Assessing Supply Chain Geopolitical Risk
ACM.179 Where does the company in your supply chain build, test, and sell their products?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.
🔒 Related Stories: Multi-Cloud Security | Data Breaches
💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Part of my series on Automating Cybersecurity Metrics. Also Data Breaches and Network Security.
Free Content on Jobs in Cybersecurity | Sign up for the Email List
In the last post, I let you know that I’m busy, but my brain won’t let me stop thinking about things I want to write about and this one has been on my mind for some time. I’ve been assessing Okta and one thing we need to consider are the people and their affiliations. This is related to the laws that exist in certain countries, espionage, cyber attacks, and government actions, not where people are born. No one controls where they are born and where you are born doesn’t define who you are as a person.
This topic came to the forefront of my mind again due to the fact that I noticed a lot of private equity firms are taking publicly traded cybersecurity companies private. When a private equity firm takes over a company they will most certainly make changes to the organization’s leadership. They may also sell off parts of the company to other parties or change business relationships.
I was also reminded of a company controlled by a company controlled by a private equity firm that tests firewall products in China when I noticed this trend. It is important to understand the related risks outlined below and any shifts in business relationships or hiring practices as new ownership comes into the picture. One of the risks has to do with where companies build, test, and sell their products.
Where are the threat actors?
Most cybersecurity professionals know this already. Major threat actors that attack the United States are based in certain countries, supported by the governments in those countries. You may think that because you only buy from companies headquartered in the US that these threats do not apply to you. But is that correct? Let’s dive a bit deeper.
There are cybersecurity organizations like MITRE that track these organizations. MITRE is a US not-for-profit organization based in Bedford, Massachusetts, and McLean, Virginia established to provide engineering and technical guidance to the federal government.
MITRE has a list of these threat actor groups that tracks where they are located, their primary objectives, targets, and the TTPs (tactics, techniques, and procedures) they leverage.
https://attack.mitre.org/groups/
When you click on one of the groups you can see examples of the techniques they have used to carry out attacks.
https://attack.mitre.org/groups/G0005/
If you peruse the list above, you will see that certain country names appear more often in the list than others. It is pretty obvious how these threat actors align with countries that are or are not in support of the Russian invasion of Ukraine. It would be naive to think that doing business in such countries poses no risk to US companies based on the activities above if threat actors in those countries supported by their government are targeting US citizens and companies with malware.
How Chinese laws introduce risk
Here are some of the risks introduced by Chinese laws related to cybersecurity and technology. If you do business in China or hire Chinese citizens these laws may affect you. The same applies to your vendors — and their vendors.
Companies in China are required by law to give information to the Chinese government, if it asks for it.
Chinese law may require Chinese citizens to carry out espionage for the Chinese government. This may be regardless of where they live and whether or not they actually want to do so.
A newer Chinese data security law from 2020 creates even more risk for companies buying Chinese products because China can force them to install backdoors according to this report.
These laws may be used to compel Chinese firms to provide Beijing with data, encryption keys and other technical information, as well as to install “backdoors” or “bugdoors” (a backdoor that masks itself as a computer “bug”) in equipment which create security flaws vulnerable to exploitation by Chinese entities.
Not only that, the law requires anyone who finds a vulnerability in a product in China to tell the Chinese government first. I wrote about that here:
Alibaba was punished for not doing so when exposing the Log4J flaw.
What if the engineer had exposed the flaw to the Chinese government first. What do you think the threat actors in the above list would have done with that flaw?
They would have almost certainly used it to carry out the activities they have carried out using other exploits in the above list.
All countries are involved in espionage — protect yourself.
By the way, all countries undertake espionage to protect themselves. The goal here is to defend our systems, not to point fingers at other countries.
For more on espionage around the world check out the books I reviewed here on cyber spying and attacks:
https://medium.com/cloud-security/cybersecurity-book-reviews/home
There were many concerns about a Chinese spy balloon flying over the US while at the same time, companies fail to implement appropriate cybersecurity controls. I wrote about that here:
This post addresses risk associated with purchasing products or services that give foreign governments access to our systems and data. You should be aware of this risk, assess and choose appropriate vendors, and create appropriate agreements (contracts) with those vendors.
What if a company tests its products in China?
Given the above laws, what if a company building a firewall product tests its product in China? Let’s say a QA engineer in China finds a vulnerability that could be used to exploit that product and gain access to the environments of companies that use that product?
Would they have to report the vulnerability to the Chinese government before the company for whom they are working?
The law appears to suggest that is the case.
That said, do you know where your the products and services you use are developed and tested? Because if your products have an exploit that an adversarial government is aware of, it could be used to access your systems and data.
A straightforward approach to see where the products you buy are built and tested would be to check the careers page published by that company.
