Instead, they got inside by sneaking malicious code into a software update pushed out to thousands of government agencies and private companies.
That hackers were able to exploit vulnerabilities in the supply chain to launch a massive intelligence gathering operation wasn't especially surprising.
“We’re going to have to wrap our arms around the supply-chain threat and find the solution, not only for us here in America as the leading economy in the world, but for the planet,”
In general terms, a supply chain refers to the network of people and companies involved in the development of a particular product, not dissimilar to a home construction project that relies on a contractor and a web of subcontractors. The sheer number of steps in that process, from design to manufacture to distribution, and the different entities involved give a hacker looking to infiltrate businesses, agencies and infrastructure numerous points of entry.
That can mean no single company or executive bears sole responsibility for protecting an entire industry supply chain. And even if most vendors in the chain are secure, a single point of vulnerability can be all that foreign government hackers need. In practical terms, homeowners who construct a fortress-like mansion can nonetheless find themselves victimized by an alarm system that was compromised before it was installed.
The most recent case targeting federal agencies involved Russian government hackers who are believed to have inserted malicious code into popular software that monitors computer networks of businesses and governments. That product is made by a
The malware gave hackers remote access to the networks of multiple agencies. Among those known to have been affected are the departments of Commerce,
For hackers, the business model of directly targeting a supply chain is sensible.
“If you want to breach 30 companies on
Though President
Supply chain protection will presumably be a key part of those efforts, and there is clearly work to be done. A Government Accountability Office report from December said a review of 23 agencies' protocols for assessing and managing supply chain risks found that only a few had implemented each of seven “foundational practices” and 14 had implemented none.
But the government has tried to take steps, including through executive orders and rules.
A provision of the National Defense Authorization Act for fiscal year 2019 barred federal agencies from contracting with companies that use goods or services from five Chinese companies, including Huawei. The government's formal counterintelligence strategy for 2020 to 2022 made reducing threats to key
Perhaps the best-known supply chain intrusion before
The
“Anyone surprised by
Part of the appeal of a supply chain attack for hackers is that it’s “low-hanging fruit,” with the
“The problem is we basically don’t know what we’re eating,” Valeriano said. “And sometimes it comes out later that we choke on something.”