A new report from a U.S. counterintelligence agency details persistent efforts by China, Iran, and Russia to steal U.S. trade secrets, warns that those campaigns are here to stay, and raises concerns about the software supply chain as a vector for economic espionage.
China, Iran, and Russia are “three of the most capable and active cyber actors tied to economic espionage,” and they will “remain aggressive and capable collectors of sensitive U.S. economic information and technologies, particularly in cyberspace,” states the report released Thursday by the National Counterintelligence and Security Center (NCSC).
Last year was a “watershed” year in public reporting of big software supply-chain operations, with seven incidents reported compared to just four between 2014 and 2016, according to the NCSC, which is part of the Office of the Director of National Intelligence. The counterintelligence agency cites the seminal NotPetya attack, which U.S. officials blamed on Moscow, and the CCleaner backdoor, which infected 2.2 million customers, as evidence.
“Software supply chain infiltration already threatens the critical infrastructure sector and is poised to threaten other sectors,” the report states.
At a press briefing Thursday, NCSC Director William Evanina drove the point home by saying, “We are not prepared as a nation to deal with the supply chain threat holistically.”
Evanina, the top U.S. counterintelligence official, said that China had not been honoring a 2015 agreement between then-President Barack Obama and Chinese President Xi Jinping to refrain from economic cyber-espionage. He pointed to multiple Justice Department indictments of Chinese nationals in the last few years for allegedly stealing U.S. intellectual property.
The Chinese, Iranian, and Russian governments have in the past denied accusations that they use cyberspace to carry out theft from the private sector. For their part, U.S. officials have long contended that, unlike its adversaries, the United States does not conduct such operations.
The 20-page report, which offers a snapshot of the U.S. intelligence community’s views on economic espionage, comes as American lawmakers rail against the national security risk posed by foreign tech companies linked with adversarial governments.
Legislators have pushed, with varying success, to require that U.S. supply chains be rid of Moscow-based Kaspersky Lab and Chinese telecoms Huawei and ZTE. The Department of Homeland Security last year required all civilian agencies to remove Kaspersky products from their networks. However, a measure that would have reinstated a ban on ZTE from buying U.S. components was left out of Congress’s annual defense policy bill.
Of the three companies, the NCSC report mentions only Kaspersky by name. But its message is clear: “These companies provide valuable services that often require access to the physical and logical control points of the computers and networks they support.”
At the briefing, Evanina called out Huawei, ZTE, and Kaspersky, describing them as purveyors of access to U.S. supply chains.
To help address the spying concerns, Kaspersky announced in May that it was moving some of its operations to Switzerland. In an interview last month with CyberScoop, Evanina dismissed the move as having no effect on how the U.S. government approaches the alleged threat from the Russian antivirus vendor.
Russia has in recent years “dramatically increased its demand for source code reviews for foreign technology being sold inside the country,” according to the NCSC report.
The NCSC report also raises concerns about popular technological advances like artificial intelligence and the Internet of Things, which the agency worries “will introduce new vulnerabilities to U.S. networks for which the cybersecurity community remains largely unprepared.”