Up Front: The U.S. government is taking a more aggressive role in protecting software supply chains from infiltration, as its public-private cyber lead agency announces new initiatives to share information and improve response to cyber threats.
The Department of Homeland Security announced the launch of its new National Risk Management Center (NRMC) this week in an effort to better connect government agencies with private entities to stay ahead of cyber threats; among the fastest growing of those threats is the vulnerability of software supply chains.
The new NRMC initiative includes an Information and Communications Technology (ICT) Supply Chain Task Force, which will focus specifically on drawing on government and private-sector talent to detect security weaknesses in compromised software that is affecting a number of critical sectors.
Bottom Line: The government and private sectors have been grappling with how to detect and address infiltrations of software, including software used to protect the country's critical infrastructure, against the backdrop of a marked increase in the number of software infiltrations affecting both the government and the private sector.
Background: There have been a number of initiatives across government to deal with the problem recently, ranging from Congress, where the House Homeland Security Committee recently approved the Securing the Homeland Security Supply Chain Act (HR 6430), to the Pentagon's recent establishment of a 'do not buy list' that blocks the DoD from doing business with vendors that use software code originating from Russia or China. DoD officials admit it is often difficult to identify vendors who use Russia- or China-based code, primarily because holding companies are used to mask a particular vendor's true origin.
Chris Inglis, Former Deputy Director, NSA
"Supply chains are increasingly important for at least two reasons. First, as vendors and operators harden critical system components at the leading edge of service delivery, adversaries are increasingly turning to supply chain exploitation to attack these systems upstream of the main cyber defenses. Second, the continued interleave of embedded sensors (the so-called things in the Internet of Things) makes it harder to create and defend hard boundaries between critical and noncritical components, increasing the dependency of overall system security on the array of subsystems that feed it critical sensing and data services."
Rick Ledgett, Former Deputy Director, NSA
"Supply chain vulnerabilities are a significant risk in national security systems or for those who provide information and products that relate to defense, communications, security, and, increasingly, financial systems. Vulnerabilities can be in software, hardware, and the provision of services like maintenance, operational and technical support, and managed security services."
A report issued last week by the National Counterintelligence and Security Center (NCSC) highlighted supply chain vulnerability as a top issue in need of attention. The Foreign Economic Espionage Report notes a marked increase in the number of infiltrations occurring via supply chain vulnerabilities in 2017.
“Last year represented a watershed in the reporting of software supply chain operations. In 2017, seven significant events were reported in the public domain compared to only four between 2014 and 2016,” according to the report. “As the number of events grows, so too do the potential impacts. Hackers are clearly targeting software supply chains to achieve a range of potential effects to include cyber espionage, organizational disruption, or demonstrable financial impact:
- Floxif infected 2.2 million CCleaner customers worldwide with a backdoor. The hackers specifically targeted 18 companies and infected 40 computers to conduct espionage to gain access to Samsung, Sony, Asus, Intel, VMware, O2, Singtel, Gauselmann, Dyn, Chunghwa and Fujitsu.
- Hackers corrupted software distributed by the South Korea-based firm Netsarang, which sells enterprise and network management tools. The backdoor enabled downloading of further malware or theft of information from hundreds of companies in the energy, financial services, manufacturing, pharmaceuticals, telecommunications and transportation industries.
- A tweaked version of M.E. Doc was infected with a backdoor to permit the delivery, via software from the Ukrainian accounting firm, of a destructive payload disguised as ransomware. This attack, which was attributed to Russia, paralyzed networks worldwide, shutting down or affecting operations of banks, companies, transportation, and utilities. The cost of this attack to FedEx and Maersk was approximately $300 million each.
- A malware operation dubbed Kingslayer, targeted system administrator accounts associated with U.S. firms to steal credentials in order to breach the system and replace the legitimate application and updates with a malware version containing an embedded backdoor. Although it is not known which and how many firms were ultimately infected, at least one U.S. defense contractor was targeted and compromised.”
Chris Inglis, Former Deputy Director, NSA
"Supply chains are challenging to defend for several reasons. First, supply chains are seldom stable or dedicated to one end user. The mix of subsystems, software and even data that supplies a given critical system varies over time and is often interleaved in servicing other customers who may have differing requirements. Second, even if it were possible to bear the expense and effort to stabilize a given supply chain, ownership is spread across many parties whose abilities, let alone willingness, to impose supply-chain discipline will vary greatly. Finally, most supply chains are often driven by cost or performance efficiencies, with security taking a back seat, if it gets any attention at the component level of a given supply chain."
Tom Donahue, Former Senior Director for Cyber Operations, National Security Council
"The subversion of a software supply chain, as described in recent U.S. Government warnings [1], [2], offers an adversary potential access across an entire customer base, typically behind the perimeter defenses. As Microsoft demonstrated recently [3], the best protection against such subversion is digitally signed code, which, in turn, highlights the critical importance of protecting signing keys."
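The two halves of Donahue's point, that a signature check blocks a tampered update but is only as good as the secrecy of the signing key, can be shown in a few lines. The following is an added example, not code from Donahue, Microsoft, or any of the vendors named on this page: a Go program using the standard library's Ed25519 and SHA-256 to sign a release artifact and run the client-side check a secure updater performs. The type and function names (Release, NewPublisherKey, SignRelease, VerifyRelease, Implant) and the artifact and backdoor bytes are constructed for illustration; a real updater would pin the publisher key in the client and fetch the signature alongside the download.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Release is an update artifact plus the publisher's detached signature,
// the shape a client receives from an update server or download mirror.
type Release struct {
	Artifact  []byte
	Signature []byte
}

// NewPublisherKey generates the publisher's Ed25519 key pair. The public
// half is pinned in the client; the private half is the signing key whose
// protection the quote above stresses. (Constructed for this example.)
func NewPublisherKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS entropy source is unavailable
	}
	return pub, priv
}

// SignRelease produces a detached signature over the SHA-256 digest of the
// artifact, as a build/release pipeline would do once per release.
func SignRelease(priv ed25519.PrivateKey, artifact []byte) Release {
	digest := sha256.Sum256(artifact)
	return Release{Artifact: artifact, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyRelease is the client-side check: install only if the signature over
// the received artifact's digest verifies under the pinned publisher key.
func VerifyRelease(pub ed25519.PublicKey, r Release) bool {
	if len(r.Signature) != ed25519.SignatureSize {
		return false // malformed or truncated signature
	}
	digest := sha256.Sum256(r.Artifact)
	return ed25519.Verify(pub, digest[:], r.Signature)
}

// Implant models a compromised build server or distribution channel: the
// attacker appends a backdoor to the artifact but can only reuse the
// original signature, because the private key is not in their hands.
func Implant(r Release, backdoor []byte) Release {
	tampered := append(append([]byte(nil), r.Artifact...), backdoor...)
	return Release{Artifact: tampered, Signature: r.Signature}
}

func main() {
	pub, priv := NewPublisherKey()

	// Constructed stand-ins for a real installer and an injected backdoor.
	artifact := []byte("installer-v5.33 legitimate bytes")
	backdoor := []byte("\x00MALICIOUS_PAYLOAD")

	legit := SignRelease(priv, artifact)
	fmt.Println("legitimate release verifies:", VerifyRelease(pub, legit)) // true

	tampered := Implant(legit, backdoor)
	fmt.Println("tampered release verifies:  ", VerifyRelease(pub, tampered)) // false

	// If the signing key is stolen (or the build server signs whatever it is
	// fed), the attacker obtains a valid signature over the backdoored
	// artifact and the client check cannot tell it from a genuine release.
	resigned := SignRelease(priv, tampered.Artifact)
	fmt.Println("stolen-key release verifies:", VerifyRelease(pub, resigned)) // true
}
```

The third case is the one the CCleaner, Netsarang and M.E. Doc incidents above turn on: the signature check defends the download path, not the signing step itself. Keeping the private key in an HSM or signing service that only signs reproducible, reviewed builds is what makes the verification on the client meaningful.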
Rick Ledgett, Former Deputy Director, NSA
"There are many recent examples of supply chain vulnerabilities in the public domain. In 2015, according to several publications, Juniper's Netscreen router software was compromised, purportedly by a foreign nation state actor that hacked into the company. The compromised software weakened the encryption on routers used by many companies and governments, including the U.S. A more recent and better known case was the ban by the U.S. Government on Kaspersky anti-virus software, over concerns that the software provided a way for the Russian government to access computers on which it was installed."
Moving Forward: The action plan for the U.S. government focuses on information sharing, promoting best practices, risk assessments, improving response to incidents, partnering with allies and driving the market toward a “more secure cyber ecosystem”.
The ICT Supply Chain Task Force is betting that closer communication and coordination between government and the private sector will lead to a stronger response and defense. The task force will develop recommendations for action aimed at addressing key threats.