U.S. intelligence experts are warning of the risks of major cyberattacks on the technology operating throughout businesses’ supply chains, according to BBC reports Thursday (July 26), raising alarms for enterprises that increasingly rely on software to function and interact with their business partners.
A report by the U.S. National Counterintelligence and Security Center (NCSC), titled “The Foreign Economic Espionage Report,” warns that cyber attackers could infiltrate the software supply chain, and pointed to China, Russia and Iran as the most capable of such an event. Indeed, cyberattacks have already “threatened critical infrastructure,” the BBC reported. The NCSC described last year as a “watershed” with seven significant cyberattacks on the software supply chain — there were only four such events between 2014 and 2016, analysts noted.
“Software supply chain infiltration is one of the key threats that corporations need to pay attention to, particularly how software vulnerabilities are exploited,” said NCSC Director William Evanina, who is also the nation’s top counterintelligence official. “To get around increasingly hardened corporate perimeters, cyber-actors are targeting supply chains. The impacts to proprietary data, trade secrets and national security are profound.”
The report pointed to several events that have already occurred, including a version of computer cleaning program CCleaner. Reports emerged last September that a “booby-trapped” version of the solution was spreading, allowing attackers to take advantage of access gained by the program. In another scenario, analysts pointed to the NotPetya attack, in which attackers used accounting and tax software to target Ukraine.
Unsurprisingly, the report also mentioned Kaspersky Lab and the risks of foreign enterprise technology companies that work closely with corporates and governments in the U.S.
“New foreign laws and increased risks posed by foreign technology companies, due to their ties to host governments, may present U.S. companies with previously unforeseen threats,” the BBC report stated. The U.S. Department of Homeland Security advised U.S. federal agencies last year to remove Kaspersky Lab products due to cyber threats.