U.S. intelligence agencies are rolling out an exclusive cybersecurity information sharing initiative where American telecommunications, energy and financial services businesses will begin to receive classified threat intelligence reports about hackers who are targeting supply chain operations.
Led by the National Counterintelligence and Security Center, news of the information sharing plan follows a meeting between NCSC Director William Evanina and U.S. telecommunication industry leaders in Washington last month.
A complimentary video published Thursday by NCSC also highlights the importance of supply chain security to mitigate threats associated with the theft of intellectual property, trade secrets and research and development methods.
“The supply chain is the interconnected web of people, processes, technology, information and resources that deliver a product or service,” the NCSC video describes.
The aforementioned classified threat intelligence papers will reportedly begin being distributed to U.S. critical infrastructure developers via “secure channels” in two months, Bloomberg reports.
NCSC, which is under purview of the Office of the Director of National Intelligence, did not respond to FedScoop’s request for comment.
The latest information sharing initiative is part of a broader campaign to raise awareness about the risks associated with poor supply chain security, Evanina told Bloomberg.
Thursday’s announcement represents a continued warning by the U.S. government to be wary about where basic, electronic components — like microchips — in their finished products are manufactured.
U.S. companies whose supply chains rely on services and products developed in countries that have proven hostile to the U.S., including Russia, China and Iran, should be especially vigilant, U.S. lawmakers have previously warned.
A 2012 House Intelligence Committee report, for example, cautioned U.S. companies from depending on electronic components manufactured by two of China’s leading technology firms, Huawei Technologies and ZTE Corp, due to the risk of embedded software and hardware that could enable surveillance capabilities.
Executives overseeing the Chinese corporations, however, have consistently denied allegations they are influenced by China’s communist government.
U.S. businesses should know where their “stuff is coming from,” Evanina told Bloomberg.
“You might have the best software and cybersecurity programs, but if you don’t have the same due diligence and understanding of the threat for the people who buy the systems that run your buildings and facilities, you’re running the risk of potential compromise,” he said.
But even with the very best threat intelligence available, most businesses will struggle to secure their supply chain processes, said Faizel Lakhani, president and COO of cybersecurity company SS8 — a firm which counts many of the world’s largest intelligence agencies, telecommunications providers and critical infrastructure developers as clients.
“The effort is notable and validates how elusive today’s cyber threats are, and how problematic data breach detection is. But it begs a couple of questions. Will businesses have the time [to react based on an intel report]? And, will it actually help them stop a breach or data exfiltration,” Lakhani said in an email to FedScoop.
“Providing the information is one thing, but doing the actual detection and response of threats is an ongoing practice,” he said, “The intelligence is constantly changing and organizations need automation that takes in the latest intelligence on an ongoing basis and applies it to history to really understand if a compromise has happened and if data is being transmitted.”