One only needs to scan recent headlines to understand that the threat to U.S. critical infrastructure is pervasive, persistent, and a significant national security concern. A U.S. energy company lost more than $1 billion in shareholder equity and half of its global workforce after its proprietary technology was stolen by a Chinese firm. A global maritime company that transports much of the world’s shipping cargo was brought to its knees for days, and lost more than $300 million after Kremlin-backed hackers implanted malware in accounting software belonging to an unrelated company in Ukraine. The popular software cleanup tool CCleaner was victimized by a massive, worldwide attack on its software supply chain that infected 2.2 million customers with a backdoor. Hackers specifically targeted 18 companies, including Google, Microsoft, Sony, and Intel. These examples underscore the escalating asymmetric attacks against companies in critical infrastructure areas such as the financial, energy, information technology, and communications sectors.
Such destructive attacks are often carried out by hostile foreign intelligence services that execute blended operations, fusing attacks in four areas: cyber technology; supply chains; cyber-physical (cyber systems that control physical functions such as power stations); and people, either witting or unwitting. China, Russia, Iran, and North Korea pose the greatest cyber threats to the United States. Advances in technology such as wireless and the Internet of Things introduce new vulnerabilities, increase the risk of compromise, and provide adversaries more venues for attack.
Innovative technology is being built and fielded at an unprecedented rate with little or no security protection. The complexity of technological advances—both in the tools themselves and the methods used to compromise them—requires much greater technical and cyber awareness, and new cybersecurity mitigations, than was required even five years ago. In mitigating these risks, it’s important to understand that threats to cyberspace and the supply chain are often intertwined. There is a cyber threat to your supply chain and a supply chain threat to your cyber operation. Attacks occur throughout the supply chain life cycle, from development through sustainment.