NSA Back-Door Exploits Present Hurdles, Opportunities For U.S. Companies Selling Overseas
U.S.-based storage and other systems vendors and solution providers could face new hurdles selling to overseas customers based on new allegations that the National Security Agency inserted malware into components and intercepted IT shipments.
However, according to a former solution provider charged with building his company's overseas sales, those hurdles could be mitigated depending on where the systems were assembled and the level of demand for them.
Meanwhile, a security solution provider said, the NSA's possible tinkering could actually be good for businesses that can provide help in mitigating issues related to the spy agency's malware programs.
[Related: Dell, Cisco 'Deeply Concerned' Over NSA Backdoor Exploit Allegations ]
The NSA has been installing back doors in IT storage and networking products as a way to tap into the data accessed by those components, according to Germany-based Der Spiegel.
Those back doors include malware installed on PCs or servers that are "invisible" to anti-virus and other security software, as well as on hard drives from vendors including Seagate, Western Digital, Samsung and Maxtor, Der Spiegel wrote. Seagate in 2006 acquired Maxtor.
The NSA also has the ability to intercept shipments of new computer systems or accessories, Der Spiegel reported in a separate story.
According to that story, the NSA's Office of Tailored Access Operations, or TAO, can divert IT shipments to its own secret workshops.
"The NSA calls this method interdiction. At these so-called 'load stations,' agents carefully open the package in order to load malware onto the electronics, or even install hardware components that can provide back door access for the intelligence agencies. All subsequent steps can then be conducted from the comfort of a remote computer," Der Spiegel wrote.
Seagate and Samsung were unable to respond for comments on the Der Spiegel report. Western Digital emailed a statement to CRN that read: "Western Digital has no knowledge of, nor has it participated in the development of technology by government entities that create 'implants' on Western Digital hard drives, as Der Spiegel described."
For U.S.-based vendors and solution providers looking to tap overseas markets, the reports present new hurdles as international customers will be increasingly concerned about how secure their IT equipment and infrastructures are, said John DeRocker, who prior to September was senior vice president of worldwide channels for Houston-based Computex Technologies where he managed that company's international vendor and distribution partners and engaged with new manufacturing partners.
NEXT: Security Vs. Assembly Location Vs. Demand
A big variable is the location where the systems are assembled, as well as how high the demand for those systems is, DeRocker said.
Servers or PCs assembled in the U.S. and shipped overseas could be subject to interdiction by the NSA, while those assembled in other countries for sale overseas would be less likely to be intercepted, he said. But in either case, customers will increasingly scrutinize their purchases of U.S. IT gear.
"The demand is too great for non-U.S. entities to not purchase from U.S. companies," he said. "But you'll see them impose demands that products be assembled in-country, or in-region. They will want the best price, but know where they are assembled. If a German company is buying IBM servers, they'll want them to be manufactured in the European Union, and not in Raleigh, [N.C.]"
Such concerns also impact products assembled in local countries with even a small amount of components imported from the U.S., DeRocker said.
"If a German entity says its wants [Hewlett-Packard] systems, but they have to be configured in the European Union, HP might respond by saying that 80 percent of the components can be sourced locally, but the rest has to come from the U.S.," he said. "That could alienate certain manufacturers and the solution providers, which lead with those manufacturers."
Buying U.S. products from non-U.S. assembly partners eliminates the fear, or at least part of the fear, of potential tainting by the NSA, DeRocker said.
But at the same time, it also increases potential competition for solution providers.
"You will get into more competition with companies inside the customers' country," he said. "In the past, we may have had one or two competitors in Germany. Now it may be five or six. So this is more of a hurdle."
Concerns will likely be lower for products assembled outside the U.S., such as Lenovo servers and PCs, which are assembled and shipped from China, or EMC storage systems, which are built in Dublin, Ireland, for European customers, DeRocker said.
"I find it hard to believe a system manufactured in Belgium for shipment to Germany could be intercepted," he said. "But we don't know that for sure."
NEXT: Opportunities From The Spy Scandal? Why Not?
As for allegations that hard drives are tainted with NSA-installed malware, that becomes an issue for which there are few answers, DeRocker said.
"If malware is inserted in a drive before it leaves the manufacturer, or on route to the U.S., there's no way around it in the U.S. market," DeRocker said. "If a company like Seagate manufactures its disk drives overseas and ships to non-U.S. customers, I'm not sure how the malware could be inserted unless someone at the manufacturer helped."
Andrew Plato, president of Anitian Enterprise Security, an Oregon-based solution provider, said that, while his European customer base will likely be hesitant to use technology that's been linked to the NSA, his U.S. customers don't share that same mentality and aren't as quick to walk away from their existing technology investments because of an NSA report.
"If you think of a place that’s made a huge investment in Cisco for their infrastructure, they aren't going to throw it away because of an NSA spying [report]," Plato said.
Plato also noted that the uptick in NSA leaks and surveillance reports this year has actually been beneficial to his business, as more and more companies call on solution providers to perform what he called "security validation services."
"Companies are starting to hire us to come in and validate the integrity of their technology," Plato said.
Kristin Bent contributed to this article.
PUBLISHED DEC. 30, 2013