The U.S. intelligence community has seen an increase in hackers trying to exploit supply chain vulnerabilities this year, a top intelligence official said Aug. 22.
The warning comes as federal government leaders have raised concerns about security vulnerabilities in secondary parts and software, an industry worth more than $90 billion.
“Hackers are infecting a wide range of users through official software distribution channels,” said La’Naia Jones, deputy CIO of the intelligence community, during an event sponsored by Splunk. “Users do not expect malicious code to be introduced by updates from trusted software vendors.”
She added that the vulnerabilities in the supply chain are “disrupting the way that we provide data, tools and information.”
While Jones did not identify any specific supply chain vulnerabilities, the recent cases of ZTE and Kaspersky are two well-known examples of the problem. The U.S. government has banned use of ZTE and Kaspersky products out of a fear that they are vulnerable to hacking by the Chinese and Russian governments, respectively.
Jones' warning comes a few weeks after a report that said the U.S. government's actions and knowledge regarding supply chain vulnerabilities “are not fully coordinated or shared.” That report came from MITRE, a private non-profit organization that conducts government research. “Nation-state adversaries have exploited cyber and supply chain vulnerabilities critical to U.S. security for hostile purposes,” the report said, adding that examples include industrial espionage, attacks on control systems for critical infrastructure and manipulation of software.
According to MITRE, the market for cyber insurance premiums is estimated to be worth $2.5 billion, and could rise to $7.5 billion in a few years.
Supply chains can be protected by threat awareness, identification and reduction of vulnerabilities at each stage of the life cycle and through use of a standardization process, according to NIST guidelines.
For months, the Pentagon's senior leaders have said the Department of Defense and its contractors need to take a more rigid and uncompromising approach to cybersecurity,