President Trump astounded many in Washington on Sunday by vowing to rescue ZTE, the Chinese manufacturer whose mobile phones are viewed as a security threat by the U.S. intelligence community. America’s own spies have been warning that China and other potential adversaries might seek to weaken U.S. security through the electronic goods and services it buys.
“The most critical CI threats cut across these threat actors: influence operations, critical infrastructure, supply chain, and traditional as well as economic espionage. Regional actors such as Iran and North Korea, and nonstate actors such as terrorist groups, transnational criminal organizations, and hackers/hacktivists are growing in intent and capability,” William Evanina, who leads the National Counterintelligence Security Center, told the Senate Intelligence Committee on Tuesday. “For example, a growing set of threat actors are now capable of using cyber operations to remotely access traditional intelligence targets, as well as a broader set of U.S. targets including critical infrastructure and supply chain, often without attribution.”
Evanina declined to slam Trump’s decision on ZTE, but said, “I will say that the intelligence community is on the record about the threat posed by Chinese telecom.” Asked whether he would use a ZTE phone, Evanina answered, “I would not.”
The government’s efforts to better manage security risks to the government and military supply chain go back a decade. They include a 2015 best-practices report from the National Institute of Standards and Technology, and a requirement in the 2018 defense authorization act that the Pentagon develop a better process for supply-chain security.
But the risk is growing and there’s no simple solution, according to Joyce Corell, the assistant director for supply chain at the National Counterintelligence and Security Center, or NCSC.
“The software supply chain is clearly being used as a threat vector,” Corell said.
“Both of these back-door attacks on legitimate applications point to China-nexus threat actors, and used the technique of compiling malware directly into the compromised software,” the company notes. “Similarities between these attacks, such as command-and-control tactics and code overlaps, suggest they are connected to the same threat actor.”
One reason such attacks will grow more common: the government’s renewed emphasis on more obvious forms of cybersecurity, such as protection against remote penetration attacks and phishing attacks, which Corell referred to as “perimeter” attacks. Now that the low-hanging fruit is disappearing, adversaries are focusing their attacks on the supply chain. “How do you get around a hardened perimeter? You subvert a supply chain,” she said.
Corell said reducing supply chain risk is more difficult and complicated than just sending buggy pieces of hardware or software to the IT department. Because supply chain management touches acquisition and other aspects of management and business, organizations need a team of people across disciplines to tackle the risk, she said.
“We’re seeing an evolution in what I call a need for integrated risk reduction, where you bring together all the lines of business that need to be at the table. You can no longer push your risk decision down to your [chief security officer] or just leave it in the hands of the [chief technical officer]. You need to know what your enterprise risk is. And you need to address all types of risk from an integrated risk reduction perspective,” she said. That might include experts in trade law federal acquisition and government authorities. “Sometimes you need an expert in every one of those to help you assemble a risk-strategy approach.”
Most important, managing the future of supply chain risk is not something you do once and then you are you done. Like a good health regimine, it requires lots of consistent attention and maintenance.