Introduction
Espionage has always been a concern for the United States Federal Government. It is an activity that is as old as civilized society. However, with the dawn of the digital age and the increased reliance on networked systems, cyber espionage has become increasingly concerning. The primary threats to national security throughout the last decade have come from China, Russia, North Korea, and Iran. Each nation-state carrying its own distinct motivations behind its activities. The use of sophisticated techniques using advanced persistent threat (APT) actors has given these adversaries some measured success in gaining access to U.S. national sensitive information during this time. However, the pandemic environment has increased the attack surface with government employees needing to work from home. Data is no longer protected by the confines of the facilities and physical networks managed by the agencies it belongs to. The non-existent barrier between the Internet and sensitive information creates a challenge in protecting data.
Threat Landscape – China, Russia, North Korea, Iran
Understanding the threat landscape, including the threat actors and motivations behind the activities will assist in mapping out solutions and proactive measures that can be taken to mitigate those threats. China has been jockeying for industrial and technological superiority for many years. With the launch of its “Made in China 2025” initiative, in 2015, China is seeking to be the dominant global hub for high-tech manufacturing. Initiatives included in this program are government subsidies to existing technology companies, mobilized state-owned tech-based enterprises, and the pursuit of intellectual property acquisition to catch up with, and surpass, the current Western competitors. (McBride & Chatzky, 2019). For the purpose of this memo, the focus will be on the intellectual property acquisition portion of this Chinese initiative. China has implemented a tactic called “forced transfer agreements” for any foreign-based company interested in doing business with or in China. In effect, if a tech company or organization would like to engage in business with Chinese citizens, these agreements require the organization to share sensitive intellectual property and technological know-how with the Chinese government, or state-sponsored firms. As CFR Brad Setser has said, China has used these joint venture rules to acquire outside technologies including high-speed rail and electric vehicle batteries (Setser, 2018).
In addition to Made in China 2025, Chinese APTs are focused on gaining access to information through other tactics including hacking into various sectors of critical infrastructure. According to FireEye, as a U.S.-based cybersecurity firm, there are more than 40 documented government-backed Chinese APT groups that consistently target healthcare, telecoms, high-tech manufacturing, defense contractors, government agencies, military targets, educational organizations, as well as other strategic targets (FireEye, 2019). The mission of most of these groups is to gather intelligence for the Chinese government for the advancement of their Made in China 2025 initiative. By stealing intellectual property, they can quickly learn how to build high-tech infrastructure without inventing the resources in research and development. This cost savings allows the government to continue to provide subsidies to Chinese manufacturers.
The motivations behind Russian cyberattacks are more political in nature. The primary intent behind Russian espionage and cyber aggressive activity is to degrade the U.S. democratic values and consequently weaken our alliances. As demonstrated in the 2016 and 2020 U.S. elections, Russian-backed APTs consistently target Western European and U.S. governments, NATO, defense contractors, foreign policy groups, and other similar organizations. The espionage activity conducted by Russian APTs are highly sophisticated and use many different avenues to gain access to information, including cloud services, social media platforms, and supply chains. The most recent example of an alleged Russian-backed supply chain attack with the intent to support widespread espionage was the attack on the U.S.-based firm SolarWinds. SolarWinds’ Orion platform was boasted by the company to be installed in hundreds of thousands of end customers to monitor IT network activity. The alleged Russian-sponsored attackers specifically targeted multiple U.S. Government entities, technology firms, non-government organizations (NGOs), and higher education organizations that used the Orion platform. Investigations into this event have revealed that this was an information-gathering mission. Stolen information from victim organizations includes targeted internal documents and email, IP, internal security documents, and IT security team members. Thus far, there have been no disruptive or destructive measures taken. This attack was methodical and highly sophisticated and represents the future of cyber espionage threats. What Russia has demonstrated through this successful attack is that the supply chain is the soft underbelly of any organization. It is the one thing that an organization typically does not have control of. This is where they are going to concentrate.
The 2010 U.S.-Israeli attack on the Iranian uranium enriching centrifuges via the Stuxnet virus, which set back their enrichment program by years, set Iran on a course of cyber growth motivated by retaliation. Iran has since grown its cyber defensive and offensive capabilities flexing its cyber muscles on several occasions against the international community. The purpose of Iranian espionage activity is to gather information on specific targets. Iran has a reputation for destructive activity. Espionage activities would be orchestrated to learn about things such as transportation and logistics in an effort to subvert the supply chain of key goods and services to Iran (O’Flaherty, 2020). Rather than directly attacking the U.S. it is suspected that they would utilize their capabilities to attack U.S. interests in the Middle East. Although Iranian espionage activity does not necessarily pose a significant threat to the U.S. as Russia and China, it is certainly not to be dismissed.
Finally, it is important to recognize the North Korean cyber threat to the U.S. North Korea’s motivation for malicious cyber activity is financial. They utilize cyber-attacks against financial institutions, primarily, to garner funding for its weapons of mass destruction (WMD) and ballistic missile programs (“Guidance on the North Korean Cyber Threat,” 2020). Although North Korean cyber espionage activity is not as substantial as the threat of destruction and disruption, it is not to be completely discounted. The success of destructive and disruptive cyber-attacks relies on the collection of information and intelligence. Without a comprehensive understanding of how an organization operates, it would not be able to execute the attack with a successful outcome.
