New Supply Chain Cybersecurity Threats Emerge

Amid new cybersecurity threats from China, companies must define their mission-critical vendors and review best practices with them.
Authorities are concerned the software on the phones of Chinese manufacturers, ZTE and Huawei, may have been modified for intelligence gathering.

For reasons of speed and efficiency, the U.S. government transacts electronically with important suppliers of goods and services, giving them access to specific systems to exchange routine business information. Aware of this vulnerable entry point, hackers representing nation states like China and Russia regularly attack these suppliers to infiltrate government systems.

This is old news. A novel means to penetrate the country’s cyber defenses has surfaced — Chinese-made mobile phones. The Federal Bureau of Investigation, Central Intelligence Agency, and National Security Agency have warned American consumers not to use smartphones made by ZTE and Huawei, two Chinese smartphone manufacturers. The phones’ software may have been modified for intelligence gathering.

The country’s leading national security organizations are concerned that millions of Americans could use these smartphones to buy products from a company that also sells to the government. Assuming the device is embedded with malware, the consumer may inadvertently open a back door into the supplier’s systems, the malware worming its way to the system providing access to the government. So far this year, two such supply chain attacks allegedly perpetrated by Chinese hackers have occurred, according to Crowdstrike’s 2018 Threat Report.

Attack Surface Widens

It’s not just the U.S. government susceptible to this innovative cyber attack scenario. All businesses that rely upon external suppliers to provide finished goods and services to their customers are at risk of the same outcome; hence the alarm that greeted President Trump’s recent pledge to “rescue” ZTE by ending a seven-year import ban. U.S. companies annually supply ZTE with almost $3 billion of components.

President Trump tweeted on May 13: “President Xi of China, and I, are working together to give massive Chinese phone company, ZTE, a way to get back into business, fast. Too many jobs in China lost. Commerce Department has been instructed to get it done!”

Not too fast, cybersecurity experts warn. “A growing set of threat actors are now capable of using cyber operations to remotely access traditional intelligence targets, as well as a broader set of US targets including critical infrastructure and supply chains,” William Evanina, who leads the National Counterintelligence Security Center, told the Senate Committee on Intelligence on May 15.

In this dangerous environment, CEOs must ensure their companies’ suppliers’ cyber defenses are fortified. This responsibility is now mandated in the European Union, following the May 25 implementation of the European Commission’s General Data Protection Regulation (GDPR). Prior to processing a consumer’s personal information, businesses must analyze the related data privacy and security risks of sharing this information with suppliers, vendors and outsourcing partners.

Cyber attacks against these third parties have resulted in a litany of data breaches, among them the 2013 breach of the retail chain Target, which was caused by the hacking of one of its HVAC contractors. According to the National Institute of Standards and Technology (NIST), major cyber supply chain risks are caused by:

  • Inferior information security practiced by lower-tier suppliers.
  • Third-party service providers and vendors that have virtual access to information systems.
  • Compromised hardware and software (the concern with Chinese-made smartphones).
  • Software vulnerabilities in supply chain management systems.

NIST, a physical sciences laboratory within the US Department of Commerce, advises companies to beware these threats, but concedes the impossibility of completely eliminating the risk of a data breach. “The question becomes not just how to prevent a breach, but how to mitigate an attacker’s ability to exploit the information they have accessed and how to recover from the breach,” NIST stated.

Best Practices Advised

There are ways to limit the risk of a supply chain breach. SANS Institute, a provider of cybersecurity training and related certification, recommends that businesses define their mission-critical vendors — the companies where a successful breach may have a significant impact on operations, adversely affecting revenues and client information.

The next step is to identify a primary contact at each supplier or vendor to serve as a liaison. This outside person is entrusted to oversee the supplier’s comprehensive cyber risk management program and provide periodic reports to the partnering business.

The Institute also advises that companies establish a Supplier/Vendor Risk Management Program identifying appropriate data access controls for these entities. It further recommends that companies retain the right to audit and test the cyber security controls of vendors, suppliers and other service providers.

NIST offered other best practices, such as the inclusion of the company’s cyber security practices in every RFP and contract with vendors and suppliers, and permission to go on-site at a supplier or vendor to review the organization’s cyber security practices and address perceived vulnerabilities.

With regard to post-breach actions, the best advice is to retain a third-party cyber security firm to conduct a rapid forensic investigation that identifies the breadth and scope of the breach and all affected parties. This firm can then work with IT security professionals within the business and the supplier or vendor liaisons to quickly remedy the situation.