Source: Canada US
Link: Mueller Report and Supply Chain Security
Originally published by the Journal of Commerce in May 2019
Were crimes committed? Was the President saved by the inaction of his own staff? Did he stay on the right side of the law? Was there obstruction of justice? These and other serious topics are the source for heated discussions around water coolers, at your favorite bar, and other gathering places, including on-line. However, for those of us in the international trade field, it was also a reminder that information technology related to supply chain security is critically important.
The Mueller Report was some 448 pages, the first 100 or so are relevant to this discussion. The remaining pages are the source of much conjecture and debate about what is or is not in them, how they are to be interpreted and the like. The relevant outcome of the Mueller Report for us is two indictments related to hacking.
The first was filed in 2018 against Viktor Borisovich Netyksho and 11 other Russian military intelligence officers who are part of the Directive of the General Staff or GRU. It is 29 pages long and includes a lot of detail about the efforts they made to influence the outcome of the 2016 Presidential election. As has been the case in the past when the U.S. wants to send the message – we know who you are and what you are doing – the indictment includes details about the ranks and roles of the individuals, along with the unit number to which they belong, screen names they used, and when and how they staged the release of stolen documents obtained by way of cyber theft or hacking.
In this case, the targets of the hacking were Clinton campaign volunteers and employees, the Democratic Congressional Campaign Committee, and the Democratic National Committee. The method used was the most common and easiest to carry out – spear phishing – when individuals clicked the links contained in emails they received, malware was installed into computer networks which gave Russian intelligence free rein to extract whatever it wanted. They stole emails and documents, and then the involved individuals sought to cover their tracks by deleting logs and other computer files. They used false identifies and made false statements about their identities as vehicles for the leaks which followed. There were also attempts to hack state election boards and state political parties.
The allegations made boil down to conspiracy to commit an offense against the U.S. (seeking to interfere with an election), aggravated identity theft (focused on the theft of user names and passwords) and conspiracy to lauder money (having to do with the use of bitcoins).
The second indictment was brought in 2019 and involves allegations against Internet Research Agency and 15 other entities and individuals. This is the indictment dealing with election meddling by way of false social media accounts and stories. This group created political advertisements and staged political rallies in the U.S. for various causes, often being on both sides of the issue! The people involved took on false identifies beyond just fake names, and once found out, sought to destroy evidence. They claimed to be advocates of specific viewpoints, created groups seeking to cater to specific limited special interests, and did so using fake social media accounts. Again, the indictments go into some detail to “name and shame”, and again deliver the we know who you are and what you doing message!
The allegations in this indictment summarize as conspiracy to defraud the United States (by seeking to meddle in an election), conspiracy to commit wire fraud and bank fraud (using false names and false accounts), and aggravated identity theft (including the theft of the identity of real people and the use of their Social Security numbers, and the creation/use of credit cards based on fraudulent accounts).
For those interested in reading more about these cases, there is the Mueller Report itself, which can be found at https://www.justice.gov/storage/report.pdf. The indictments are U.S. v. Netyksho, et al, Case 1:18-cr-00215, and U.S. v. Internet Research Agency LLC, et al, Case No. 1:18-cr-00032; both were filed in the District Court in Washington, D.C.
These cases serve as a reminder that being smart with technology can minimize a lot of potential problems. The hacking that occurred of the Clinton campaign and the two Democratic Party institutions was possible in part because staff was not smart about what links to activate. It seems likely that security on the systems themselves needed improvement to meet basic needs, but even so, clicking on a link from a questionable source is relatively easy to sort out. Admittedly spoofing is a common occurrence, meaning the email is designed to look like it is coming from a legitimate source, but typically one can look carefully at the original sending address and realize it is not real. It is also true the “bad guys” are getting every more sophisticated, and so beside questioning the origin of the email, looking at the request and asking – does this seem a reasonable request from the sending individual? – is still the best tool to exposing spear phishing and other malicious attempts, and that does mean relying on the attention span of the recipient, and this is where supply chain security comes in.
The Customs-Trade Partnership was created post-9/11 and, to its credit, from the beginning Custom and Border Protection (CBP) knew to include an element of cybersecurity. It started with the most basic of standards – user names and passwords unique to their users, and need to know based access. The program was grounded in another basic element – accountability. It remains the case that compliance can most often be obtained by encouragement, so a proper C-TPAT program is expected to support the reporting of anything that seems questionable. Rewarding employees, even with something as basic as public acknowledgment, is a program stalwart. Now, however, CBP is recommending, and good cyber practices encourage, making sure there is accountability for abuse of the system, including improper access and tampering with or altering business data, and demands there be consequences, from discipline to termination.
Do you have a written cyber policy? Are user names and passwords individually assigned? Including to IT and Admin staff? Must passwords be regularly changed? Are default passwords changed when a new machine is brought on line, or when a system or software program is installed? Does your system protect from unauthorized access? Does your system protect against manipulation? Do you use firewalls? Do you use virus detection? Is software regularly updated? Is there an adequate consequence in the face of abuse of the system? What is the log-out process? How long is the system left open before an employee must again log-in to gain access to his/her device? Does your personnel policy clearly state that anything on the company’s system (hardware and software) belongs to the company and is subject to search/review at the company’s discretion? Does this extend to employee work spaces and telephone use? Does your system track usage, not just by employees and others with authorized access, but also external usage? Can you look at traffic volumes and identify anomalies? When fully functional and implemented, Blockchain will certainly help track document changes, but what are you able to determine now – anything?
In the meantime, we would all be well served to remind our co-workers, being smart about the technology you have and how you use it, including the social media accounts viewed, is the best way to stay protected from those who seek to do us harm, whether it is the Russians and election meddling, bad guys who want to steal our identifies and use them for their own nefarious purposes or those seeking to comprise shipments, whether by substituting cargo or stealing existing shipments.