Nation state actors are increasingly targeting cyber vulnerabilities of supply chains but the private sector is also waking up to the threat and taking steps to protect their supply chains, a senior intelligence official said on Tuesday.
Foreign countries are “being less inhibited and being more aggressive to attacking our supply chain,” William “Bill” Evanina, director of the National Counterintelligence and Security Center, said at a government symposium hosted by the cyber security company Symantec [SYMC]. He also said that, “I think private industry is now making some supply chain threat mitigation a big part of their corporate strategy, which wasn’t the case three to five years ago.”
In July, Evanina’s office for the first time released an unclassified version of its Foreign Economic Espionage in Cyberspace report, which warned that software supply chains are vulnerable to cyber security threats, particularly from nation state actors (Defense Daily, July 27). The report also warned that laws in countries such as China and Russia pose threats to U.S. technology companies, and that technology firms in adversarial nations such as China and Russia also pose threats to U.S. critical infrastructure.
Evanina said the release of the economic espionage report was an opportunity for U.S. companies to see the threat to their software supply chains for what it is. The intelligence community has obtained this threat data for years “but [we] really haven’t done a good job of exploiting that and getting it to the folks that are being penetrated to the supply chain,” he said during a media roundtable. “And for the first time ever we see the trend change to where not only do we have our adversaries penetrating our hardware, but it was the first time we were able to quantitatively say, ‘you know there’s a software quotient here, there’s an ability and a want and a will of our adversaries to hit our software before it gets implanted into things we make.’”
Evanina said at the outset of the roundtable that he and his boss, Director of National Intelligence Dan Coats, are trying to be more proactive and transparent with the media regarding cyber security threats.
The “media is part of the solution, whatever the solution is,” he said.
To thwart these types of supply chain threats, Evanina said that companies need to know their suppliers.
“We do not do a good job of understanding who supplies us with what,” he said. This means knowing every tier of supplier for a product or system, and making the first tier accountable, who in turn will make the second tier accountable, and so on down the supply chain, he said.
Whoever is servicing a product during its lifespan also needs to be understood and accountable as well, Evanina said.
“You need to ensure that your service contracts are being provided by trusted vendors and not someone who has a penetration or affiliation with a foreign nation state intelligence service,” Evanina said.
Evanina said that the economic impacts from supply chain compromises are also beginning to be realized in ways they weren’t 10 years ago, pointing to the NotPetya cyber-attack last year that cost Dutch shipping giant Maersk Group and U.S. shipping firm FedEx [FDX] at least $300 million each.
During his presentation at the symposium, Evanina said that organizations need to treat cyber security more holistically, so that basically it is a mission and is part of everyone’s jobs.
Evanina also said that federal agencies that he deals with tell him they are not receiving up to date threat information “as effectively or as efficiently as we should.” He added that’s the government’s fault and responsibility to fix. The threat data also has to be such that it is “acted upon.”
In September, Evanina said he was in Detroit meeting with Automotive Information Sharing and Analysis Center to discuss the importance of the automobile industry’s supply chains amid the development of autonomous vehicles. He said the Chinese, Iranians and North Koreans are stealing and attempting to steal autonomous vehicle technology.
“We see that every day,” he said, adding the automakers are making efforts to protect themselves.
Still, he cautioned about the potential for ransomware attacks on future fleets of unmanned vehicles causing gridlock.