A new report from the intelligence community warns that software supply chains, foreign laws in China and Russia, and foreign technology companies that are linked to their governments pose emerging threats to the cyber security of U.S. critical infrastructure.
In 2017 there were seven significant security events worldwide related to software supply chains versus four each in 2014 and 2016, a “watershed” in number of reported cyber incidents through this threat vector, says the report, 2018 Foreign Economic Espionage in Cyberspace Report, which was prepared by the National Counterintelligence and Security Center within the Office of the Director of National Intelligence.
“As the number of events grows, so too are the potential impacts,” the 20-page report says. “Hackers are clearly targeting software supply chains to achieve a range of potential effects to include cyber espionage, organizational disruption, or demonstrable financial impact.”
The Department of Justice recently issued a report warning of cyber vulnerabilities within the technology supply chain and the House Homeland Security Committee the week of July 22 approved a bill aimed at strengthening the cyber security of federal agencies’ supply chains.
The report also says laws in some countries—citing China and Russia in particular—might, and in some cases, provide access to technology and even intellectual property of U.S. and foreign companies as a condition of exporting to or operating within their countries.
“For example, in 2017, China and Russia aggressively enforced laws that bolstered their domestic companies at the expense of U.S. companies and also might allow their companies access to U.S. intellectual property and proprietary information,” the report says.
The issue of the technology of foreign companies being used as a potential backdoor by foreign governments to steal U.S. government data and proprietary information of U.S. companies has become larger in the past two years, highlighted by the U.S. ban on Russian firm Kaspersky Lab’s cyber security products on government networks and concerns that Chinese telecommunications firms Huawei and ZTE pose potential cyber threats.
“This presents a risk to U.S. trade secrets and intellectual property,” the report warns. “These companies provide valuable services that often require access to the physical and logical control points of the computers and networks they support. These unique accesses also present an opportunity for foreign countries to obtain sensitive proprietary information.”
The report also outlines espionage threats posed by China, Russia and Iran, saying they “will remain aggressive and capable collectors of sensitive U.S. economic information and technologies, particularly in cyberspace.” It also says that countries that are close to the U.S. conduct cyber espionage against America to get technology, trade secrets, intellectual property and other data.
Sectors of the U.S. economy that are the most targeted are energy and alternative energy, biotechnology, defense technology, environmental protection—which includes area such as green building materials and hybrid and electric cars—high-end manufacturing, and information and communications technology.
“Our goal in releasing this document is simple: to provide U.S. industry and the public with the latest unclassified information on foreign efforts to steal U.S. trade secrets through cyberspace,” William Evanina, director of the National Counterintelligence Security Center, said in a statement on July 26. “Building an effective response to this tremendous challenge demands understanding economic espionage as a worldwide, multi-vector threat to the integrity of both the U.S. economy and global trade.”