1) Black Hat keynote puts supply chain security center stage
Despite the back-and-forth over the wisdom of in-person participation, this year’s hybrid, Las Vegas-based information security/hacker conferences Black Hat and DEFCON went off more or less as scheduled. One of the hot topics was supply chain security. (IDK, maybe information security professionals are tired of responding to emergencies at all hours of the day and just want a little preventative maintenance…?)
In his opening Black Hat keynote, security expert Matt Tait warned that 2020 had been akin to adding “rocket fuel” to the already spiraling challenge of securing the software supply chain. And, unlike other types of digital compromise, targeting the supply chain enables hackers to pump up the volume of their attacks significantly and indiscriminately, impacting tens of thousands of customers and potentially those customers’ customers.
The solution, Tait argues, is in the hands of the private sector—not the federal government. He argues that platform vendors themselves should act to prevent and/or mitigate the impact of attempted supply chain compromises—for example, limiting permissions within a system to constrain access after a breach, requiring audits and allowing third-party scanning of apps.
For more: Here’s a short and sweet write-up of Tait’s other supply chain security talk. DEFCON also hit on supply chain security: here’s a novel presentation looking at the vulnerabilities created by automated farming to the global food supply chain.
2) Why a Trip to Singapore and Vietnam was All About China
Supply chains were nominally a big part of the story last week in Singapore, where Vice President Kamala Harris held a roundtable with industry leaders on supply chain issues and promised a bilateral dialogue on supply chains. And in Hanoi, on the second leg of her trip, Harris’ team hit on the need for tight U.S.-regional cooperation on supply chains. It’s all about the Biden-Harris administration’s Asia security strategy, which focuses heavily on the need for alliances.
But much of the economic and security emphasis of the trip was overshadowed by recent events. Headlining in southeast Asia in the wake of the nearly complete collapse of Afghanistan’s U.S.-backed government offered opportunistic parallels for Chinese media to draw between Afghanistan and Taiwan—and for U.S. foreign policy professionals to repudiate strongly. Another opportunity came when Harris’ flight was delayed by a few hours and a Chinese envoy swooped in to offer two million doses of COVID-19 vaccine to Vietnam—shortly before Harris’ planned announcement of one million doses. Awkward. The Vietnamese prime minister tried to play it safe between the two powers, stating that Vietnam “does not ally with one country to fight against another.”
In sum, the Harris trip is a solid reminder that “working with allies” can’t just mean “when they agree with us,” and that countries will act in their best interest—which may not necessarily be America’s.
3) All the Monies
Months of a worsening semiconductor supply chain crisis and increasing security incidents appear to have made companies open up their wallets.
On August 25, President Joe Biden held a roundtable summit with CEOs from Amazon, Apple, Intel and more to talk about cybersecurity—and specifically, how the government and private sector can work together on these issues. (It seems like we’re calling this “a whole-of-nation effort” now, rather than the oft-maligned “public-private partnership.”) The end result was plenty of action items: many with concrete amounts of dollars pledged to them.
Microsoft promised $20 billion over the next five years to incorporate security by design into their products—including $150 million in security-upgrade services to federal, state and local governments. Google vowed $10 billion to expand its zero trust programs. Companies also promised plenty of freebies: Amazon said it would make its employee security training free to the public (seminar time, anyone?) and cyber insurance provider Coalition stated it would make its risk assessment and continuous monitoring platform free.
Of course, it remains to be seen if the money and meetups will translate into improvements—or if it’s more of a feel-good exercise.
For more: Also as part of the summit, the Biden administration announced that the National Institute of Standards and Technology (NIST) would be developing yet another framework to help secure the private sector. Read about it in NextGov.
4) Going through your partner’s texts?
China and Africa. Africa and China. On the surface, it goes something like this: China invests big bucks in the continent—gaining access to new markets and increasing soft power—while African countries receive economic engagement to improve their infrastructure and promote development.
Of course, it’s never been totally smooth sailing—accusations of “debt-trap diplomacy” and neo-colonialism have been hotly debated. But a more specific fear is that China’s investments in telecommunications infrastructure on the continent will create untoward political leverage for the Chinese Communist Party (CCP).
Here are the main concerns: One, the continent’s connectivity is dangerously dependent on a single company—Chinese firm Huawei has built out some 70 percent of Africa’s 4G networks—incentivizing African leaders to avoid crossing “any of Beijing’s ‘red lines.’” And two, it’s a question of privacy. Chinese companies overseas are still subject to China’s domestic data laws—which, arguably, require them to turn over information to the CCP.
For the record, we’re not huge fans of the whole “go through your partner’s phone” kind of relationship. (Though it wouldn’t be the first such instance….) Simply everyone needs connectivity in the modern world. It would be in the interest of African countries as well as the United States and international community to ensure access to ICT infrastructure is secure, diversified and non-politicized.
For more: Here’s a comprehensive rundown of China’s Telecommunications Footprint in Africa from the Institute of Developing Economies Japan External Trade Organization. And here’s an analysis on the future of the bilateral relationship from the Africa Report.
5) ENISA offers some light beach reading*
*We’re definitely joking about the “light” part.
The European Union Agency for Cybersecurity (ENISA) has been hard at work during the hot summer months. In a new report last month—“Threat Landscape for Supply Chain Attacks”—ENISA endeavored to both analyze supply chain-related breaches of the past 18 months and to ask, “just how bad is this going to get?”
Bad. Just plain bad, seems to be the answer. ENISA predicts that 2021 attacks will be quadruple what they were in 2020. The attacks will likely be more international too. ENISA warned that organizations aren’t prepared to deal with the challenge—mostly because malicious actors’ techniques are evolving too quickly—and offered a whole host of recommendations for both customers and suppliers to improve awareness of supplies and suppliers. For customers, this means defining their risk criteria, single points of failure and any critical software dependencies. For suppliers, this means better documentation of risks associated with their production processes.
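Here is what “defining single points of failure and critical software dependencies” can look like in practice, as an added illustration that is not part of ENISA’s report or of this newsletter. It takes a small, constructed software inventory (every component, supplier and service name below is made up), builds the dependency graph, and reports the things a customer would want on paper before the next supply chain incident: which components every critical service transitively relies on, which components and which suppliers every critical service has in common (the single points of failure), how many critical services a compromise of each dependency would reach, and how concentrated the critical dependencies are on one supplier.

```python
"""Dependency-inventory analysis (constructed example, not ENISA's tooling).

Builds a dependency graph from a hand-written inventory, then flags the items
a customer is asked to define: critical software dependencies (everything a
critical service transitively relies on), single points of failure (a
component or supplier that every critical service relies on), the blast
radius of each dependency, and supplier concentration.
"""
from collections import defaultdict

# Constructed inventory: component -> supplier, direct dependencies, and whether
# the component is a business-critical service. All names are hypothetical.
INVENTORY = {
    "billing-api":     {"supplier": "in-house", "critical": True,  "deps": ["auth-lib", "http-client", "db-driver"]},
    "customer-portal": {"supplier": "in-house", "critical": True,  "deps": ["auth-lib", "http-client", "ui-kit"]},
    "internal-wiki":   {"supplier": "VendorW",  "critical": False, "deps": ["http-client"]},
    "auth-lib":        {"supplier": "VendorA",  "critical": False, "deps": ["crypto-lib"]},
    "http-client":     {"supplier": "VendorB",  "critical": False, "deps": ["tls-lib"]},
    "db-driver":       {"supplier": "VendorC",  "critical": False, "deps": ["tls-lib"]},
    "ui-kit":          {"supplier": "VendorD",  "critical": False, "deps": []},
    "crypto-lib":      {"supplier": "VendorA",  "critical": False, "deps": []},
    "tls-lib":         {"supplier": "VendorA",  "critical": False, "deps": []},
}


def transitive_deps(inventory, name, seen=None):
    """Return every component `name` relies on, directly or indirectly."""
    if seen is None:
        seen = set()
    for dep in inventory[name]["deps"]:
        if dep not in seen:
            seen.add(dep)
            transitive_deps(inventory, dep, seen)
    return seen


def critical_services(inventory):
    """Names of the components marked business-critical."""
    return [name for name, meta in inventory.items() if meta["critical"]]


def critical_dependencies(inventory):
    """Union of everything any critical service depends on."""
    deps = set()
    for svc in critical_services(inventory):
        deps |= transitive_deps(inventory, svc)
    return deps


def single_points_of_failure(inventory):
    """Components and suppliers that sit under *every* critical service.

    Losing (or having to distrust) one of these takes all critical services
    down at once, which is what makes it a single point of failure.
    """
    shared_components = None
    shared_suppliers = None
    for svc in critical_services(inventory):
        deps = transitive_deps(inventory, svc)
        suppliers = {inventory[d]["supplier"] for d in deps}
        shared_components = deps if shared_components is None else shared_components & deps
        shared_suppliers = suppliers if shared_suppliers is None else shared_suppliers & suppliers
    return {
        "components": sorted(shared_components or ()),
        "suppliers": sorted(shared_suppliers or ()),
    }


def blast_radius(inventory):
    """For each dependency, the critical services affected if it were compromised."""
    radius = defaultdict(set)
    for svc in critical_services(inventory):
        for dep in transitive_deps(inventory, svc):
            radius[dep].add(svc)
    return {dep: sorted(services) for dep, services in radius.items()}


def supplier_concentration(inventory):
    """How many critical dependencies each supplier is responsible for."""
    counts = defaultdict(int)
    for dep in critical_dependencies(inventory):
        counts[inventory[dep]["supplier"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("critical services:", critical_services(INVENTORY))
    print("critical dependencies:", sorted(critical_dependencies(INVENTORY)))
    print("single points of failure:", single_points_of_failure(INVENTORY))
    print("blast radius:", blast_radius(INVENTORY))
    print("supplier concentration:", supplier_concentration(INVENTORY))
```

On the constructed inventory, the report shows the two critical services share four components and two suppliers, and that one supplier (VendorA) is behind three of the six critical dependencies; that is the kind of fact a risk criterion (“no single supplier behind more than N critical dependencies”, “every critical path must have a second source”) can then be written against.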
Worth the listen:
+ Get smart in your free time: R Street Senior Fellow Bryson Bort has been hosting a podcast called Hack the Plant for almost a year about critical infrastructure and cybersecurity. Find it here and wherever you listen to podcasts.
Happy Labor Day weekend!
- “hot”: https://www.ktnv.com/news/excessive-heat-on-the-way-back-for-las-vegas-area
- “rocket fuel”: https://www.blackhat.com/us-21/briefings/schedule/#keynote-supply-chain-infections-and-the-future-of-contactless-deliveries-24987
- “Tait argues, is in the hands of the private sector”: https://www.youtube.com/watch?v=RlNbpF_f2NI
- “short and sweet write-up”: https://www.darkreading.com/vulnerabilities---threats/why-supply-chain-attacks-are-destined-to-escalate/d/d-id/1341588
- “novel presentation”: https://threatpost.com/connected-farms-food-supply-chain-hack/168547/
- “promised a bilateral dialogue on supply chains”: https://www.bloomberg.com/news/articles/2021-08-23/harris-announces-new-u-s-supply-chain-initiative-with-singapore?srnd=markets-vp
- “hit on the need”: https://www.whitehouse.gov/briefing-room/statements-releases/2021/08/25/fact-sheet-strengthening-the-u-s-vietnam-comprehensive-partnership/
- “focuses heavily”: https://www.whitehouse.gov/wp-content/uploads/2021/03/NSC-1v2.pdf
- “Chinese media to draw”: https://www.globaltimes.cn/page/202108/1231933.shtml
- “repudiate”: https://foreignpolicy.com/2021/08/23/taiwan-afghanistan-china-biden-us-reputation/
- “strongly”: https://nationalinterest.org/feature/afghanistan-today-not-taiwan-tomorrow-192300
- “delayed”: https://www.cnn.com/2021/08/24/politics/kamala-harris-vietnam/index.html
- “swooped in to offer two million doses of COVID-19 vaccine to Vietnam”: https://www.washingtonpost.com/world/asia_pacific/kamala-harris-vietnam-china-coronavirus/2021/08/25/77e51efa-0564-11ec-b3c4-c462b1edcfc8_story.html
- “good short piece”: https://www.politico.com/news/2021/08/24/kamala-harris-china-singapore-pacific-506675
- “are”: https://www.humanrightsfirst.org/resource/resources-afghan-evacuation
- “some”: https://www.pbs.org/newshour/nation/how-you-can-help-afghan-refugees-arriving-to-the-u-s
- “options”: https://www.rescue.org/country/afghanistan
- “plenty of action items”: https://www.whitehouse.gov/briefing-room/statements-releases/2021/08/25/fact-sheet-biden-administration-and-private-sector-leaders-announce-ambitious-initiatives-to-bolster-the-nations-cybersecurity/
- “Coalition”: https://www.coalitioninc.com/origin
- “feel-good exercise”: https://insidecybersecurity.com/daily-news/industry-sources-cite-missing-pieces-white-house-cyber-event-major-water-company
- “Read about it in NextGov.”: https://www.nextgov.com/cybersecurity/2021/08/white-house-tasks-nist-producing-another-cybersecurity-framework/184868/
- “China invests big bucks”: https://thediplomat.com/2021/08/chinas-presence-in-africa-is-at-heart-political/
- “smooth sailing”: https://www.csis.org/analysis/where-africa-china-relationship-headed-2021
- “debt-trap diplomacy”: https://qz.com/africa/1915076/how-bad-is-africas-debt-to-china/
- “neo-colonialism”: https://thediplomat.com/2020/11/is-china-a-new-colonial-power/
- “political leverage”: https://www.voanews.com/economy-business/analysts-china-expanding-influence-africa-telecom-network-deals
- “70 percent of Africa’s 4G networks”: https://www.atlanticcouncil.org/blogs/africasource/the-digital-infrastructure-imperative-in-african-markets/
- “any of Beijing’s ‘red lines.’”: https://www.voanews.com/economy-business/analysts-china-expanding-influence-africa-telecom-network-deals
- “require them to turn over information to the CCP”: https://www.cnbc.com/2019/03/05/huawei-would-have-to-give-data-to-china-government-if-asked-experts.html
- “wouldn’t be the first”: https://www.washingtonpost.com/world/europe/nsa-spying-macron-merkel/2021/05/31/b4b13940-c22f-11eb-89a4-b7ae22aa193e_story.html
- “China’s Telecommunications Footprint in Africa”: https://www.ide.go.jp/English/Data/Africa_file/Manualreport/cia_09.html
- “the Africa Report”: https://www.theafricareport.com/98171/chinas-relationship-with-africa-goes-deeper-than-just-resource-extraction/
- “Threat Landscape for Supply Chain Attacks”: https://www.enisa.europa.eu/publications/threat-landscape-for-supply-chain-attacks
- “quadruple”: https://portswigger.net/daily-swig/four-fold-increase-in-software-supply-chain-attacks-predicted-in-2021-report
- “international”: https://portswigger.net/daily-swig/four-fold-increase-in-software-supply-chain-attacks-predicted-in-2021-report
- “organizations aren’t prepared to deal with the challenge”: https://www.zdnet.com/article/supply-chain-attacks-are-getting-worse-and-you-are-not-ready-for-them/
- “recommendations”: https://www.enisa.europa.eu/news/enisa-news/understanding-the-increase-in-supply-chain-security-attacks
- “Guidelines for Securing the Internet of Things”: https://www.enisa.europa.eu/publications/guidelines-for-securing-the-internet-of-things
- “EU-wide database of cybersecurity courses”: https://www.enisa.europa.eu/topics/cybersecurity-education/education-map/
- “here”: https://www.rstreet.org/issue/hack-the-plant-podcast/