Should We Be Concerned That The Military Will Use Counterfeit Routers Bought Off eBay?

from the it's-not-pretty dept

Wed, May 14th 2008 8:38am — Mike Masnick

There was a story last week that got a lot of press about how the FBI discovered that the military was using a ton of counterfeit technology equipment, including thousands of fake Cisco routers. Dan Wallach has an excellent writeup looking at the security implications of what happened. From the description, it certainly doesn't sound like any of the equipment was found to include any kind of questionable technology for spying, but the point is that it would have been easy enough if someone had wanted to do so. Basically, the background is that while the government only buys equipment from approved vendors, those vendors can subcontract out the actual tech purchases to anyone. That leads to situations where (no joke) one subcontractor purchased a bunch of fake routers off of eBay and then resold them to the government via an authorized vendor. Or, try to follow the details of the case of the US Navy contracting with Lockheed Martin for equipment. Lockheed outsourced the deal to an unauthorized Cisco reseller as a subcontractor. That subcontractor turned to its own subcontractor who (yup, you guessed it) hired another subcontractor who shipped the equipment straight to the Navy. If you lost count, that's five layers deep, with most of those layers having no real oversight on what they did. You would think the government (and especially the military) would be a bit more careful in where it sourced its products from, but it certainly doesn't seem as though that's the case at all. Given all that, it's almost difficult to believe that compromised equipment hasn't been sold to the government at some point.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: counterfeit, espionage, government procurement, military, routers, security, supply chain
Companies: cisco

18 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 14 May 2008 @ 9:19am

All encryption is decipherable.
All equipment is or can be potentially compromised.
All ur bases r belong 2 us.

Clearly this breakdown of government contractors needs to be investigated and addressed, but one large lesson learned is the value of end-to-end encryption. Cryptography that stays technologically ahead of attempts to thwart it.

I hate to say that "obscurity" is the best solution, but if we continue to shake up our encryption protocols, dilute sensitive information in a flood of nonsensical garbage and challenge authenticity ultimately end to end, the equipment in the middle of a cloud is less of an attractive target.
[ link to this | view in chronology ]
- Anonymous Coward, 14 May 2008 @ 10:28am
  
  Re:
  Nothing wrong with obscurity. Just as long as it is not the only solution. There is nothing wrong with it being a part of the solution. People act as though it's a bad word all together.
  [ link to this | view in chronology ]
ranon, 14 May 2008 @ 9:21am

If the military finds that the routers are substandard then they should return them, or get compensation from the FIRST contractor. The military has nothing to do with any sub contractors.

If they can enforce good quality with the first contractor, then they will get a good product, whatever the number of subcontractors.
[ link to this | view in chronology ]
Overcast, 14 May 2008 @ 9:22am

Let's trust everything to computers!! Bank Accounts, Energy Production, National Defense, Vote Tallies..

sounds like a bad Sci-Fi, huh?
[ link to this | view in chronology ]
Pedro Mack, 14 May 2008 @ 9:27am

Outside of the security implications, how great is it that the government is overpaying for these services/products by such a huge margin, that four levels of markups can be charged along the way, while still coming in at a price that the government is willing to pay?
[ link to this | view in chronology ]
Doc, 14 May 2008 @ 9:34am

So Bruce Willis was right "Live Free or Die Hard"... it's a Fire Sale!
[ link to this | view in chronology ]
Hank, 14 May 2008 @ 9:58am

worse yet.....
What's really scary is that most equipment and work on overseas bases is provided by the host country.

When I was stationed in Korea I worked with Top Secret, intelligence gathering, computer systems that were basically the key to any war time decision making.
When we needed new equipment or needed any infrastructure work done we had to use Korean contractors. We did an upgrade of the entire system about halfway through my tour and most of the work was done by Korean contractors. Tell me how much sense that makes. Do you honestly think that they haven't planted equipment that allows them to see what we are working on?

Our govt acts as though they are concerned with national security yet they give away the keys to kingdom all the time. This stuff going on with fake routers doesn't surprise me one bit.
[ link to this | view in chronology ]
- TW Burger, 14 May 2008 @ 10:30am
  
  Re: worse yet.....
  It's the same in Iraq and Afghanistan. Locals are hired for kitchen, laundry, and janatorial jobs and the MI officers stand around confused as to why motar attacks on the bases tend to be so accurate...
  
  In 'Ghan they hire a local contractor to wire the metal storage containers that were converted to apartments (don't ask) and the whole thing is done with one color of wire, cables running through puddles, and no grounding.
  
  I will not let a local anywhere near my communications networks and I buy the equipment myself and inspect each unit personally.
  [ link to this | view in chronology ]
  - NRK, 14 May 2008 @ 10:53am
    
    Re: Re: worse yet.....
    Your are the exception... most Gov agencies hire it done, and if it works, and sometimes when it doesn't, writes a check. Then the equipment is out-of-site out-of-mind until there is a problem and then it is too late to go back to the contractor.
    
    We had the same problem in Viet Nahm hiring locals who would pace off the size of the compound and any high-value targets. Next day the mortars would come in with pin-point accuracy.
    
    To have integrity, the military need to do it all, that is why we have cooks, bakeries, laundry units, etc. in the military, and the soldiers have to take their turn at gurad, shit burning, etc.
    
    Some day we will study the lessons learned from pat conflicts and apply them to current one...
    
    nrk
    [ link to this | view in chronology ]
- chris (profile), 14 May 2008 @ 11:17am
  
  Re: worse yet.....
  maybe things have relaxed a bit since i was in the service in the 90's, but when it comes to classified materials the equipment that is cleared for classified is clearly marked and the equipment that is not cleared for classified material is also clearly marked. there are separate networks (data and voice) for classified material.
  
  information about the systems that handle classifed material (hardware vendors, versions of unix, etc.) is also classified, so if the phony brand name of the equipment was leaked, chances are it was for non-classified (though possibly still sensitive) material.
  [ link to this | view in chronology ]
- Jake, 14 May 2008 @ 11:31am
  
  Re: worse yet.....
  Using the same suppliers and contractors as the South Korean government would be the best bet in that situation; if their security's been compromised by agents from the North you're screwed anyway.
  [ link to this | view in chronology ]
N1ck0, 14 May 2008 @ 10:08am

Registration
Whats also pretty bad is Cisco has a pretty good registration system for their equipment. And like most higher end network equipment, Cisco maintains records of what vendor has sold what S/Ns. Yes in some circumstances registration is a bit cumbersome, but in most cases equipment needs to be registered with the inventory system anyway...its not that much of a stretch for supply officers to query the databases and confirm IDs with OEM on a routine basis.
[ link to this | view in chronology ]
Davey, 14 May 2008 @ 11:22am

Been there. Called the cops.
My IT manager here at *.gov (where we have substantial security concerns) has been sold counterfeit equipment. However, we bought it directly and saw it for what it was. A call to the U.S. Marshall's office straightened everything right out. IMHO, Federal acquisition regulations are partially responsible for taking the buying decisions out of the hands of people who might know what they're getting, and putting it in the hands of folks that want low bid. Procurement agents are notorious for using their own (uninformed) judgement when buying technology (e.g. "This item is NOT 'or equal' dammit!")
[ link to this | view in chronology ]
- Technical Purchasing Manager, 14 May 2008 @ 1:36pm
  
  Re: Been there. Called the cops.
  Brilliant Davey. Thanks, I needed a good laugh today.
  
  Definition:e.g = for example: as an example; "take ribbon
  snakes, for example"
  
  Your e.g. is an opinion, not an example. It contains hostile emphasis and swearing in just seven words. Good thing your opinion is humble. Keep it that way.
  [ link to this | view in chronology ]
  - Nasch, 15 May 2008 @ 12:00pm
    
    Re: Re: Been there. Called the cops.
    Lighten up, dude. He was giving an example of something that might be said after purchasing agents make a bad purchase. If someone's phrasing on a blog post isn't perfect, you don't have to point it out every time if you can still tell what he's trying to say.
    [ link to this | view in chronology ]
  - Nasch, 15 May 2008 @ 12:02pm
    
    Re: Re: Been there. Called the cops.
    I just looked at your name, Technical Purchasing Manager, and now I realize you made that post not just because you're neurotically pedantic (though you may be), but because you were feeling attacked. In other words, this is probably based on emotion and not reason, so never mind.
    [ link to this | view in chronology ]
Anonymous Coward, 14 May 2008 @ 5:20pm

PHB: How do you reboot this thing again ?
Dlbrt: Like I told you, turn it upside down and shake,
[ link to this | view in chronology ]
Rekrul, 14 May 2008 @ 7:49pm

They probably got a really good price on the counterfeit routers. Maybe they only paid $200,000 each for them instead of $500,000 each...
[ link to this | view in chronology ]