Five Developments in ICT Supply Chain Security in August
1) Black Hat keynote puts supply chain security center stage
Despite the back-and-forth over the wisdom of in-person participation, this year’s hybrid, Las Vegas-based information security/hacker conferences Black Hat and DEFCON went off more or less as scheduled. One of the hot topics was supply chain security. (IDK, maybe information security professionals are tired of responding to emergencies at all hours of the day and just want a little preventative maintenance…?)
In his opening Black Hat keynote, security expert Matt Tait warned that 2020 had been akin to adding “rocket fuel” to the already spiraling challenge of securing the software supply chain. And, unlike other types of digital compromise, targeting the supply chain enables hackers to pump up the volume of their attacks significantly and indiscriminately, impacting tens of thousands of customers and potentially those customers’ customers.
The solution, Tait argues, is in the hands of the private sector—not the federal government. He argues that platform vendors themselves should act to prevent and/or mitigate the impact of attempted supply chain compromises—for example, limiting permissions within a system to slow or constrain an attacker’s access after a breach, requiring audits and allowing third-party scanning of apps.
For more: Here’s a short and sweet write-up of Tait’s other supply chain security talk. DEFCON also hit on supply chain security: here’s a novel presentation looking at the vulnerabilities that automated farming creates in the global food supply chain.
2) Why a Trip to Singapore and Vietnam was All About China
Supply chains were nominally a big part of the story last week in Singapore, where Vice President Kamala Harris held a roundtable with industry leaders on supply chain issues and promised a bilateral dialogue on supply chains. And in Hanoi, on the second leg of her trip, Harris’ team hit on the need for tight U.S.-regional cooperation on supply chains. It’s all about the Biden-Harris administration’s Asia security strategy, which focuses heavily on the need for alliances.
But much of the economic and security emphasis of the trip was overshadowed by recent events. Headlining in southeast Asia in the wake of the nearly complete collapse of Afghanistan’s U.S.-backed government offered opportunistic parallels for Chinese media to draw between Afghanistan and Taiwan—and for U.S. foreign policy professionals to repudiate strongly. Another opportunity came when Harris’ flight was delayed by a few hours and a Chinese envoy swooped in to offer two million doses of COVID-19 vaccine to Vietnam—shortly before Harris’ planned announcement of one million doses. Awkward. The Vietnamese prime minister tried to play it safe between the two powers, stating that Vietnam “does not ally with one country to fight against another.”
In sum, the Harris trip is a solid reminder that “working with allies” can’t just mean “when they agree with us,” and that countries will act in their best interest—which may not necessarily be America’s.
For more: Here’s a good short piece by Politico on the trip. And if you are in a position to assist displaced and refugee Afghans, here are some options.
3) All the Monies
Months of a worsening semiconductor supply chain crisis and increasing security incidents appear to have made companies open up their wallets.
On August 25, President Joe Biden held a roundtable summit with CEOs from Amazon, Apple, Intel and more to talk about cybersecurity—and specifically, how the government and private sector can work together on these issues. (It seems like we’re calling this “a whole-of-nation effort” now, rather than the oft-maligned “public-private partnership.”) The end result was plenty of action items: many with concrete amounts of dollars pledged to them.
Microsoft promised $20 billion over the next five years to incorporate security by design into their products—including $150 million in security-upgrade services to federal, state and local governments. Google vowed $10 billion to expand its zero trust programs. Companies also promised plenty of freebies: Amazon said it would make its employee security training free to the public (seminar time, anyone?) and cyber insurance provider Coalition stated it would make its risk assessment and continuous monitoring platform free.
Of course, it remains to be seen if the money and meetups will translate into improvements—or if it’s more of a feel-good exercise.
For more: Also as part of the summit, the Biden administration announced that the National Institute of Standards and Technology (NIST) would be developing yet another framework to help secure the private sector. Read about it in NextGov.
4) Going through your partner’s texts?
China and Africa. Africa and China. On the surface, it goes something like this: China invests big bucks in the continent—gaining access to new markets and increasing soft power—while African countries receive economic engagement to improve their infrastructure and promote development.
Of course, it’s never been totally smooth sailing—accusations of “debt-trap diplomacy” and neo-colonialism have been hotly debated. But a more specific fear is that China’s investments in telecommunications infrastructure on the continent will create untoward political leverage for the Chinese Communist Party (CCP).
Here are the main concerns: One, the continent’s connectivity is dangerously dependent on a single company—Chinese firm Huawei has built out some 70 percent of Africa’s 4G networks—incentivizing African leaders to avoid crossing “any of Beijing’s ‘red lines.’” And two, it’s a question of privacy. Chinese companies overseas are still subject to China’s domestic data laws—which, arguably, require them to turn over information to the CCP.
For the record, we’re not huge fans of the whole “go through your partner’s phone” kind of relationship. (Though it wouldn’t be the first such instance….) Simply put, everyone needs connectivity in the modern world. It would be in the interest of African countries as well as the United States and international community to ensure access to ICT infrastructure is secure, diversified and non-politicized.
For more: Here’s a comprehensive rundown of China’s Telecommunications Footprint in Africa from the Institute of Developing Economies Japan External Trade Organization. And here’s an analysis on the future of the bilateral relationship from the Africa Report.
5) ENISA offers some light beach reading*
*We’re definitely joking about the “light” part.
The European Union Agency for Cybersecurity (ENISA) has been hard at work during the hot summer months. In a new report last month—“Threat Landscape for Supply Chain Attacks”—ENISA endeavored to both analyze supply chain-related breaches of the past 18 months and to ask, “just how bad is this going to get?”
Bad. Just plain bad, seems to be the answer. ENISA predicts that 2021 attacks will be quadruple what they were in 2020. The attacks will likely be more international too. ENISA warned that organizations aren’t prepared to deal with the challenge—mostly because malicious actors’ techniques are evolving too quickly—and offered a whole host of recommendations for both customers and suppliers to improve awareness of supplies and suppliers. For customers, this means defining their risk criteria, single points of failure and any critical software dependencies. For suppliers, this means better documentation of risks associated with their production processes.
For more: ENISA published “Guidelines for Securing the Internet of Things” back in November. Looking to up your knowledge? Their website has an EU-wide database of cybersecurity courses.
Worth the listen:
+ Get smart in your free time: R Street Senior Fellow Bryson Bort has been hosting a podcast called Hack the Plant for almost a year about critical infrastructure and cybersecurity. Find it here and wherever you listen to podcasts.
Happy Labor Day weekend!