The U.S. National Counterintelligence and Security Center will soon provide classified supply chain threat reports to critical U.S. telecommunications, energy and financial businesses.
The effort is designed to reduce threats against a vast private supply chain of equipment and services that could result in the theft of vital data or disrupt operations in critical systems. Supply chain threats are not well understood by security professionals, yet the supply chain is relatively easy for foreign governments like Russia and China, as well as criminal gangs, hackers and even disgruntled workers, to manipulate, according to NCSC officials.
The Office of the Director of National Intelligence described the threats to private sector supply chains in a press release on Thursday and released a video on supply chain risk management.
The video urges companies to include a member of the company’s acquisition division in planning sessions to defend against cyberattacks. It also urges companies to know their suppliers and whether they are associated with adversaries of the U.S., and from which vendors those companies purchase parts.
The NCSC, in the statement, said it will provide “threat briefings to government partners and eventually to industry.” NCSC officials could not be reached for more details, but the statement referred to a Bloomberg interview that said the threat reports would begin in about two months through secure channels and would include the context behind hacking attacks, such as whether another country is responsible.
Reports on threats to a company’s supply chain will likely be welcomed by many U.S. companies, considering the variety and number of attacks that can occur. One company, Verizon, said on Friday it has long recognized the importance of keeping its supply chain reliable and secure.
“We devote considerable attention to that effort,” said David Samsung, a Verizon spokesman, via email. “We welcome the government’s efforts to share timely and actionable information about threats to supply chain security.”
Duke Energy’s Managing Director of Cybersecurity Hafid Elabdellaoui said the utility welcomes the “opportunity for intelligence sharing, especially when the information comes from government agencies who have extensive knowledge of threats and potential threats within U.S. borders and around the world.”
Gartner analyst Avivah Litan called the government’s plan to share supply-chain threat reports “a really important initiative.”
“This is one area that the federal government pays attention to while private industry generally does not,” she added. “Many of the threats to the U.S. supply chain are perpetrated by nation-states like China and Russia who use weaknesses and vulnerabilities in the supply chain to infiltrate U.S. infrastructure and systems.”
She said private companies typically focus on preventing and detecting known attacks that started long ago, but not on pre-empting them. “It’s a very good thing for U.S. intelligence agencies to bring information that can pre-empt attacks. This is probably one of the most useful activities our government can engage in to help protect U.S. infrastructure.”