The intelligence community on Thursday launched a "call to action" to strengthen U.S. supply chains against threats posed by foreign adversaries, which officials say pose "unique counterintelligence and security threats."
The National Counterintelligence and Security Center (NCSC) within the Office of the Director of National Intelligence, along with the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), the Federal Communications Commission (FCC), and the Department of Defense's Center for the Development of Security Excellence have partnered to "raise awareness" of threats to U.S. supply chains and share information on risk mitigation with the public.
"If the COVID-19 pandemic and resulting product shortages were not a sufficient wake-up call, the recent software supply chain attacks on U.S. industry and government should serve as a resounding call to action," acting NCSC Director Michael Orlando said. "We must enhance the resilience, diversity and security of our supply chains."
He added: "The vitality of our nation depends on it."
The agencies also are partnering with the National Association of State Procurement Officials and the National Association of Counties for what the NCSC is calling the "4th annual National Supply Chain Integrity Month."
The intelligence community said a number of factors affect U.S. supply chains, including production shortages, trade disruptions and natural disasters, but warned that "actions by foreign adversaries to exploit vulnerabilities in U.S. supply chains pose unique counterintelligence and security threats."
NCSC said that foreign adversaries are increasingly using companies and trusted suppliers as "attack vectors" against the U.S. for espionage, information theft and sabotage. Officials warned that those actions compromise the products and services that "underpin America's government and industry" and warned of the effects — "lost intellectual property, jobs, economic advantage, and reduced military strength."
NCSC explained the recent SolarWinds compromise brought greater public attention to software supply chain attacks, but said that it is only the latest example in a range of attacks in the past few years.
In February, according to NCSC, U.S. charges were unsealed against North Korean military hackers for cybercrimes that concluded cryptocurrency schemes supported by software supply chain attacks.
Last October, six members of Russian military intelligence were indicted for multiple cybercrimes, including the 2017 NotPetya software supply chain attack that "crippled banks, commerce, utilities, and logistics worldwide."
And last September, NCSC said U.S. charges were unsealed against Chinese hackers for targeting more than 100 companies worldwide, including software providers. NCSC said the hackers modified providers' software code for "further cyber intrusions" against customers worldwide to steal data and business information.
NCSC said this week that software supply chain attacks are "particularly insidious" because they "erode the basic trust between consumers and software providers," and warned that customers should be "wary" of even basic cyber tasks, saying that "authorized resources may be compromised."
As for addressing the threats, NCSC said that organizations and companies should work to diversify their supply chains, while strengthening partnerships with government and industry on threat information, but acknowledged there "is no single, silver-bullet solution to immunize America against supply chain threats."
NCSC said it is critical for U.S. companies to communicate across their organization, and establish training awareness programs, as well as identify critical systems, networks and establish ways to mitigate and minimize any attempted disruption or attack.
The efforts from the intelligence community to educate on supply chain threats come after President Biden signed an executive order in February to direct a 100-day review of supply chains in four areas — computer chips, large capacity batteries, pharmaceuticals and critical minerals and rare earth materials.
The order will directed six sector reviews to be completed in one year focused on defense, public health and biological preparedness, information and communications technology, transportation, energy and food production.
Intelligence and national security officials, as well as lawmakers on both sides of the aisle, have warned that China poses a threat to the U.S. supply chain, but the executive order did not mention China, or single out China, but instead focuses on other vulnerabilities.
"We are not singling out any country by name in the executive order," one senior administration official said at the time. "We see an effort to build strong and resilient supply chains across a range of critical products and sectors, and those vulnerabilities are capacity, single point of failure, potential for environmental disaster."
The official added that they are "intending to look with this review and address a range of different vulnerabilities," specifically at where the U.S. is "excessively dependent on competitor nations" including China.