Amid concern that the Chinese government has infected the U.S. supply chain, a new Pentagon report says that the cybersecurity industry has not paid enough attention to protecting a foundational sector.
Most cybersecurity research is focused on cloud services, data management and other types of information systems, but security of the manufacturing industry’s supply chain has been overlooked, according to the Oct. 5 report.
“Cybersecurity has not become an ingrained norm in manufacturing, especially in small and medium-sized manufacturers,” the report said. If these issues are not addressed, the American industrial base faces even more vulnerabilities and a “substantial reduction in the number of suppliers compliant with requirements and thereby eligible to provide products and services to [the Department of Defense],” the report warned.
The 146-page report said that the vulnerability in the American manufacturing supply chain was spurred by the “infinite number of touch points” in each component, all of which could be exploited or corrupted.
The report was clear about one party believed responsible for exploiting supply chain risks in the manufacturing sector and defense industrial base. “China” is referenced 100 times in the body of the report, and is accused throughout of pilfering trade secrets and sensitive material.
Beijing “is increasingly dominating downstream value-added materials processing and associated manufacturing supply chains, both in China and increasingly in other countries,” the report said. It added that the “systemic theft of U.S. weapons systems” and forced transfer of duel-use technology “has eroded the military balance between the U.S. and China."
The report comes amid a notable rise in tension between the United States and China, and a flurry of reports suggesting that Beijing may be pilfering some of America’s most closely guarded secrets.
In early 2018, China hacked a contractor working for the Naval Undersea Warfare Center and stole more than 614 gigabytes of data, according to a report in the Washington Post.
Bloomberg reported Oct. 4 that China had infected products sold by nearly 30 firms, including Apple and Amazon, with compromised microchips. Both companies, as well as microchip manufacturer Super Micro Computer Inc., have denied the report. The Department of Homeland Security said in a statement they have “no reason to doubt the statements from the companies named in the story.”
The Chinese government denied reporting in the Bloomberg article. There did not appear to be a response from China yet to the Pentagon report; however, worries about potential supply chain breaches persist.
“The average consumer does not really understand that technologies may be sharing information to Russia, China or North Korea,” said Jennifer Bisceglie, head of Interos Solutions, a company that maps supply chain ecosystems.
“The recent Bloomberg story illustrates this exact scenario — whether it was true or not — where a Chinese chip company owned by the Chinese military could implant a sleeping chip into a board that ended up in thousands of servers inside some really big American companies.”
She said that industry standards do not secure the supply chain because they just tell bad actors how to mask themselves from detection. Instead, she argued for visualizing the origin and distribution of third-party components to see exactly who they are connected to.
“Once a business understands who and where they are sourcing from, they might change who they partner with,” Bisceglie told Fifth Domain.
On average, 51 percent of shipments to the top seven information technology suppliers originate in China, according to an April 2018 report from Interos Solutions.
Recognizing the ongoing need for threat mitigation, the U.S. government is taking action to secure products it uses.
For example, products from Kaspersky Labs, which makes antivirus software, are banned inside the federal government because of fears data can be swiped by the Russian government.
Fifth Domain also reported in August that millions of Android devices, potentially including those of government officials, were vulnerable to being taken over by hackers because of a software flaw. DHS researchers notified manufacturers of the issues.
Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.