For reasons of speed and efficiency, the U.S. government transacts electronically with important suppliers of goods and services, giving them access to specific systems to exchange routine business information. Aware of this vulnerable entry point, hackers representing nation states like China and Russia regularly attack these suppliers to infiltrate government systems.
This is old news. A novel means to penetrate the country’s cyber defenses has surfaced — Chinese-made mobile phones. The Federal Bureau of Investigation, Central Intelligence Agency, and National Security Agency have warned American consumers not to use smartphones made by ZTE and Huawei, two Chinese smartphone manufacturers. The phones’ software may have been modified for intelligence gathering.
The country’s leading national security organizations are concerned that millions of Americans could use these smartphones to buy products from a company that also sells to the government. If the device carries malware, a consumer transacting with such a supplier may inadvertently open a back door into the supplier’s systems, from which the malware can work its way to the system that provides access to the government. So far this year, two such supply chain attacks allegedly perpetrated by Chinese hackers have occurred, according to Crowdstrike’s 2018 Threat Report.
Attack Surface Widens
It’s not just the U.S. government susceptible to this innovative cyber attack scenario. All businesses that rely upon external suppliers to provide finished goods and services to their customers are at risk of the same outcome; hence the alarm that greeted President Trump’s recent pledge to “rescue” ZTE by ending a seven-year import ban. U.S. companies annually supply ZTE with almost $3 billion of components.
President Trump tweeted on May 13: “President Xi of China, and I, are working together to give massive Chinese phone company, ZTE, a way to get back into business, fast. Too many jobs in China lost. Commerce Department has been instructed to get it done!”
Not too fast, cybersecurity experts warn. “A growing set of threat actors are now capable of using cyber operations to remotely access traditional intelligence targets, as well as a broader set of US targets including critical infrastructure and supply chains,” William Evanina, who leads the National Counterintelligence Security Center, told the Senate Committee on Intelligence on May 15.
In this dangerous environment, CEOs must ensure their companies’ suppliers’ cyber defenses are fortified. This responsibility is now mandated in the European Union, following the May 25 implementation of the European Commission’s General Data Protection Regulation (GDPR). Prior to processing a consumer’s personal information, businesses must analyze the related data privacy and security risks of sharing this information with suppliers, vendors and outsourcing partners.
Cyber attacks against these third parties have resulted in a litany of data breaches, among them the 2013 data breach of retail store chain Target caused by the hacking of a vendor HVAC contractor. According to the National Institute of Standards and Technology (NIST), major cyber supply chain risks are caused by:
- Inferior information security practiced by lower-tier suppliers.
- Third-party service providers and vendors that have virtual access to information systems.
- Compromised hardware and software (the concern with Chinese-made smartphones).
- Software vulnerabilities in supply chain management systems.
NIST, a physical sciences laboratory within the US Department of Commerce, advises companies to beware of these threats, but concedes the impossibility of completely eliminating the risk of a data breach. “The question becomes not just how to prevent a breach, but how to mitigate an attacker’s ability to exploit the information they have accessed and how to recover from the breach,” NIST stated.
Best Practices Advised
There are ways to limit the risk of a supply chain breach. SANS Institute, a provider of cybersecurity training and related certification, recommends that businesses define their mission-critical vendors — the companies where a successful breach may have a significant impact on operations, adversely affecting revenue and client information.
The next step is to identify a primary contact at each supplier or vendor to serve as a liaison. This outside person is entrusted to oversee the supplier’s comprehensive cyber risk management program and provide periodic reports to the partnering business.
The Institute also advises that companies establish a Supplier/Vendor Risk Management Program identifying appropriate data access controls for these entities. It further recommends that companies retain the right to audit and test the cyber security controls of vendors, suppliers and other service providers.
NIST offered other best practices, such as the inclusion of the company’s cyber security practices in every RFP and contract with vendors and suppliers, and permission to go on-site at a supplier or vendor to review the organization’s cyber security practices and address perceived vulnerabilities.
With regard to post-breach actions, the best advice is to retain a third-party cyber security firm to conduct a rapid forensic investigation that identifies the breadth and scope of the breach and all affected parties. This firm can then work with IT security professionals within the business and the supplier or vendor liaisons to quickly remedy the situation.