The past year has shown that, even in the midst of a global health crisis, hostile foreign governments will not relent in their efforts to gain an edge over the United States. For example, multiple state-sponsored cyber actors have been aggressively targeting coronavirus vaccine development through attempted cyber intrusions of American institutions. Adversaries, including but not limited to China and Russia, have sought to exploit global distress for geopolitical as well as economic advantage.
The rapid onset of the coronavirus pandemic has in some cases motivated actors seeking to steal pharmaceutical research to resort to less sophisticated methods, such as brute force attacks, which Iranian state actors or proxies appear to have conducted in an effort to steal information regarding potential treatments. With that said, there remain more sinister—and damaging—methods of attack that warrant renewed attention: those seeking to compromise technology supply chains.
Earlier in the year, the FBI publicly issued a warning about the previously active Kwampirs malware, also likely associated with Iranian government-affiliated hackers. According to the alert, these “actors gained access to a large number of global hospitals through vendor software supply chain and hardware products.”
Although there is no indication that the resurgence of Kwampirs was related to the attempted theft of coronavirus-related data, it highlights a key technique increasingly employed by malicious nation-state actors.
In July, a study reviewing dozens of supply chain cyber-attacks suggested that the pace of these incidents is increasing rapidly. Given that two of the most notable perpetrators highlighted were China and Russia, this threat is a national security issue warranting focused attention. Many existing cyber defense initiatives focus on more traditional network-delivered attacks, but events show that the supply chain presents distinct alternative vectors for adversary reconnaissance and intrusion.
The incoming Biden administration will have a chance to meet this challenge head on. To do so, they should establish a National Supply Chain Intelligence Center (NSIC) under the auspices of the existing National Counterintelligence and Security Center (NCSC). The central objective being to collect many sources of supply chain threat information and rapidly distribute it to government and industry organizations at risk.
Following the recommendations of a previous MITRE report and building on the mostly successful model of the National Counterterrorism Center, this new organization would consolidate all federal supply chain surveillance and analysis activities under one bureaucratic roof. Similarly, it would form part of the Office of the Director of National Intelligence, but be subordinate to the NCSC. Although the counterintelligence center has recently taken laudable steps in outreach and to ramp up its efforts to monitor supply chain security, a dedicated subordinate group with clear authority across the whole of government would help overcome organizational barriers and coordinate these efforts more effectively.
Furthermore, this new organization could merge with the already existing Threat Analysis Center at the Defense Intelligence Agency and assume responsibility for the intelligence collection aspects of the Department of Homeland Security’s supply chain risk management program. Doing so would overcome artificial separations between defense, intelligence, and homeland security activities as well as help to reduce duplication of effort by unifying all relevant military and civilian initiatives.
In addition to publishing best practices useful for all organizations, the NSIC could more effectively track the wide array of supply chain threats to American corporate networks, government information systems, and even military weapon programs. For example, the NSIC could advise the Defense Counterintelligence and Security Agency, which acts to protect the industrial security of cleared contractors who deal with classified information.
Unfortunately, both software and hardware supply chains are susceptible to malicious infiltration, and the NSIC will need access to all relevant sources of data to protect against efforts targeting both. As envisioned, the NSIC would enable cross-domain receipt and analysis from classified as well as unclassified sources and encourage threat reporting from commercial organizations.
Seeding an electronic virus into the supply chain in an effort to have it ride, remora-like, to its target, as appears to have happened in the case of the Kwampirs incident, is one type of software-based attack for which the NSIC would remain vigilant. Another might include hackers attempting to trick unsuspecting software developers into doing the work for them, by incorporating hidden code into target applications and environments.
A vast array of third-party libraries—often available for free on the Internet—increasingly serve critical roles in enterprise applications. Although they facilitate rapid development by providing ready-to-use modular capabilities to developers, they also introduce potentially hidden vulnerabilities into software.
A groundbreaking study released in mid-2020, appropriately entitled the “Backstabber’s Knife Collection,” found that, of the malicious software packages reviewed, the average one was available publicly for 209 days before being reported. Although it is likely that in some cases users of the packages discovered their insidious nature and quietly replaced or stopped using them, the better part of a year is a large window for an attacker to wreak havoc.
To counter such risks, the NSIC could aggregate the output of commercially-available software composition analysis tools with human and signals intelligence in order to develop a comprehensive landscape of these types of threats. This data set could then inform acquisition and security efforts across the U.S. and allied governments. The NSIC also could promote the development of improved standards and practices for software development and sustainment, such as maintaining “software bills of materials” to provide more visibility into the provenance and pedigree of components.
Such efforts would also be useful with respect to vetting physical components found in military and intelligence information systems and equipment.
Although its accuracy has since been heavily disputed, reporting from 2018 suggested that the Chinese government may have seeded corrupt hardware into U.S. corporate supply chains, including those of government contractors. Whether or not this alleged infiltration actually occurred, reputable observers have agreed that it is certainly plausible and thus it remains a credible threat.
The Internet of Things (IoT), comprising connected devices of all types, represents a hybrid software-hardware vector for infiltrating supply chains. For example, a mala fide IoT device connected to a network could cause all manner of damage, from spewing corrupted data to uploading worms to the device’s management platform. Adoption of and reliance upon IoT-enabled systems will accelerate with the deployment of 5th generation (5G) wireless communication networks, expanding potential attack surfaces and potentially aggravating the impact and injury resulting from IoT attacks.
For such cyber-physical products, the NSIC could help vet suppliers—including those multiple levels down the supply chain—and identify signatures of suspect equipment. The new organization should also advise the multi-agency Federal Acquisition Security Council to improve supply chain risk assessments and inform decisions on the exclusion of articles or sources from federal procurement.
The outgoing Trump administration has made progress in all of these areas; the national cyber and counterintelligence strategies now acknowledge the challenges of supply chain security, for example. But a more concerted and unified effort is necessary to blunt the looming menace. Consolidating all existing efforts to monitor these threats into a single organization is the best way to do so.
The United States often finds itself caught off guard in the face of unfamiliar threats, from the September 11, 2001 terrorist attacks to the coronavirus pandemic that continues to ravage the country. We should take a lesson from history and begin preparing now to face the rising tide of supply chain infiltrations by aggressive and determined adversaries.
Robert Metzger is an attorney in private practice. He served on the Defense Science Board task force that produced the 2017 “Cyber Supply Chain” Report and was a co-author of the seminal MITRE Corporation report, “Deliver Uncompromised - A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War,” released in August 2018.
Walter Haydock is a product manager at PTC, where he leads cybersecurity strategy for the ThingWorx Industrial IoT Solutions Platform. He previously served as a professional staff member for the Homeland Security Committee of the House of Representatives, as an analyst at the National Counterterrorism Center, and as an intelligence officer in the Marine Corps.
The views expressed in this article are those of the authors and do not necessarily reflect the official policy or position of the United States Government, the MITRE Corporation, or any other client or organization.