Here’s an easy way to find out if the company from whom you buy products or services hires Chinese citizens in China as employees.
You may be able to search by location or job type. One search for jobs offered by a firewall vendor yields the following:
If you cross-reference Chengdu China you can see that it comes up on our list of threat actors above.
It seems that the Chinese government has some sort of cybersecurity attack hub in Chengdu. We can find more evidence of this in the indictment by the US government of seven individuals at least partially based out of Chengdu and associated with the Chinese government.
Later Wired published a report on a CVE exploited by Russian threat actors related to one of that company’s products. What are the chances that information from Chengdu somehow made its way to Russia? I don’t know. But given the alignments of global powers in the world, it does make one wonder.
What if the company does not advertise the job postings so blatantly or has hired nationals of other adversarial companies?
Search for the following terms in Google:
- [company name] QA engineer [country]
- [company name] engineer [country]
- [company name] software developer [country]
- [company name] application developer [country]
See what comes up.
For example, I have been assessing Okta. I look on the Okta job listings and do not see countries that concern me listed for QA or software engineers.
However, I do find some interesting listings with the searches above. That said, I cannot judge the results too much. I would need to ask the company more questions to understand the risks associated with those search results.
Again, I am not concerned about people’s nationality — I am concerned about people subject to foreign laws or actively working with foreign governments to harm US systems, individuals, and companies. There’s a difference.
You may think that your coworker is a really nice person, but that does not rule out the fact that they may be up to something nefarious. I heard someone say that Edward Snowden asked a coworker to borrow credentials and the coworker complied because he was a really nice guy. Regardless of what you think of his actions, I hope you get the point.
Indirect hiring
Some companies may not directly hire foreign nationals in risky countries, but they may outsource work to people in or from those countries through third-party vendors. Those types of arrangements will not be apparent in job listings.
For those scenarios you would need to understand the contracts the company has with other vendors and who those vendors hire. That can be complicated to figure out.
If you have concerns you may be able to arrange a contract that stipulates the rules you want the company to follow if they want you to buy their products or services. If they cannot sign a legally binding contract that ensures that the company and any of it’s subcontractors are not nationals of certain countries, then the risk likely exists — but ask your lawyer for concrete legal advice on that point.
You may be able to search online and glean some information about vendor relationships, but chances are companies have signed contracts with agreements not to disclose certain relationships.
Additionally, you may be able to do some OSINT (open-source intelligence) work in other ways to find contractors who have worked indirectly for the company, and their country of origin.
Remember that some people may have no affiliation with the government where they were born. They may just be trying to earn a living. We cannot assume that everyone born in a particular country is a spy — or that they are not. OSINT gives some indication but not the whole story.
Doing business in other countries
What is the risk of doing business in other countries? In the case of developing and deploying a cloud platform the risk is definitely increased. By deploying all your software and systems in another country it will be easier for that country to infiltrate your organization with those who are reverse-engineering and potentially stealing trade secrets.
As already mentioned, if those people working for your country in that region are able to find any vulnerabilities, they must first be reported to the Chinese government. If you use the same technology around the world, the groups mentioned above may now have a way to exploit anyone using the cloud platform.
I once spoke with an executive at AWS who said that certain regions are fully segregated, with different technology, because they are considered hostile environments. That said, there is certainly software deployed to all environments. I also experienced a scenario where my yum updates on AWS got directed to China. Hopefully that is now fixed to remain in the appropriate region.
Cloud providers need to stay ever vigilant of potential threats due to risk associated with providing their services in other countries where government-sponsored threat actors exist. That said, cloud providers may also be able to gather useful information by operating in those environments.
AWS and Azure cloud platforms exist in China.
Google has declined to operate in China because the Chinese government wanted to control certain aspects of the platform and data.
The initiative would have allowed Google to set up cloud services controlled by a third party, such as a locally owned company or a government agency.
For now, Google Cloud Platform may not be exposed in China, but that doesn’t mean it is not exposed in other ways. Do your homework to understand all the complex relationships that exist and talk to the vendor about their hiring practices.
Supply chain risks are tricky. When assessing vendors, consider all the ways in which various relationships may put your systems at risk. I addressed support teams in another post. Okta was using third-party support teams who assisted with password resets.
In another post I wrote about how I considered incorporating a TPM into a firewall product for use with the cloud. One of the considerations would be who generates the keys? Who has the public key associated with the product. If it is generated somehow during the manufacturing process, that could lead to a man in the middle attack.
I explained how a man in the middle attack would work with a public private key pair in this post, if you are not familiar with that concept:
If you are considering using a security product that is going to host or have access to critical systems and data, or protect your network, the above information should be leveraged to formulate assessment questionnaires and contracts.
Follow for updates.
Teri Radichel | © 2nd Sight Lab 2023
About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight LabNeed Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for PresentationFollow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab