There was a story last week that got a lot of press about how the FBI discovered that the military was using a ton of counterfeit technology equipment, including thousands of fake Cisco routers. Dan Wallach has an excellent writeup looking at the security implications of what happened. From the description, it certainly doesn't sound like any of the equipment was found to include any kind of questionable technology for spying, but the point is that it would have been easy enough if someone had wanted to do so. Basically, the background is that while the government only buys equipment from approved vendors, those vendors can subcontract out the actual tech purchases to anyone. That leads to situations where (no joke) one subcontractor purchased a bunch of fake routers off of eBay and then resold them to the government via an authorized vendor. Or, try to follow the details of the case of the US Navy contracting with Lockheed Martin for equipment. Lockheed outsourced the deal to an unauthorized Cisco reseller as a subcontractor. That subcontractor turned to its own subcontractor who (yup, you guessed it) hired another subcontractor who shipped the equipment straight to the Navy. If you lost count, that's five layers deep, with most of those layers having no real oversight on what they did. You would think the government (and especially the military) would be a bit more careful about where it sourced its products, but it certainly doesn't seem as though that's the case at all. Given all that, it's almost difficult to believe that compromised equipment hasn't been sold to the government at some point.