Director of the National Counterintelligence and Security Center William Evanina weighed in on the impact of the supply chain problem on America, from an economic and intelligence standpoint, during a media session at the Symantec Government Symposium, on October 30 in Washington, D.C.
The Supply Chain Problem is Nothing New
Not much has changed, just the application of the methods, said Evanina. The impact to America is now being realized, especially the dollar value. We are starting to see that in aggregate, and we are also starting to see that as a combination where nation-state actors are starting to be less inhibited, and more aggressive in attacking our supply chain. Private industry is now making supply chain threat mitigation a big part of their corporate strategy.
Efforts From the U.S. Government to Eliminate Instances of Compromised Equipment Usage, e,g., Huawei and ZTE, in the Government Sector
The entire federal government fully understands the danger posed by Huawei and ZTE. The paradigm that we live by here in the U.S., which is that we are completely bifurcated between the government and the private sector, is not applicable in China.
Huawei and ZTE are part of the Chinese government – every business in China is part of the government, and subservient to the wishes and wants of the Ministry of State Security, and the PLA (People Liberation Army).
There’s a lot coming on the books this month, I think in November, where every single corporation in China now has to provide data to the Chinese intelligence services when asked. Imagine if we did that in the U.S., we are on a completely unlevel playing field here.
From a defensive perspective, we need to ensure that everyone understands that when you procure with Huawei and ZTE, you know what you are getting. The same thing applies with Kaspersky, a different country, but when you buy their software to install on your computer to scan for virus, you need to know who is scanning it and where they are scanning it.
If the computer you work with everyday is scanned with Kaspersky and goes back to servers in Moscow for scanning, then you should know that. Put that as a risk variable in your equation. If you are telecommuting, that is also problematic.
The other component is to have a very comprehensive program where we can create a consortium in the U.S. to compete with Huawei and ZTE. For instance, Verizon, Sprint and AT&T could corporate to create an entity that can compete with Huawei and ZTE, but in the American way.
There might be some legal changes required to accomplish some of the things mentioned, and Congress could start with certain areas.
We have very aggressive conversations with both the Senate and House, and we are working closely with Senator Warner, Senator Rubio and others, not necessarily to combat initiatives from bad actors like China, but on constructs to define what it would entail for the U.S. to have a truly public/private partnership.
To define the legal meaning of such a partnership and how to put some protections in place for the corporations from the regulatory perspective. There is an opportunity here for Congress to allow for a modernization of how we defend our country against nation states.
Issues Often go Several Subcontractors Down. Companies May not Know Their Supply Chain Travel Through Problematic Countries. How to Extricate and Unwind Business Models From Such Countries.
You can’t unwind it from a macro point, and have to start with little steps. Locate your first and second tier suppliers and start from there. Make them accountable for who they subcontract with. You don’t have to go five levels down, but deal with the first key vendor, and make them incorporate legal language in their subcontracts to protect.
Effect of Less Rigid Restrictions Around Offensive Cyber Operations on Devising Ways to Protect Supply Chain
This is a circle of life perspective, and part of the defense that we’re trying to enhance, is a good offense. In the U.S government and intelligence community, it has never been better than it is right now, but we probably have to untie the hands a little bit, and let our adversaries know they are in a game.
Right now we haven’t done that, and we’ve seen some success with some attribution that has possibly delayed some activity. At the end of the day, from an outcome-driven perspective, we need to change the behaviors of our adversaries, and that may entail being a little more offensive/aggressive.
Supply Chain Issues vs. Data Exfiltration on the Scale of Importance
They are both important issues, but I think data exfiltration is the outcome of supply chain problems. In order to exfil data out of a location, such as a computer, you need to get in first. You can get in through multiple ways, such as through spear phishing, by downloading malware, or by someone using your password, the supply chain, or an insider threat.
There are many ways to get into the computer, but the goal is to exfil data out, whether you are a competing organization or a competing nation state, it doesn’t make any difference, the goal is to get in.
Data exfiltration hasn’t slowed down in recent times, especially from an economic/espionage position. When you look at the proprietary data and trade secrets that are being stolen constantly, they don’t even make the news anymore, because they are so constant they are no longer newsworthy. This is problematic because we are becoming numb to it.
We had the GE case last month, involving a Chinese spy accessing very sensitive defense department information. From our perspective, that is a big case, because the damages will be proficient. You also have all this big cyber breaches in the Navy, Air Force, and military platforms and weapons systems. We are losing gigabytes of data to our adversaries, yet we are numb to it.
The government needs to be more transparent with talking about the damages, whether from the Iranians, Chinese, or Russians, by saying they are stealing this data, and this is the outcome.
Weighs in on Restriction of Exports to Fujian Jinhua Integrated Circuit Co Ltd by Commerce Department
We were involved in the coordination of that restriction. Nothing in China happens without the government’s permission. We can arrest people all day long here and have them plausibly say the government had nothing to with that. That is not the case in China. The intelligence community looks at it from a government perspective of a pizza pie.
The ICE and law enforcement has one slice of that, while we provide all the threat data and awareness of all that is happening into the policy framework, then you add in Treasury, Commerce and the rest, then the decision comes out to sanction, or do a policy guidance.
We want to change the behavior of our adversaries and we know that certain things work, while others don’t, so we try new things. Sanctions sometimes work, administration has their trade issues, and until we can change behaviors, we are going to have these conversations every year.
William R. Evanina is the Director of the National Counterintelligence and Security Center, an organization he has led since June 2, 2014. He serves as the head of Counterintelligence (CI) for the U.S. Government and as the principal CI and security advisor to the Director of National Intelligence.