The National Counterintelligence and Security Center (NCSC) leads counterintelligence for the national government. Among its myriad missions is securing the software supply chain.
“My directorate is certainly concerned with the supply chain of all critical infrastructure, certainly the supply chain that the IC has to source from as well,” Jeanette McMillian, assistant director of NCSC’s Supply Chain and Cyber Directorate said on Federal Monthly Insights – Securing the Supply Chain.
NCSC, part of the Office of the Director of National Intelligence, is the peak of the mountain in America’s intelligence community.
“We are focused on counterintelligence threats from all spectrums, whether we’re talking about your classic espionage, as well as talking about insider threats,” McMillian said on Federal Drive with Tom Temin. “Of course, what my director does is focus on counterintelligence threats that are vectored through the supply chain that the IC has to source from as well, and how our foreign adversaries are positioned to make sure that they are executing their capabilities through our supply chain. So it is a very daunting situation out there. It is never a dull moment. But we are certainly able to get information out there to federal defenders to the critical infrastructure and also the private sector and industry that are supporting those critical missions.”
McMillian does not sugarcoat the “astronomical” threat landscape when it comes to supply chain cybersecurity. NCSC is looking at it through a counterintelligence (CI) and security lens. Victims run the gamut: government entities, non-profit organizations, even your run-of-the-mill user.
“From an NCSC standpoint, from a CI and security standpoint, we really want to know why. Why did something happen and how that software was being used to exploit. What was it that they were trying to get after from the foreign-adversary standpoint? Were they after data? Were they after information? Were they after customers, users or anything that was going to disrupt your mission set?” McMillian said.
So although all victims want to get the threat actor out of their environment as quickly and effectively as possible, NCSC also wants those victims, and NCSC itself, to really understand why the cyberattack took place.
Then there is the question of where an entity procures its software. There are four basic categories: software you figuratively buy off the shelf and install, online software-as-a-service from the cloud, software coded for an entity under a contract, and, increasingly, software written by coding operations inside the government itself.
“I believe the National Institute of Standards and Technology has certainly put together a wonderful framework called the Secure Software Development Framework,” McMillian said. “And no matter where you’re getting your software in any one of those four buckets, you want to make sure that that software is being developed in a secure environment; not only that it’s operating the way it’s intended to, but it’s also only received access from those authorized developers, and that those developers understand the security that they need to deliver to you, the end user.”
McMillian also pointed out that software is developed for certain functions and those functions are not the same. Anti-virus software has to be intimately involved in all parts of a network. Word processing software, on the other hand, does not have to be as “intimately involved.”
“So when you’re picking and choosing your software, you want to make sure that the security goes along with the function, goes along with the criticality and how you want that piece of software to operate securely in your network,” McMillian said.
“There’s risk everywhere, especially when we’re talking about the software supply chain,” she added.