The National Counterintelligence and Security Center (NCSC) and its partners in government and industry launched the “National Supply Chain Integrity Month” awareness campaign on April 1.
The goal of the campaign is to encourage organizations across the country not to gamble with supply chain security against foreign adversaries and other potential threats.
“Hostile nation states and other threat actors exploit supply chain vulnerabilities to steal American intellectual property, target our critical infrastructure, and compromise our cybersecurity,” said Michael Casey, NCSC Director, in a statement. “While these incidents have increased in number and severity, so has our resolve to build resilience in the supply chains we all rely upon.”
Throughout 2023, threat actors—ranging from criminal elements and ransomware gangs to sophisticated hackers sponsored by nation states—conducted high-profile cyber campaigns that resulted in costly supply chain consequences. In June 2023, the “Clop” ransomware gang conducted large-scale data-theft operations that victimized thousands of U.S. organizations and impacted tens of millions of people.
In addition, People’s Republic of China (PRC) state-sponsored cyber actors known as “Volt Typhoon” conducted extensive cyber intrusions that breached U.S. critical infrastructure. Organizations must prepare now to deal with these threats and keep ahead of potential risks.
Supply chain security has been a priority focus for public and private sector organizations seeking to enhance their resilience in the face of unpredictable supply chain shocks in recent years. These shocks are not only increasing in number but also in severity. Recent examples include the Microsoft cloud 365 breach by China-based actors identified as “Storm-0558,” which accessed the email servers of 25 organizations, including U.S. government agencies and consumer accounts in the public cloud.
For 2024, NCSC and its partners, including the U.S. Departments of Homeland Security, Defense, Energy, and Commerce, are asking organizations to bolster their Supply Chain Risk Management (SCRM) programs with an “A.C.E.” — Acquisition Security, Cyber Security, and Enterprise Security.
Incorporating A.C.E. into SCRM programs will help organizations make risk decisions that last throughout the supply chain lifecycle. When a contract partner fails to deliver on time; when a cyber breach threatens data integrity; or when an insider compromises corporate or customer information, having effective A.C.E. principles in place can help organizations better mitigate and withstand such incidents.
Throughout April, NCSC and its partners in government and industry will conduct multiple outreach events to promote supply chain integrity by spotlighting adversarial activity, sectors at risk, and ways organizations can enhance SCRM with A.C.E. principles. The events will include classified discussions within the Intelligence Community, multi-national engagements with international partners, and events with industry and public participation. NCSC also plans to publish advisories and other materials related to SCRM on its website at www.ncsc.gov and on social media platforms.
