosystem was built in a way that allowed us to take advantage of moving very fast, but the security pieces have been … bolted on after the fact. We're trying now to fix those issues, but I do think it's going to require us to build better perimeters, apply those patches everywhere on all of the systems, update those systems to the best technology, and -- and do this vigilantly in all cases," Schaffer said.