U.S. Subpoenas Chinese Telecoms in Supply Chain Risk Investigation
The U.S. Department of Commerce has subpoenaed a number of Chinese telecommunications companies to question their involvement in cyber-related national security risks, the agency said.
While newly installed Commerce Department secretary Gina Raimondo did not identify which suppliers had been summoned she confirmed that each sells telecom technology and services to the U.S. “In issuing subpoenas today, we are taking an important step in collecting information that will allow us to make a determination for possible action that best protects the security of American companies, American workers, and U.S. national security,” she said. “We hope to work cooperatively with these companies and conclude a thorough review.”
The Biden administration is “firmly committed to taking a whole-of-government approach” to combat the attempts of foreign cyber adversaries, such as China, North Korea and Russia, to steal critical information and to ensure that “U.S. technology does not support China’s or other actors’ malign activities,” Raimondo said. The White House has previously said it will build on actions taken by former President Trump to secure the U.S. IT supply chain.
Raimondo suggested that the recent hack by state sponsored Chinese cyber operatives exploiting vulnerabilities in Microsoft Exchange Server following the massive Russian SolarWinds attack had further sharpened U.S. cybersecurity urgency. Microsoft has attributed the Exchange Server campaign to the Chinese state-sponsored Hafnium crew. “Beijing has engaged in conduct that blunts our technological edge and threatens our alliances,” she said.
A new report from Finnish cybersecurity firm F-Secure said that tens of thousands of cyber attacks hitting Microsoft Exchange Server are continuing daily as hackers take aim at companies that have yet to apply a security patch to close the flaw, Antti Laatikainen, an F-Sure senior security consultant said in a F-Secure blog post. He called the attacks a “disaster in the making.”
Only half of the Exchange servers visible on the Internet have applied the Microsoft patches, Laatikianen said. “Unfortunately, installing the security patches alone does not guarantee that the server is secure, as a hacker may have breached it before the update was installed,” he said. Microsoft has installed a tool within its Defender Antivirus to determine if a server is vulnerable and to apply a mitigation answer.
“Never in the past 20 years that I’ve been in the industry, has it been as justified to assume that there has been at least a digital knock at the door for every business in the world with Exchange installed. Because access is so easy, you can assume that [a] majority of these environments have been breached,” Laatikainen said.
Last December, the Government Accounting Office (GAO) said that of 23 federal agencies it audited for a new report only a handful have implemented seven “foundational” practices for managing security risks in their supply chain. Release of the government watchdog’s report, fittingly entitled Federal Agencies Need to Take Urgent Action to Manage Supply Chain Risks, was remarkably timed to the expansive SolarWinds’ supply chain attack. Among agencies the GAO reviewed, none had fully implemented all of the practices and 14 had not implemented any. The GAO did not identify any of the 23 agencies audited in its report.