U.S. intelligence officials plan to provide information including classified supply chain threat reports to companies about the risks of hacking and other crimes tied to the supplies and services they buy. The Office of the Director of National Intelligence’s National Counterintelligence and Security Center made an announcement and released a video last week that highlights the threats foreign entities pose to the private sector’s supply chain and to the public sector organizations that use goods and services from the private sector.
The video raises awareness of increased risk to supply chains that stems from what NCSC calls a “growing dependence” on globally sourced commercial information and technologies for mission-critical systems and services. The risks are passed to end users through products and services that may contain defective, counterfeit or otherwise tainted components—such as compromised telecommunications equipment. Those threats may come from China, Russia and other governments, as well as criminals, hackers and disgruntled employees who want to steal sensitive information or disrupt operations, NCSC says.
“You’d be shocked to find out how many people really don’t know where their stuff comes from,” Bill Evanina, director of NCSC, says in a Bloomberg article. “The supply chain threat is one that’s the least talked about but is the easiest to manipulate for all aspects of our daily lives.”
The new threat reports, which may start going out in about two months, will provide intelligence and context behind hacking attacks and other activity, such as whether another country is responsible and the likely motivation, according to NCSC. It’s particularly worth noting, the agency explains, that the Chinese government has previously stolen secrets from U.S. agencies and companies to gain a competitive advantage, while the Russian government wants to deliver defective parts into U.S. supply chains to cause disruptions to military capabilities.
“Often, we get lost in putting the fire out,” Evanina says. “At the end of the day, to stop the fire we have to find out who’s lighting it.”
Companies can take many steps to help secure their supply chains, such as doing simple online research into businesses they plan to buy from, working with the FBI and the Department of Homeland Security, and adding security requirements to contracts, NCSC explains. The agency's video also recommends that acquisition and procurement personnel be made a full part of a company's security efforts, rather than operating apart from them.
“Know where your stuff is coming from,” Evanina says in the Bloomberg article. “You might have the best software and cybersecurity programs, but if you don’t have the same due diligence and understanding of the threat for the people who buy the systems that run your buildings and facilities, you’re running the risk of potential compromise.”
The U.S. government has previously accused China and Russia of cyber attacks, and interest in critical infrastructure security has surged since Ukrainian authorities blamed a power outage on a cyber attack from Russia. What's more, the Department of Homeland Security (DHS) and the FBI have previously announced that they are seeing increasing exploitation of business networks and servers by disgruntled or former employees. Some of these cases have resulted in significant FBI investigations in which individuals used their still-valid access to destroy data, steal proprietary software, obtain customer information, purchase unauthorized goods and services using customer accounts, and gain a competitive edge at a new employer. The cost to businesses of these attacks by disgruntled or former employees ranges from $5,000 to $3 million per incident, according to the FBI.
What are your thoughts about supply chain vulnerabilities? Is your organization concerned about counterfeit or defective parts purposefully being introduced into the supply chain? Secondly, does your organization have a plan to prevent former employees from exploiting business networks and servers?