By Bob Kolasky, Senior Vice President Critical Infrastructure, Exiger
The New York Times recently published a front-page article outlining efforts by the Chinese government to hide malicious computer code in critical infrastructure, including communications networks. The article discussed the increasing sophistication and long-term planning of Chinese state actors in developing ways to conduct cyber-attacks by "living off the land" in infrastructure, that is, by abusing legitimate tools and access already present on the target network rather than deploying readily detectable malware, and the related concern U.S. government officials have about China's willingness to disrupt critical functions.
Many of the attacks most concerning to policymakers are supply chain attacks, in which adversaries exploit vulnerabilities, whether intentionally or unintentionally introduced, in the underlying technologies used in communications networks. Because of these concerns, supply chain risk management has been elevated to a necessary security control priority.
How can critical infrastructure companies best develop trust that the hardware and software they rely on are not being weaponized as an attack vector? That question is particularly acute for the telecommunications industry, and it is one the Telecommunications Industry Association (TIA) has addressed. In early 2022, TIA released SCS 9001, the first global Cybersecurity and Supply Chain Security Standard, to verify that networks and their supporting hardware and software components and subcomponents meet critical security benchmarks that mitigate the risk of cyber-attacks. The standard includes operational process criteria intended to ensure that vendor corporate policies and procedures inherently deliver secure products and services. The requirements laid out in SCS 9001 can also be applied to evaluate Internet of Things devices and their vendors.
As a member of TIA, Exiger applauds the new standard for advancing and maturing supply chain risk management in the Information and Communications Technology (ICT) industry. Our experience serving government, military, and commercial clients has shown that holistically addressing cyber and supply chain risk management (C/SCRM) requires more than process and governance. C/SCRM requires holding third-party vendors to a higher standard, so that they develop products and services with security built in from conception through the entire product lifecycle. We approach this problem by illuminating supply chains and identifying risks associated with supplier provenance and supplied products, including hardware and software. We then apply continuous monitoring so that an organization remains informed of supply chain threats and vulnerabilities and can act to mitigate them.
One specific example is our approach to foreign-entity threats to the telecommunications supply chain. We developed the capability to monitor and illuminate the risks and threats addressed by Section 889 of the 2019 National Defense Authorization Act. That legislation prohibited the purchase of covered telecommunications equipment and services produced by the named vendors, as well as by their subsidiaries and affiliates. Section 889 called out five vendors well known to the telecommunications industry: Huawei, ZTE, Hikvision, Hytera, and Dahua.
While the legislation applies directly only to federal government purchases, it has inspired additional regulation and risk mitigation priorities. One example is the Federal Communications Commission's prohibition on authorizing Covered Equipment, adopted because of public safety, national security, and critical infrastructure concerns.
Exiger offers tools that help companies identify where such prohibited technology sits in their supply chains. Not only have we focused on identifying supplies sourced from covered entities such as Huawei and ZTE; we have taken that work a step further and identified more than 1,360 likely subsidiaries and affiliates of the five companies named in Section 889. We actively manage this list, because it changes continuously. What is important about the latter effort is that it adds dynamic monitoring: continuously assessing other parties that may license, distribute, or white-label prohibited technologies. Knowing whether Huawei technology is in your supply chain is, of course, important; being able to detect a new supplier in your supply chain with the same risk characteristics as Huawei is equally important. That level of visibility is now possible through Exiger's risk model and dynamic entity monitoring.
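The following is an added illustration of the transitive screening idea described above; it is not Exiger's product code (which this post does not describe) and not part of the original article. It walks a small, constructed ownership and distribution graph upward from each supplier to see whether a Section 889 covered entity is reachable through subsidiary, distributor, or white-label links, and then diffs two screening runs to surface a supplier that became a concern only after a new link appeared. The covered entity names come from the text; every other company name is a fictitious placeholder, and the edges are invented for the example.

```python
"""Transitive affiliate screening over a constructed supplier graph (illustration only)."""
from collections import deque

# The five covered entities named in Section 889 (from the article).
COVERED_ENTITIES = {"Huawei", "ZTE", "Hikvision", "Hytera", "Dahua"}

# Constructed sample edges (parent, child, relationship). Every non-covered
# name is a fictitious placeholder; none of these links describes a real company.
SAMPLE_EDGES = [
    ("Huawei", "Example Holdings A", "subsidiary"),
    ("Example Holdings A", "Example Distribution B", "subsidiary"),
    ("ZTE", "Example Reseller C", "distributor"),
    ("Example Distribution B", "Example Labels D", "white-label"),
    ("Example Independent E", "Example Labels D", "supplier"),  # benign link
]


def build_parent_index(edges):
    """Map each entity to the entities that own it, distribute to it, or license to it."""
    parents = {}
    for parent, child, relationship in edges:
        parents.setdefault(child, []).append((parent, relationship))
    return parents


def trace_to_covered(entity, parents, covered=COVERED_ENTITIES, max_hops=6):
    """Breadth-first search upward from `entity`.

    Returns the shortest chain of (parent, relationship, child) edges running
    from a covered entity down to `entity`; [] if `entity` is itself covered;
    None if no covered entity is reachable within `max_hops` links.
    """
    if entity in covered:
        return []
    queue = deque([(entity, [])])
    seen = {entity}  # guards against cycles in cross-ownership data
    while queue:
        node, chain = queue.popleft()
        if len(chain) >= max_hops:
            continue
        for parent, relationship in parents.get(node, []):
            edge = (parent, relationship, node)
            if parent in covered:
                return [edge] + chain
            if parent not in seen:
                seen.add(parent)
                queue.append((parent, [edge] + chain))
    return None


def screen_suppliers(suppliers, edges, covered=COVERED_ENTITIES):
    """Return {supplier: (status, chain)} with status in {"covered", "affiliate", "clear"}."""
    parents = build_parent_index(edges)
    report = {}
    for supplier in suppliers:
        chain = trace_to_covered(supplier, parents, covered)
        if chain is None:
            status = "clear"
        elif not chain:
            status = "covered"
        else:
            status = "affiliate"
        report[supplier] = (status, chain)
    return report


def flagged(report):
    """Suppliers that are covered entities or reachable from one."""
    return {name for name, (status, _) in report.items() if status != "clear"}


def newly_flagged(previous_report, current_report):
    """Continuous-monitoring delta: suppliers flagged now that were not flagged before."""
    return flagged(current_report) - flagged(previous_report)


def describe(chain):
    """Render a chain as 'Covered [relationship] -> ... -> Supplier'."""
    if not chain:
        return "covered entity"
    return " -> ".join(f"{p} [{r}]" for p, r, _ in chain) + f" -> {chain[-1][2]}"


if __name__ == "__main__":
    suppliers = ["Example Reseller C", "Example Labels D", "Example Independent E", "Huawei"]
    # First run: before the white-label link to Example Labels D was discovered.
    before = screen_suppliers(suppliers, [e for e in SAMPLE_EDGES if e[2] != "white-label"])
    # Second run: the new link is present, so D now traces back to Huawei in three hops.
    after = screen_suppliers(suppliers, SAMPLE_EDGES)
    for name, (status, chain) in after.items():
        print(f"{name}: {status}" + (f" via {describe(chain)}" if chain else ""))
    print("newly flagged:", sorted(newly_flagged(before, after)))
```

The `max_hops` bound and the `seen` set matter on real ownership data, which is large and contains cycles of cross-holdings; the diff between two runs is what turns a one-time lookup into the monitoring the paragraph above describes.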
Reflecting on The New York Times reporting, it is clear that foreign adversary governments and affiliated actors will not stop targeting U.S. infrastructure simply because of government prohibitions; supply chain threats will be an enduring challenge. The process laid out in the SCS 9001 standard for risk analysis, identification, and treatment is crucial for telecommunications companies seeking to increase their trust in the provenance of the hardware and software used in their networks. Doing so is not a one-time effort. An ongoing, disciplined effort to monitor potentially untrustworthy vendors with linkages to prohibited equipment is a crucial component of supply chain risk management.
The ideas and views expressed in this guest blog article are those of the authors and not necessarily those of TIA or its member/participating companies. Exiger is a TIA QuEST Forum participant. TIA is technology- and company-neutral and does not endorse any one product, approach, or company over any others.