National Intelligence Estimate 2009 Global Cyber Threat – Supply Chain Excerpts

SECRET//REL TO USA, AUS, CAN, GBR, NZL SECRET//REL TO USA, AUS, CAN, GBR, NZL The Global Cyber Threat to the US Information Infrastructure (U) NIE 2009-03 REL FVEY May 2009 SECRET//REL USA, AUS,NZL CAN, GBR, NZL SECRET//REL TO USA, AUS,TO CAN, GBR,

SECRET//REL TO USA, AUS, CAN, GBR, NZL US classified networks occasionally have been infected with malicious software over the years through the use of removable memory devices such as thumb drives or the forwarding of e-mail from unclassified to classified networks. As we have increased monitoring of US classified systems we have detected increased incidents of infection, but it is unclear whether this indicates a growing number of penetrations or merely increased observation of an ongoing problem. We also are uncertain whether any of these infections were intentional or if they occurred by accident. • We assess with moderate confidence that adversaries probably will begin to adopt more resource-intensive tactics, such as taking advantage of insiders or introducing cyber attack vulnerabilities during the manufacturing stage of network hardware and software in the increasingly global supply chain, in order to counter the adoption of additional security techniques on targeted classified networks. (S//REL) We assess with high confidence that Russia and China pose the greatest cyber threats due to their strategic interests and capabilities to target and disrupt elements of US and allied information infrastructures. • Russia has a robust, multi-disciplinary computer network operations program with proven access and tradecraft and can conduct the full scope of operations, including computer network exploitation, computer network attack, insider-enabled operations, and supply-chain operations. • China has become the most active foreign sponsor of computer network intrusion activity discovered against US networks but has not demonstrated the sophistication or range of capabilities of Russia. We assess with high confidence that Beijing has dramatically expanded its level of effort in computer network operations over the past five years and that China’s state-sponsored information operations capabilities will continue to grow. Chinese cyber efforts include insider access, close access, remote access, and probably supply chain operations. Intrusion activity that we assess is probably sponsored by the People’s Liberation Army has targeted US military and diplomatic organizations, defense 6 SECRET//REL TO USA, AUS, CAN, GBR, NZL

SECRET//REL TO USA, AUS, CAN, GBR, NZL contractors, and companies and government organizations involved in deals of significance to Chinese industry. (S//REL) We assess with high confidence that the increasing role of international companies and 7 SECRET//REL TO USA, AUS, CAN, GBR, NZL

SECRET//REL TO USA, AUS, CAN, GBR, NZL Confidence Levels for Key Judgments (U) High Confidence (U) • Almost all current and potential adversaries now have the capability to exploit and, in some cases, attack unclassified access-controlled US and allied information systems via remote penetration from the Internet. An increasing number of actors are seeking the capability to target the telecommunications system, secure systems, supply chains, and other components of the US information infrastructure. • • Russia and China pose the greatest cyber threats due to their strategic interests and capabilities to target and disrupt elements of US and allied information infrastructures. • The increasing role of international companies and foreign individuals in US information technology supply chains and services will increase the potential for persistent, stealthy subversions. • Moderate Confidence (U) • Adversaries probably will begin to adopt more resource-intensive tactics, such as taking advantage of insiders or introducing cyber attack vulnerabilities during the manufacturing stage of network hardware and software in the increasingly global supply chain, in order to counter the adoption of additional security techniques on targeted classified networks. • (S//REL) Low Confidence (U) • (S//REL) 11 SECRET//REL TO USA, AUS, CAN, GBR, NZL

SECRET//REL TO USA, AUS, CAN, GBR, NZL Cyber Supply Chain Threat Defies Easy Solution (U) We assess with high confidence that the increasing role of international companies and foreign individuals involved in US information technology supply chains and services will increase the potential for persistent, stealthy subversions over the course of this Estimate. While foreign intelligence and military services are most likely to conduct supply chain operations, international terrorist and criminal groups or even companies engaged in industrial espionage could carry out such operations as well. • • • Exclusion of foreign software and hardware components and products from sensitive networks and applications is already extremely difficult and will become more so as fully USmanufactured substitutes become increasingly scarce and US providers of cyber security products and services are acquired by foreign firms. • Even if a successful exclusion policy could be implemented, opportunities for subversion would still exist through the use of front companies in the United States and adversary use of insider access in US companies. (S//REL) In the event of a supply chain attack during a national crisis or wartime, US organizations may not have the means or the time to ascertain the trustworthiness of backup equipment and data. (S//REL) 19 SECRET//REL TO USA, AUS, CAN, GBR, NZL

SECRET//REL TO USA, AUS, CAN, GBR, NZL Why Don’t We See More Supply Chain Operations? (S//REL) Considerable uncertainty overshadows our assessment of the threat posed by supply chain operations. Intelligence reporting provides only limited information on efforts to compromise supply chains, in large part because we do not have the access or technology in place necessary for reliable detection of such operations. This intelligence challenge is compounded by the unwillingness of victims and investigating agencies to report incidents. Many types of supply chain operations tend to be difficult and resource-intensive, however, and thus may not occur as often as the vulnerabilities of US systems might allow. (S//REL) 20 SECRET//REL TO USA, AUS, CAN, GBR, NZL

