As Nation-State Hacking Becomes 'More In Your Face,' Are Supply Chains Secure?

Interview: Former US Air Force cyber officer Sarah Cleveland worries about the threat of a major supply-chain attack from China or another adversarial nation. So she installed solar panels on her house: "Because what if the electric grid goes down?"

The home solar system was Cleveland's personal answer to the question of where to begin securing against the kind of potentially destructive attacks that government agencies and intel analysts warn are on the horizon from groups like Beijing's Silk Typhoon.

Silk Typhoon is the espionage crew believed to be behind the December US Treasury intrusions. Earlier this month, Microsoft warned that the government-linked hackers are now targeting IT supply chains.

"Nation-state hacking has become more in your face," says Cleveland – who now works for network intel infosec outfit ExtraHop as its senior director of federal strategy.

"Before, it was gathering intelligence, stealing data or stealing just information, but now it has moved into manipulating systems and disrupting critical infrastructure, and we're seeing a lot of that sophistication in those attacks, for example, like with Silk Typhoon and Salt Typhoon," she tells The Register.

The latter is another Chinese government-backed group that last year broke into at least nine US telecommunications companies and government networks, and more recently was spotted exploiting unpatched Cisco devices to compromise global telecom providers and other orgs.

"What makes these attacks so insidious is that the attack surface, like critical infrastructure, has expanded and exploded just because of the way we use third-party vendors and contractors and cloud service providers," Cleveland says. "So if any of those external entities are compromised, it opens up so many avenues to cause significant damage downstream, with cascading effects."

While she doesn't expect everyone to put solar panels on their roof in response, corporations should secure their supply chains and networks now, and not wait for the government to ban tech from certain countries or mandate security measures, Cleveland adds.

"I think it's always best to take care of yourself and your company, your information, your data, rather than waiting for others to tell you what to do or threatening you with fines."

Organizations, and especially critical infrastructure owners and operators, need to be mindful of who they do business with and how they do business, she says. And, of course, not even solar panels are immune.

"Most of the inverters are manufactured in China," Cleveland acknowledges. "All that data that you use on that solar inverter goes to China." Because of this, "companies do need to invest in tools that will have a visibility and understanding of what their network is, where their data is going, and if there is infiltration," she adds.

To be fair: this could be perceived as a bit self-serving as ExtraHop provides network detection and response and gives companies the type of visibility Cleveland is describing — not that we are saying visibility, or threat detection and response, is a bad thing.

Measures like enforcing zero-trust security policies and turning on multi-factor authentication are equally important in combating supply-chain risks, she says.

"Companies having mature cybersecurity processes is absolutely important," Cleveland says. "Know who you're hiring, what you do with accounts, and if somebody leaves a company, how quickly could you de-provision it. Understand who gets access to what data, how that data is flowing — just having that visibility cuts down on a lot of risk."
