There are different types of supply-chain attacks: generic attacks, which attempt to sabotage all devices; and targeted attacks, which take advantage of knowing the end customer for a device. Additionally, supply-chain attacks on the software component can take place not only when a device is shipped but also whenever the software receives an update. There are also information-gathering supply-chain attacks in which a cloud service provider reveals data.
The U.S. government needs to take supply-chain attacks much more seriously and refine government purchasing in ways that resist these attacks. Some attacks—such as bulk sabotage of consumer chips or devices—are probably unavoidable. But wide-ranging attacks like these can cause only limited amounts of damage, because, unless they are particularly subtle, they are more likely to be detected.
Why supply chain isn’t a bigger discussion when discussing security boggles my mind. Every company and organization – and individual – is vulnerable.