Students of the Target credit card breach may remember that access to Target’s POS system started with a security breach at a small refrigeration contractor that was saving money on its antivirus software.
“Hackers Find a Way In,” Wall Street Journal, September 18, 2014, A3. Transportation companies working with the US military were breached at least 20 times last year, and the US military was advised of 2 of the breaches. The hackers were linked to the Chinese government.
Do your contracts with vendors require them to notify you if they are attacked or breached? The government now does. Wouldn’t that be a good control for you to have? Would you enforce it?
What about US attempts to spy on Chinese government activities? Is that different?