FOR IMMEDIATE RELEASE

October 1, 2020

NCSC Unveils New Supply Chain Risk Management Guidance
Exploitation of supply chains by foreign adversaries is a growing threat to America

The National Counterintelligence and Security Center (NCSC) today released a new tri-fold document, Supply Chain Risk Management: Reducing Threats to Key U.S. Supply Chains, to help private sector and U.S. Government stakeholders mitigate risks to America’s critical supply chains.  As part of Cybersecurity Awareness Month, NCSC is working to raise awareness of supply chain attacks, including those that are cyber-enabled.

The tri-fold highlights supply chain risks, introduces a process for supply chain risk management, and establishes three focus areas to reduce threats to key U.S. supply chains.  The document also outlines key tools and technologies to protect each stage of the supply chain lifecycle, from design to retirement.

“Enhancing supply chain security across government and industry is a key pillar of the National Counterintelligence Strategy of the United States 2020-2022 and, with the COVID-19 pandemic, it has never been more important to increase awareness of the threats and provide mitigation.  By issuing this guidance, we seek to equip industry and government with a roadmap and essential concepts for reducing their supply chain risks,” said NCSC Director Evanina.

“Exploitation of our supply chains by foreign adversaries – especially when executed in concert with cyber intrusions and insider threat activities – represents a direct and growing threat to strategically important U.S. economic sectors and critical infrastructure,” added Director Evanina.

As noted in the tri-fold, the increased reliance on foreign-owned or controlled hardware, software, or services as well as the proliferation of networking technologies, has created vulnerabilities in our nation’s supply chains.  By exploiting these vulnerabilities, our adversaries could compromise essential products and services that underpin America’s government and industry, or even disrupt critical networks, systems or weapons platforms in a time of crisis.

Recent software supply chain attacks underscore the threat:

• In September 2020, the Justice Department announced charges against Chinese nationals who were members of a cyber group known as Advanced Persistent Threat (APT)-41 for targeting more than 100 victim companies and individuals in the United States and around the world to facilitate the theft of source code, software code signing certificates, customer account data, and valuable business information.  The APT-41 defendants associated with Chengdu 404 Network Technology, a Chinese company, employed sophisticated hacking techniques, including supply chain attacks in which they compromised software providers around the world and then modified the providers’ code to install “back doors” that enabled further hacks against the providers’ customers. One of the defendants allegedly boasted that he was “very close” to China’s Ministry of State Security. See: https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer

• In July 2020, the FBI warned U.S companies in the healthcare, chemical, and finance sectors of potential targeting activity by the Chinese government against their business and operational components in China through Chinese-government mandated tax software. As early as March 2019, at least two Western companies operating in China detected malware that was delivered through Chinese vendors responsible for releasing tax software upgrades following changes in 2018 to China’s value-added tax (VAT).  According to the FBI, the malware launched a backdoor into victim systems, which the FBI assesses likely allows cyber actors to preposition to conduct remote code execution and exfiltration activities on the victim’s network. See: https://www.ic3.gov/media/news/2020/200728.pdf

• In May 2020, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom's National Cyber Security Centre (NCSC) issued a joint warning that Advanced Persistent Threat (APT) cyber actors were targeting organizations involved in COVID 19 research and responses, including through potential attacks on their supply chains.  "Organizations involved in COVID 19-related research are attractive targets for APT actors looking to obtain information for their domestic research efforts into COVID 19-related medicine," the alert noted.  “These organizations’ global reach and international supply chains increase exposure to malicious cyber actors.  Actors view supply chains as a weak link that they can exploit to obtain access to better-protected targets.  Many supply chain elements have also been affected by the shift to remote working and the new vulnerabilities that have resulted." See: https://us-cert.cisa.gov/ncas/alerts/AA20126A

 NCSC has posted the tri-fold along with other documents, videos, and resources on its supply chain web page.  Among other things, the web page provides information on threats and best practices, the SECURE Technology Act, the Federal Acquisition Security Council and other data.  The NCSC web page also contains links to supply chain resources at CISA, the Department of Defense Center for the Development of Security Excellence, and the UK’s NCSC.

A center within the Office of the Director of National Intelligence, the NCSC is the nation’s premier source for counterintelligence and security expertise and a trusted mission partner in protecting America against foreign and other adversarial threats.

 
# # #