As supply chains become increasingly digitized, nation states are targeting the weakest cybersecurity links in those supply chains to steal massive amounts of invaluable intellectual property.
With that issue in mind, the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the Department of Defense (DOD) have designated April of 2019 to be Supply Chain Integrity Month. The three agencies are partnering to promote awareness of supply chain security by, among other things, making available videos and other materials outlining the best practices that organizations doing business with the Federal government should be implementing to protect intellectual property.
At the same time, the three agencies also noted that supply chain breaches are now being investigated much more vigorously. Last December, members of a so-called “APT10” group allegedly tied to China’s intelligence service were indicted by the U.S. for hacking into multiple IT services providers to steal intellectual property and confidential business data from their clients. Victims included major companies in a dozen countries, including Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, the U.A.E., the U.K., and the United States.
Earlier this year, a U.S. indictment against Huawei alleged that, after entering into an agreement in 2010 to supply its wireless phones to T-Mobile, Huawei’s U.S. employees began stealing data on T-Mobile’s phone-testing robot so Huawei engineers in China could try to replicate it. The charges allege Huawei even offered monthly bonuses to its employees based on the value of data they stole from competitors around the globe.
The Department of Homeland Security is also now issuing alerts concerning attacks on specific sectors. In March of last year, the FBI and DHS issued an alert about an ongoing intrusion campaign launched by the Russian government against the U.S. energy sector. Instead of targeting the energy utilities head-on, the alert notes, Russian agents infiltrated trusted suppliers to gain ongoing access to industrial control systems.
Even smaller countries are getting into the act. Cybercriminals allegedly working on behalf of Vietnam, for example, have been accused of targeting supply chains in the automotive sector.
Unfortunately, things may get even worse from a cybersecurity perspective. Many business leaders are driving major digital supply chain initiatives without clearly mapping out how all the inherent cybersecurity issues should be addressed. Arguably, the most surprising thing about the lack of cybersecurity effort is the fact that countries stealing intellectual property from one another is hardly a new concept. Countries have been engaged in industrial espionage since the dawn of time. What has changed is that the value of the property being stolen is now measured in trillions of dollars. Those thefts not only ruin companies; they also mean that the jobs that innovation would have created never materialize. The impact on a national economy can be devastating.
Of course, it’s not like cybersecurity professionals needed any more pressure. But at the very least it might be comforting to know that a lot of that pressure is now being much more evenly distributed across the entire organization. The challenge and opportunity cybersecurity professionals face now is turning all that increased awareness into an actual mandate for meaningful cybersecurity change.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.