SECRET//REL TO USA, AUS, CAN, GBR, NZL Threats to Electronic Voting (U) On balance, we judge the threats of electronic vote tampering to be similar to those from traditional efforts to manipulate election results. Electronic voting machines are subject to many of the same vulnerabilities as other computers, such as software vulnerabilities, insider access, and supply chain threats, and numerous academic and government security examinations in the United States and other countries have discovered vulnerabilities in voting systems. We are unaware, however, of any attempts to use cyber attacks to affect US elections. • The identification and exploitation of vulnerabilities in computerized voting systems by foreign cyber actors could undermine US democracy promotion efforts and support for proUS opposition political parties abroad. (S//REL) 31 SECRET//REL TO USA, AUS, CAN, GBR, NZL

SECRET//REL TO USA, AUS, CAN, GBR, NZL Influence of Technology Trends on Offense and Defense (U//FOUO) Trends Tradeoffs Beneficiary Network Convergence • Convergence of telecommunications and Internet driven by economics. • Depending on implementation, particularly of signaling system, could leave telecommunications infrastructure vulnerable as Internet is today. Offense strongly Legacy Drag • Expense of upgrading infrastructure hardware forces defense to work with old, less secure legacy equipment. • Forces designers to include backward compatibility, increasing chances that new equipment will inherit old vulnerabilities. • Defense seeks to avoid this through use of wireless infrastructure, creating new problems. Offense strongly Interconnectivity • Offense has easier access to critical data, applications, and infrastructure. • Pervasive digital sensors provide offense the potential to subvert more critical systems, with greater potential for causing physical effects virtually. Offense strongly Wireless Communications • Solves access problem for offense unless robust, secure, reliable protocols can be established. Offense strongly Unvetted Supply Sources • As supply chains, particularly in the design phase, become more international, establishing trustworthiness of supply source more difficult. Offense strongly Programmable Hardware • Allows defense to update or make real-time adjustments to hardware functionality, but software attacks could subvert hardware. Offense strongly Ubiquitous Media • Use of common media such as USB drives on many types of devices and hardware creates a common vector for attack and data exfiltration. Offense strongly Device Convergence • Small, portable, more powerful devices will be more attractive target. • Information associated with some device functions—sound, vision, and navigation—could be collected, used against owner. • Increasing power of devices will allow for security improvements, including callhome, encryption. Offense slightly Complexity • More difficult for defense to build secure hardware and software. • Defense must “get it all right;” offense needs find only one flaw. • More difficult for offense to identify targets or reverse-engineer. Offense slightly Higher Bandwidth • More data to collect but harder for offense to pinpoint its desired target. Neutral Outsourced Processing, Storage, and Security • Systems used by defense to manage distributed processes and data will be new, potentially lucrative target, but centralized facilities could be protected. • Security as a service could increase security from intruders and obfuscate storage, but is dependent upon secure implementation and extends data access to insiders at outsourced services companies. Defense Slightly Virtualization • Decreased risk to actual data and operating system. • Technology can also be applied to hide malicious files from the operating system, and virtualization applications could have their own vulnerabilities. Defense slightly Stateful security • Techniques such as Deep Packet Inspection could improve defenders’ ability to find compromises of computer as they occur. • Fiber optic communications make intercept more difficult, present significant targeting and volume problems for offense. Defense slightly Defense strongly • Best defense to protect data, authenticate processes, particularly if includes hardware, multifactor authentication, and biometrics. • Offense will need to subvert people, supply chains, or implementation. • Can reduce the ability of defenders to conduct traffic analysis and inspection. Defense very strongly Optical Communications Cryptography This table is UNCLASSIFIED//FOR OFFICIAL USE ONLY. 34 SECRET//REL TO USA, AUS, CAN, GBR, NZL

SECRET//REL TO USA, AUS, CAN, GBR, NZL Outside Reviewers’ Comments (U) Dr. (U) (Continued on next page) (Continued…) Outside Reviewers’ Comments (U) 45 SECRET//REL TO USA, AUS, CAN, GBR, NZL

SECRET//REL TO USA, AUS, CAN, GBR, NZL This NIE properly summarizes our knowledge and inferences on the cybersecurity threat. However, it may underestimate the vulnerability of our classified networks. A reasonable person may assume that any cyber operation the United States can perform against peer or near-peer countries, such as Russia or China, those countries could potentially perform against us. To the extent that we are successful in such operations, we should assume—absent compelling evidence to the contrary—that others may well have been successful against us. (S//REL) Also, while the NIE properly identifies the insider threat as the major cyber threat, the Chinese supply chain may require additional consideration. The deep influence of the Chinese government on their electronics manufacturers, the increasing complexity and sophistication of these products, and their pervasive presence in global communications networks increases the likelihood of the subtle compromise—perhaps a systemic but deniable compromise—of these products. (S//REL) Finally, it should be noted that even as our own computer network offensive capabilities are better developed than our network defense capabilities, the same may be true of our adversaries. Efforts to share information between offensive, defensive, and analytical cyber organizations should be encouraged to more fully inform the latter organizations of the magnitude of the potential threat. (S//REL) 46 SECRET//REL TO USA, AUS, CAN, GBR, NZL