The National Counterintelligence and Security Center launched National Supply Chain Integrity Month with its federal partners to raise awareness about growing threats to the supply chains of the private sector and U.S. Government and to provide resources to help mitigate these risks, the Office of the Director of National Intelligence announced in a release.
“Foreign intelligence entities and other adversaries are increasingly exploiting supply chain vulnerabilities to steal America’s intellectual property, corrupt our software, and surveil our critical infrastructure,” said NCSC Director William R. Evanina.
“Bypassing our security perimeters, they’re infiltrating our trusted suppliers to target equipment, systems, and information used every day by the government, businesses, and individuals. The cost to our nation comes not only in lost U.S. innovation, jobs, and economic advantage, but also in reduced U.S. military readiness,” he added.
Throughout April, the NCSC is partnering with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Defense Department’s Center for the Development of Security Excellence (CDSE) to arm U.S. government and industry stakeholders with information about supply chain threats and risk mitigation.
NCSC has posted documents, videos, and other resources on a new supply chain page on its website at: https://www.dni.gov/index.php/ncsc-what-we-do/ncsc-supply-chain-threats. The site also provides information about threats and best practices, the recently enacted SECURE Technology Act, and the creation of the Federal Acquisition Security Council. The NCSC site also contains links to supply chain resources at DHS’ CISA, DoD’s CDSE, and the United Kingdom’s National Cyber Security Centre.
The NCSC illustrated the need for securing the supply chain by pointing to recent supply chain attacks from China and Russia which underscore this growing threat:
-- In December 2018, “APT10” cyber actors tied to China’s intelligence service were indicted by the U.S. for hacking into managed service providers, which provide cloud and IT services to businesses and governments worldwide, to steal intellectual property and confidential business data from the providers’ clients on a massive scale. The victims were major companies in a dozen countries, including Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, the U.A.E., the U.K., and the United States.
-- A January 2019 U.S. indictment against Huawei alleged that, after entering into an agreement in 2010 to supply its wireless phones to T-Mobile, Huawei’s U.S. employees began stealing data on T-Mobile’s phone-testing robot so Huawei engineers in China could try to replicate it. The charges allege Huawei even offered monthly bonuses to its employees based on the value of data they stole from competitors around the globe.
-- In March 2018, the FBI and DHS issued an alert about an ongoing intrusion campaign by Russian government cyber actors to identify and target U.S. energy sector networks. Instead of attacking the energy utilities head-on, the Russians infiltrated their trusted suppliers to gain access to and eventually surveil U.S. industrial control systems.
A center within the Office of the Director of National Intelligence, the NCSC is the nation’s premier source for counterintelligence and security expertise and a trusted mission partner in protecting America against foreign and other adversarial threats.