The federal government is getting serious about product supply chain cybersecurity. A newly introduced bipartisan bill would require federal agencies to closely scrutinize products for supply chain cybersecurity risks before buying them.
The proposed legislation, sponsored by Sens. Claire McCaskill (D-Missouri) and James Lankford (R-Oklahoma), would also establish a cross-agency Federal Acquisition Security Council stocked with agency experts in supply chain risk management, acquisitions, or information technology to develop procurement specifications. Agencies would be required to assess new and existing equipment for supply chain vulnerabilities.
“We can’t simply respond to supply chain threats piecemeal, we’ve got to have a system in place to assess these risks across the government,” McCaskill said.
It’s safe to say that Congressional legislators want to avoid another episode like the one in which Congress took up and subsequently banned Kaspersky Lab security products from use in federal agencies over concerns that the company had alleged ties to the Russian government. (Kaspersky has denied the claims.) Along those lines, both the House and the Senate have backed provisions to bar deployment of Huawei and ZTE products on federal government systems.
Earlier this year, the Department of Homeland Security initiated a project to identify significant supply chain cybersecurity threats and explore mitigation strategies. And, in May, the U.S. Department of Defense (DoD) released a matrix detailing and prioritizing 110 security requirements that contract suppliers must meet or risk seeing their deals cancelled.
Last August, attackers planted a backdoor, dubbed ShadowPad, in popular server management software used by hundreds of companies, in what Kaspersky said was one of the largest known supply chain attacks. Had the threat not been detected and patched, it could have reached hundreds of organizations worldwide, including organizations in banking, education, energy, manufacturing, telecommunications and transport.
Meanwhile, China-based hackers known as Thrip are attacking satellite, telecom and defense companies in the U.S. and Southeast Asia, according to Symantec researchers. The security provider said the hackers likely are engaged in cyber espionage.
“Perhaps the most worrying discovery we made was that Thrip had targeted a satellite communications operator,” Symantec said in a blog post. “The attack group seemed to be particularly interested in the operational side of the company, looking for and infecting computers running software that monitors and controls satellites. This suggests to us that Thrip’s motives go beyond spying and may also include disruption.”