Confirming years of warnings from government and private security experts, a top Homeland Security official has acknowledged that computer hardware and software are already being imported to the United States preloaded with spyware and security-sabotaging components.
The remarks by Greg Schaffer, the Department of Homeland Security's acting deputy undersecretary for national protection and programs, came Thursday during a tense exchange at a hearing of the House Oversight and Government Reform Committee. The panel is considering an Obama administration proposal to tighten monitoring and controls on computer equipment imported for critical government and communications infrastructure.
Schaffer didn't say whether the equipment he was talking about included end-user consumer tech like retail laptops, DVDs and media players. If so, his comments, first reported Friday morning by Fast Company, would be the first time the United States has publicly confirmed that foreign consumer technology is arriving in the country already loaded with nasty bugs like key-logging software, botnet components and even software designed to defeat security programs installed on the same machine.
DHS did not respond to requests to clarify Schaffer's remarks.
Schaffer made the statement under questioning from Rep. Jason Chaffetz, R-Utah, who noted that "the issue of software infrastructure (and) hardware built overseas with items embedded in them already by the time they get to the United States ... poses, obviously, security and intellectual property risks."
"A, is this happening, Mr. Schaffer? And, B, what are we going to do to fight back against this?" he asked.
Schaffer began his answer by stating how important the issue is to President Barack Obama. But Chaffetz cut him off and, at Schaffer's request, broadly restated the question to extend it beyond government infrastructure:
"Are you aware of any component software (or) hardware coming to the United States of America that already have security risks embedded into those components?"
Schaffer paused for about 10 seconds before replying:
"I am aware that there have been instances where that has happened."
You can watch the exchange here, beginning at 51:47: