The U.S. National Counterintelligence and Security Center will soon provide classified supply chain threat reports to critical U.S. telecommunications, energy and financial businesses.
The effort is designed to reduce threats against a vast private supply chain of equipment and services that could result in the theft of vital data or disrupt operations in critical systems. Supply chain threats are not well understood by security professionals, yet the supply chain is relatively easy to manipulate by foreign governments like Russia and China, as well as criminal gangs, hackers and even disgruntled workers, according to NCSC officials.
The Office of the Director of National Intelligence described the threats to private sector supply chains in a press release on Thursday and released a video on supply chain risk management.
The video urges companies to include a member of the company’s acquisition division in planning sessions to defend against cyberattacks. It also urges companies to know their suppliers and whether they are associated with adversaries of the U.S,. and from which vendors those companies purchase parts.
The NCSC, in the statement, said it will provide “threat briefings to government partners and eventually to industry.” NCSC officials could not be reached for more details, but the statement referred to a Bloomberg interview that said the threat reports would begin in about two months through secure channels and would include the context behind hacking attacks, such as whether another country is responsible.
Threat reports against a company’s supply chain will likely be welcomed by many U.S. companies, considering the variety and number of attacks that can occur. One company, Verizon, said on Friday it has long recognized the importance of keeping its supply chain reliable and secure.
“We devote considerable attention to that effort,” said David Samsung, a Verizon spokesman, via email. “We welcome the government’s efforts to share timely and actionable information about threats to supply chain security.”
Duke Energy’s Managing Director of Cybersecurity Hafid Elabdellaoui said the utility welcomes the “opportunity for intelligence sharing, especially when the information comes from government agencies who have extensive knowledge of threats and potential threats within U.S. borders and around the world.”
Gartner analyst Avivah Litan called the government’s plan to share supply-chain threat reports “a really important initiative.”
“This is one area that the federal government pays attention to while private industry generally does not,” she added. “Many of the threats to the U.S. supply chain are perpetrated by nation-states like China and Russia who use weaknesses and vulnerabilities in the supply chain to infiltrate U.S. infrastructure and systems.”
She said private companies typically focus on preventing and detecting known attacks that started long ago, but not on pre-empting them. “It’s a very good thing for U.S. intelligence agencies to bring information that can pre-empt attacks. This is probably one of the most useful activities our government can engage in to help protect U.S. infrastructure.”
Litan said only a handful of security companies focus on pre-empting attacks by finding criminal perpetrators and then uncovering how they act well before they strike. “This is the first initiative I have heard of that specifically targets U.S. supply chains across the board with the same intent,” she added.
U.S. intelligence officials are likely using data-mining tools to discover threats against supply chains in the darknet. By contrast, most threat intelligence companies don’t look for perpetrators and instead look for key words or IP addresses, malware or URLs that provide signatures, or they contribute to blacklists that can help private companies prevent attacks already started in another industry or another part of the world.
U.S. intelligence officers are also likely to use electronic surveillance techniques to focus on suspicious groups, then monitor what individuals in the groups are chatting, emailing or talking about, Litan said. “U.S. intelligence is more focused on the people and finding out the bad guys and government actors and accomplices, then seeing what they talk about and the traces they leave behind. They might be talking about infiltrating routers or polluting a manufacturing process.”