A common thread that exists amongst all four of the U.S.’s largest cyber threat nation-states is that the espionage activity is best carried out through attacking the vendor supply chain that organizations use in common. By focusing on the softer targets within the supply chain to gain access to the larger target, bad actors can hide more easily. In addition, attackers can concentrate their efforts on one main target to infiltrate many subsequent targets, as in the case of the SolarWinds attack. This type of attack is far less expensive and provides a greater reach in far less time. SolarWinds is not the only example of a supply chain attack in recent history. The 2010 “Big Hack” that was attributed to a Chinese-based contract manufacturer demonstrated that not only was software integrity at risk but hardware, as well. Super Micro was contracted by a company called Elemental to build servers for them. These servers were sold to the federal government as well as many other organizations, providing the attackers with a built-in back door to every server connected to the Internet. The attack was uncovered when the U.S. Department of Defense D0D) discovered thousands of its servers had been sending military network data to China (Robertson & Riley, 2017).
Mitigation Options
Understanding why adversaries are motivated to do what they do helps to create a mitigation plan. As it currently stands, the vendor supply chain appears to be one of the weakest links in the federal government’s cybersecurity defensive program, and the Department of DoD is all too aware of that. The United States Department of Defense (DoD) relies heavily on Defense Industrial Base Sector (DIBS) companies for services that include research and development, design, production, delivery, and maintenance of military weapons systems and subsystems, and components and parts for those systems. These companies include domestic and foreign entities with production assets located around the world. This collaboration between the DoD and DIBS contractors entails the exchange of sensitive information that should not be shared publicly, and when aggregated, could be a matter of national security. Cyber threats to the DoD supply chain are growing annually with the estimated cost of losses resulting from successful cyber-attacks to the DIBS industry approaching $600 billion annually (Lopez, 2020). Identifying how information is classified by the federal government, this paper dissects the process in which controlled unclassified information (CUI), is presently protected in non-federal systems and organizations. The proposed DoD Cybersecurity Maturity Model Certification (CMMC), when fully implemented, will help to improve the protection of CUI. It will require contractors and vendors to demonstrate a minimum level of cybersecurity maturity before they can be awarded a contract with the DoD. This program is an attempt to address cybersecurity issues at the procurement level, recognizing that the lowest bidder is not always in the best interest of the federal government.
However, the human element of cybersecurity is a limiting factor to the success of any cybersecurity program because compliance with standards does not equate to the security of information. Implementing comprehensive education programs and stringent process monitoring are also important factors in creating a successful cybersecurity program. Limiting the risk of government and vendor employees falling victim to targeted attacks using phishing and social engineering tactics, will lower the risk of network penetration.
Conclusion
Securing the nation’s supply chains across all industries is paramount to national security. The disruption of the supply of goods and services could cripple the country. Digital dependency, the reliance on foreign suppliers, and the lack of consistent cybersecurity standards across industries have created a growing chasm in the protection of intellectual property and trade secrets in both the public and private sectors. Programs such as the CMMC, when implemented properly, create a mechanism for measurable accountability in the protection of data throughout the supply chain. Improving the protection of sensitive information within the industrial supply chain will not only create more stability within U.S markets, but it will also help to further secure the nation’s critical infrastructure.
References
FireEye. (2019). Advanced Persistent Threat Groups (APT Groups). Retrieved from https://www.fireeye.com/current-threats/apt-groups.html
Guidance on the North Korean Cyber Threat. (2020, May 15). Retrieved from https://us-cert.cisa.gov/ncas/alerts/aa20-106a
Lopez, C. T. (2020, January 31). DOD to Require Cybersecurity Certification in Some Contract Bids. Retrieved from https://www.defense.gov/Explore/News/Article/Article/2071434/dod-to-require-cybersecurity-certification-in-some-contract-bids/
McBride, J., & Chatzky, A. (2019). Is ‘Made in China 2025’ a Threat to Global Trade? Council on Foreign Relations. Retrieved from https://www.cfr.org/backgrounder/made-china-2025-threat-global-trade
O’Flaherty, K. (2020, January 6). The Iran Cyber Warfare Threat: Everything You Need To Know. Retrieved from https://www.forbes.com/sites/kateoflahertyuk/2020/01/06/the-iran-cyber-warfare-threat-everything-you-need-to-know/?sh=243adfd515aa
Robertson, J., & Riley, M. (2017, October 4). The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies – Bloomberg. Retrieved from https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies
Setser, B. (2018, July 9). U.S.-China Trade War: How We Got Here. Retrieved from https://www.cfr.org/blog/us-china-trade-war-how-we-got-here?utm_medium=email&utm_source=dailybrief&utm_content=071118&sp_mid=56974456&sp_rid=ai5lbGxpb3QubWNicmlkZUBnbWFpbC5jb20S1