U.S. intelligence agencies have begun a review of supply chain risks emanating from Russia in light of the far-reaching hacking campaign that exploited software made by SolarWinds and other vendors, a top Justice Department official said Thursday.
The review will focus on any supply chain vulnerabilities stemming from Russian companies — or U.S. companies that do business in Russia, according to John Demers, the assistant attorney general for national security.
“If there’s back-end software design and coding being done in a country where we know that they’ve used sophisticated cyber means to do intrusions into U.S. companies, then maybe … U.S. companies shouldn’t be doing work with those companies from Russia or other untrusted countries,” Demers said during a Justice Department-hosted cybersecurity conference.
Demers said that the FBI and other intelligence agencies will pass any information obtained from the review to the Commerce Department to decide if further action to exclude vendors from U.S. supply chains is warranted.
The White House has blamed Russia’s SVR foreign intelligence agency for the espionage activity, which exploited SolarWinds software and infiltrated at least nine U.S. federal agencies. The Biden administration has also sanctioned Russian technology companies for alleging supporting Russian intelligence agencies’ cyber operations. Moscow denied the allegations.
Yet the U.S. intelligence review shows that the Biden administration is still studying how future spying operations might emulate what the SVR allegedly did to exploit blind spots in the networks of U.S. software providers.
The alleged Russian hacking exposed a broad swath of U.S. government and corporate entities to infiltration. SolarWinds, a Texas-based software vendor, initially said that as many 18,000 of its clients had downloaded malicious code. The spies’ ultimate target list, however, comprised 100 companies and at least nine federal agencies, according to the White House.
U.S. officials’ concerns about supply chain exposures have only grown in recent weeks as other hacks have emerged. Codecov, a platform for reviewing code used by 29,000 organizations, revealed last month that an unknown intruder had tampered with one of its software tools.
The supply chain review appears to be authorized by a 2019 executive order issued by then-President Donald Trump, which bans U.S. telecom firms from using equipment that poses a national security threat.
While the executive order was largely seen as an attempt to further restrict access to American markets for the Chinese telecommunication firm Huawei, it can be applied to technologies from other countries. The order tasks U.S. intelligence officials with continuously assessing foreign supply chain risks, and allows for further “rules and regulations” that identify particular technologies or countries that may pose a threat.
The supply chain review draws on longstanding concerns from U.S. intelligence officials that Moscow could leverage technology from Russian vendors to spy on Americans.
The Department of Homeland Security in 2017 barred U.S. civilian agencies from using products made by antivirus firm Kaspersky, citing “ties between certain Kaspersky officials and Russian intelligence and other government agencies.” Kaspersky has denied any “inappropriate ties” with any government. The National Defense Authorization Act enacted that year expanded the scope of the ban to any third-party products embedded with Kaspersky code.
Scrubbing governments networks of Kaspersky code was far from simple as, months after the ban went into effect, some agencies struggled to track which third-party software providers used snippets of the code.