Global IT Supply Chain Security – The U.S. Needs to Step Up Its Game

According to a recent article from the New York Times, Microsoft officials warned that Russia’s intelligence apparatus has been engaged in another campaign to gain unauthorized access into thousands of U.S. government, corporate, and think tank networks. The ongoing cyber-espionage campaign appears to be focused on acquiring data that is stored in the cloud. According to the Times, Microsoft has not provided any additional information regarding the campaign, though it did indicate that the number of successful breaches was “small.” Nevertheless, the activity further underscores Russia’s intent to target and compromise any entity that it feels is vital to supporting its intelligence interests. The target list may be expansive, as a recent Microsoft report claimed more than half of nation-state attacks detected by the company have come from Russia.

Microsoft believes that the campaign is orchestrated by Russia’s Foreign Intelligence Service (SVR), the entity to which the SolarWinds attack has been attributed. That attack was discovered in late 2020 and potentially impacted several thousand customers (including U.S. government organizations and Fortune 500 companies). Many consider the attack one of the most sophisticated in history, shedding intense light on a well-known security problem that has often gone overlooked: the preservation of global IT supply chain integrity. In addition to the SolarWinds compromise, the SVR was one of two Russian intelligence services identified in malicious activity directed against the Democratic National Committee and the larger 2016 U.S. presidential elections. A wide variety of cyber-enabled operations have been attributed to Russia’s cyber units, including disinformation, propaganda dissemination, and disruptive/destructive cyberattacks in addition to cyber espionage.

What is noteworthy is that this latest round of cyber theft comes on the heels of the White House levying sanctions against Russia for conducting similar global cyber espionage operations. While Russia has denied any involvement in the SolarWinds breach, in the past Russian intelligence officers have been held accountable for similar cyber malfeasance. In October 2020, for example, the U.S. Department of Justice indicted six Russian Main Intelligence Directorate intelligence officers and two Federal Security Service officers in 2018. Cyber espionage for the purposes of stealing data or sustaining unauthorized access on compromised networks for further exploitation is the trademark of Russia’s cyber units.

As for the recent campaign reported on by the Times, Russian cyber operators appear focused on the IT supply chain as a point of entry into organizations of interest. In addition to at least 14 cloud service providers breached, SVR attackers also targeted 140 managed service providers, with more than 600 Microsoft customers impacted since July. What is more, the operators executed repeated attacks against the same targets, indicating that these unidentified entities were important for compromise and exfiltration. Based on the SolarWinds incident, and the recent attacks against these companies, Russian cyber units understand that compromises against the global IT supply chain may be difficult to achieve but potentially yield huge rewards, if successful, with expansive reach.

The United States – as well as the rest of the world – realizes that the protection of the IT supply chain is essential to protecting and ensuring national security. In May 2021, Biden issued an Executive Order (EO) on Improving the Nation’s Cybersecurity, a part of which addressed the need to enhance software supply chain security. The EO charged the National Institute of Standards and Technology (NIST) to get input from a variety of government and non-government entities to identify and/or develop new standards to bolster the IT supply chain security environment. NIST has often been an important stakeholder when it comes to cybersecurity standards. However, while federal government entities may be mandated to comply with NIST guidelines, the private sector is a different matter, and given that the software supply chain is dominated by the private sector, it will remain up to it to decide how it operates and to what degree it addresses IT supply chain vulnerabilities. In the meantime, Russian operations against the global IT supply chain continue.

While the EO is a credible attempt to look at the software supply chain issue holistically, any impact is not to be felt for quite some time. In the wake of the recent Microsoft report of continued Russian supply chain operations, Russia has not been persuaded to curb its activities despite already being sanctioned for its alleged involvement in the SolarWinds incident. In fact, if Microsoft reporting is true, Russia continued IT supply chain attacks after being sanctioned, a clear sign that Moscow intends to relentlessly test U.S. President Biden’s resolve. Biden came into office with promises of getting tough on Russia, a promise that has yet to materialize, and as such, there is no indication that Russia will abate its activities despite all the White House’s pomp and rhetoric.

Ensuring the integrity of IT supply chain security requires a two-pronged effort that starts at the top. The EO addresses one part by identifying the problem and getting the right organizations to start to develop standards and guidelines and creating milestones for implementation. But this will require a public-private partnership that is more than words and platitudes and is able to transcend presidential administrations. Such endeavors require setting achievable goals that mark progress and show accountability.

The second part is more difficult because it involves the development of a strategy to influence state actors to alter their perception of the benefit of such attacks, raising their cost to the point that they prove too expensive in time, money, resources, and/or political/economic consequence to engage in. Such a strategy is only as credible as the leader to which it is tied. Getting international stakeholders on board is a good step, but the United States needs to be leading that effort at the tip of the spear rather than be content to be just part of the group. Unfortunately, the more Biden stays comfortable in a supportive role, the less likely Russia is to feel the pressure to change its habits.

Words may matter but only when they articulate meaningful consequences that are matched by action. Saying that Vladimir Putin has “no soul” does not carry the same weight as a combination of crippling economic sanctions, aggressive diplomatic policy, and the use of international partnerships to keep pressure on Russia for its cyber malfeasance. When it comes to IT supply chain integrity, there is little room for missteps, as critical infrastructures, government, and corporate operations rely on this technology. It behooves the administration to spend less time grandstanding and more time building a solution that finally gets IT supply chain security right.

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.