Supply-Chain Attacks: Why the U.S. Should Worry:
There are different types of supply-chain attacks: generic attacks, which attempt to sabotage all devices; and targeted attacks, which take advantage of knowing the end customer for a device. Additionally, supply-chain attacks on the software component can take place not only when a device is shipped but also whenever the software receives an update. There are also information-gathering supply-chain attacks in which a cloud service provider reveals data.
…
The U.S. government needs to take supply-chain attacks much more seriously and refine government purchasing in ways that resist these attacks. Some attacks-such as bulk sabotage of consumer chips or devices-are probably unavoidable. But wide-ranging attacks like these can cause only limited amounts of damage, because, unless they are particularly subtle, they are more likely to be detected.
(Via Lawfare - Hard National Security Choices)
Why supply chain isn't a bigger discussion when discussing security boggles my mind. Every company and organization - and individual - is vulnerable.
Also on: