U.S. intelligence to share supply chain threat reports with industry

Focus expected to be on bad actors to pre-empt attacks, not just signatures in existing attacks

The U.S. National Counterintelligence and Security Center will soon provide classified supply chain threat reports to critical U.S. telecommunications, energy and financial businesses.

The effort is designed to reduce threats against a vast private supply chain of equipment and services that could result in the theft of vital data or disrupt operations in critical systems. Supply chain threats are not well understood by security professionals, yet the supply chain is relatively easy to manipulate by foreign governments like Russia and China, as well as criminal gangs, hackers and even disgruntled workers, according to NCSC officials.

The Office of the Director of National Intelligence described the threats to private sector supply chains in a press release on Thursday and released a video on supply chain risk management.

The video urges companies to include a member of the company’s acquisition division in planning sessions to defend against cyberattacks. It also urges companies to know their suppliers and whether they are associated with adversaries of the U.S., and from which vendors those companies purchase parts.

The NCSC, in the statement, said it will provide “threat briefings to government partners and eventually to industry.” NCSC officials could not be reached for more details, but the statement referred to a Bloomberg interview that said the threat reports would begin in about two months through secure channels and would include the context behind hacking attacks, such as whether another country is responsible.

Threat reports against a company’s supply chain will likely be welcomed by many U.S. companies, considering the variety and number of attacks that can occur. One company, Verizon, said on Friday it has long recognized the importance of keeping its supply chain reliable and secure.

“We devote considerable attention to that effort,” said David Samsung, a Verizon spokesman, via email. “We welcome the government’s efforts to share timely and actionable information about threats to supply chain security.”

Duke Energy’s Managing Director of Cybersecurity Hafid Elabdellaoui said the utility welcomes the “opportunity for intelligence sharing, especially when the information comes from government agencies who have extensive knowledge of threats and potential threats within U.S. borders and around the world.”

Gartner analyst Avivah Litan called the government’s plan to share supply-chain threat reports “a really important initiative.”

“This is one area that the federal government pays attention to while private industry generally does not,” she added. “Many of the threats to the U.S. supply chain are perpetrated by nation-states like China and Russia who use weaknesses and vulnerabilities in the supply chain to infiltrate U.S. infrastructure and systems.”

She said private companies typically focus on preventing and detecting known attacks that started long ago, but not on pre-empting them. “It’s a very good thing for U.S. intelligence agencies to bring information that can pre-empt attacks. This is probably one of the most useful activities our government can engage in to help protect U.S. infrastructure.”

Litan said only a handful of security companies focus on pre-empting attacks by finding criminal perpetrators and then uncovering how they act well before they strike. “This is the first initiative I have heard of that specifically targets U.S. supply chains across the board with the same intent,” she added.

U.S. intelligence officials are likely using data-mining tools to discover threats against supply chains in the darknet. By contrast, most threat intelligence companies don’t look for perpetrators and instead look for key words or IP addresses, malware or URLs that provide signatures, or they contribute to blacklists that can help private companies prevent attacks already started in another industry or another part of the world.

U.S. intelligence officers are also likely to use electronic surveillance techniques to focus on suspicious groups, then monitor what individuals in the groups are chatting, emailing or talking about, Litan said. “U.S. intelligence is more focused on the people and finding out the bad guys and government actors and accomplices, then seeing what they talk about and the traces they leave behind. They might be talking about infiltrating routers or polluting a manufacturing process.”


Stories by Matt Hamblen
