



WASHINGTON (AP) - The elite Russian hackers who gained access to the computer systems of federal agencies last year did not bother to try to break into the networks of each department one by one.

Instead, they got inside by inserting malicious code into a software update sent to thousands of government agencies and private companies.

It was no surprise that hackers were able to exploit vulnerabilities in the so-called supply chain to launch a massive intelligence-gathering operation. U.S. officials and cybersecurity experts have been sounding the alarm bells for years about a problem that has wreaked havoc, including billions of dollars in financial losses, but has defied easy government and private sector solutions.

“We were going to have to wrap our arms around the supply chain threat and find the solution, not only for us here in America as the world’s largest economy, but for the planet,” William Evanina, who resigned last week as the U.S. government’s chief counterintelligence official, said in an interview. “We had to find a way to make sure that in the future we can take a zero risk posture and trust our suppliers.”

In general terms, a supply chain refers to the network of people and companies involved in the development of a particular product, not unlike a house building project that relies on a contractor and a network of subcontractors. The large number of steps in this process, from design to manufacturing to distribution, and the different entities involved, give a hacker who seeks to infiltrate businesses, agencies and infrastructure many entry points.

This can mean that no single company or executive is solely responsible for protecting the entire industry supply chain. And while most of the chain’s providers are secure, a single point of vulnerability may be all that foreign government hackers need. In practice, homeowners who build a fortress-like mansion may still find themselves victims of an alarm system that was compromised before it was installed.

The most recent case targeting federal agencies involved Russian government hackers allegedly inserting malicious code into popular software that monitors corporate and government computer networks. This product is manufactured by a Texas-based company called SolarWinds, which has thousands of customers in the federal government and the private sector.

This malware allowed hackers to remotely access the networks of several agencies. The departments of Commerce, Treasury and Justice are among those known to have been affected.

For hackers, the business model of directly targeting a supply chain makes sense.

“If you want to rape 30 companies on Wall Street, why rape 30 companies on Wall Street (individually) when you can go to the server, the warehouse, the cloud where all these companies keep their data? It’s just smarter, more efficient, more efficient at doing this,” Evanina said.

Although President Donald Trump has shown little personal interest in cybersecurity, even firing the head of the Department of Homeland Security’s cybersecurity agency just weeks before the Russian hack came to light, President Joe Biden said that he would make it a priority and impose costs on adversaries who carry out attacks.

Protecting the supply chain will likely be a key part of these efforts, and there is clearly work to be done. A December Government Accountability Office report said a review of 23 agency protocols for assessing and managing supply chain risks found that only a few had implemented each of the seven core practices and 14 had not implemented any.

US officials say the responsibility cannot lie with government alone and must involve coordination with the private sector.

But the government has tried to take action, including through decrees and rules. A provision in the National Defense Authorization Act prohibited federal agencies from contracting with companies that use goods or services from five Chinese companies, including Huawei. The government’s official counterintelligence strategy has made reducing threats to the supply chain one of the five fundamental pillars.

Perhaps the most well-known intrusion into the supply chain before SolarWinds was the NotPetya attack, in which malicious code allegedly implanted by Russian military hackers was triggered via an automatic update of Ukrainian tax-preparation software called MeDoc. This malware infected its customers and the attack caused more than $10 billion in damage globally.

The Justice Department in September indicted five Chinese hackers who it said compromised software vendors, then modified the source code to allow further hacks of the vendor’s customers. In 2018, the department announced a similar case against two Chinese hackers accused of breaking into cloud service providers and injecting malware.

“Anyone surprised by SolarWinds hasn’t paid attention,” said Representative Jim Langevin, Democrat of Rhode Island and member of the Cyberspace Solarium Commission, a bipartisan group that released a white paper calling for supply chain protection through better sharing of intelligence and information.

Part of the appeal of a supply chain attack is that it has fruit at hand, said Brandon Valeriano, a cybersecurity expert at Marine Corps University. A senior advisor to the Solarium Commission, he says it’s not really clear how scattered the networks are and that loopholes in the supply chain are not uncommon.

“The problem is, we don’t know what we were eating,” said Valeriano. “And sometimes it happens later that we choke on something – and often we choke on things.”

