US intelligence to help companies avert supply-chain hacking
By CHRIS STROHM | Bloomberg | Published: August 10, 2016
U.S. intelligence officials are planning to provide information including classified threat reports to companies about the risks of hacking and other crimes tied to the supplies and services they buy.
The effort is part of a new campaign by the National Counterintelligence and Security Center to raise awareness that vulnerable supply chains give China, Russia and other governments — as well as criminals, hackers and disgruntled employees — the opportunity to steal sensitive information or disrupt operations.
"You'd be shocked to find out how many people really don't know where their stuff comes from," William Evanina, the nation's top counterintelligence official and director of the center, said in an interview. "The supply chain threat is one that's the least talked about but is the easiest to manipulate for all aspects of our daily lives."
The program will be targeted toward U.S. telecommunications, energy and financial businesses, so government threat reports may soon be offered to companies such as Verizon Communications, Duke Energy and Bank of America.
It's a risk that last drew wide public attention when hackers broke into Target Corp.'s payment network in 2013 by stealing login credentials from a company that provided heating and air conditioning services.
The intelligence campaign to secure supply chains, which begins on Thursday, is aimed not only at cyber attacks but also at hands-on crime, such as stealing or sabotaging sensitive equipment. The telecoms, energy and finance sectors are being prioritized because of their strategic and economic importance, Evanina said.
"If you can control those or manipulate those sectors, that's the bedrock of our capitalist supremacy around the world," Evanina said. His office, part of the Office of the Director of National Intelligence, also is developing a supply chain risk management blueprint for other government agencies, which could be used by companies too.
As part of the new effort, Evanina's office released a video emphasizing that acquisition and procurement personnel need to be a full part of a company's security efforts.
While businesses may welcome free government intelligence on supply-chain risks, the Pentagon has already learned that companies may resist taking full responsibility for the security of their supply chains.
The Defense Department was forced to delay a requirement that as many as 10,000 of its contractors document that they and their suppliers have systems to protect sensitive information.
The delay until Dec. 31, 2017 was granted after companies said they needed more time to comply, despite evidence that supply chains have been breached. A 2014 report from the Senate Armed Services Committee found that Chinese-backed hackers infiltrated the computer networks of airline, shipping and information technology companies responsible for transporting personnel and weapons for the U.S. military.
The new threat reports, which could start going out in about two months, will provide intelligence and context behind hacking attacks and other activity, such as whether another country is responsible and the likely motivation, Evanina said. The reports will be provided to industry through established, secure channels.
The Chinese government has stolen secrets from U.S. agencies and companies in order to gain a competitive advantage, while Russians want to deliver defective parts into U.S. supply chains that could cause disruptions to military capabilities, Evanina said.
"Oftentimes we get lost in putting the fire out," he said. "At the end of the day, to stop the fire we have to find out who's lighting it."
Companies can take many steps to help secure their supply chains, such as doing simple online research into businesses they plan to buy from, working with the FBI and Homeland Security Department, or adding security requirements to contracts, Evanina said.
"Know where your stuff is coming from," Evanina said. "You might have the best software and cybersecurity programs, but if you don't have the same due diligence and understanding of the threat for the people who buy the systems that run your buildings and facilities, you're running the risk of potential compromise."