Question: Is there anything we can learn from the past to protect U.S. critical infrastructure and National Security Systems?
Answer: Yes – In March of 1985, Dan Rather, CBS News, reported that “the American embassy in Moscow was victim to a sophisticated electronic spy operation which gave Soviet leaders an inside look at what U.S. diplomats were doing and planning.” It was reported that “Soviet agents [had] secretly installed tiny sensing devices in embassy typewriters [that] picked up the content of the documents typed…and transmitted them by antennas hidden in the embassy walls”.
This supply chain attack, which U.S. officials estimated lasted from 1976 to 1984, marked a new level of electromechanical and technological sophistication for the Soviets and our enemies. Prior to the discovery, the U.S. believed that audio bugs, microphones and listening devices were the sole tactics used for technical eavesdropping.
The origins of this attack stem from supply chain risks created by Soviet policy and poor U.S. shipping standards. To build an embassy in Moscow, the U.S. signed the 1972 Conditions of Construction Agreement, which was reciprocal for the Soviet Embassy in the U.S. The conditions were that the site work, foundation and structure of each embassy would be built by the host country with its materials, and that other systems would be built using host country workers under the owner’s supervision, with few exceptions. It is unclear whether more forceful negotiations could have shifted the Soviet position towards an agreement favorable to the U.S., as the U.S. was unable to rebuild the Embassy until after the fall of the Soviet Union. In 1992, the Russian Federation allowed the U.S. to construct a new building using American workers and materials. Congress appropriated $240M in both Fiscal Year 1992 and 1993 towards this endeavor.
Additionally, the U.S. shipped embassy typewriters as ordinary mail, not stored in diplomatic pouches with tamper-proof tape. This meant that Soviet customs assumed control of the typewriters before they arrived at the embassy, with little U.S. oversight. As a result, the Soviet Intelligence Service was able to insert compromised typewriters and other technical devices into the U.S.’s communication supply chain.
The case of the embassy compromise served as a primer for the U.S. to better understand and secure its facilities and information systems. This understanding, in part, spans the end-to-end supply chain, which includes design, manufacturing, source selection, acquisition, testing, deployment, and product disposal. In today’s environment, technical networks, critical infrastructures, classified systems, and weapon systems are all interconnected with disparate information systems and agency requirements, making it extremely complex to understand the end-to-end hardware, software, and firmware supply chains. It is imperative for the U.S. to continue to learn from its mistakes during the Cold War to drive innovation and policy towards supply chain security, as it has done in recent years.
Interos Solutions provides its public and private sector clients with supply chain risk management and cyber security capabilities. These capabilities utilize Interos’ expertise to provide our clients with oversight over their supply chain via analysis, vendor management and supplier audits. Our aim is to increase productivity and security for our valued clients. Please contact us with any questions about our expert services.