The recently exposed SolarWinds cybersecurity incident has highlighted something those of us in the information-security business have long worried about: that the supply chain is a black box most of us have very little visibility into. It is a vast and diverse aggregation of both physical and virtual components of almost impenetrable origin and complexity.
The opaque nature of this conglomeration of systems results in digital security vulnerabilities that very few organizations have even tried to fathom, yet unwittingly accept. That may be changing. Jennifer Bisceglie, CEO of the supply-chain resilience company Interos, spends a lot of time talking with government organizations about supply-chain issues. "Given the unprecedented wave of supply-chain shocks we witnessed in 2020 — the COVID-19 pandemic, the SolarWinds cyberattack and the impact of escalating trade wars with China — organizations are beginning to realize they need to devote more attention to supply-chain risk," she says.
Supply chains are the backbone of today's global economy, and any organization — public or private — that relies on one to accomplish its business goals is a player in supply-chain cybersecurity risk management. Cyber-enabled supply-chain attacks can now result in vastly disproportionate harm compared to the minimal resources required to execute an attack. The good news is that robust, ever-improving technology is available today to provide organizations with the tools to identify their extended supply chains and monitor their risk factors. But software is only one part of a strong risk-mitigation strategy.
People often think of the supply chain as the logistical framework for getting a physical product from point A to point B, including activities involved in the sourcing and conversion of products and the collaboration among suppliers, intermediaries and customers. But the exploding global digital transformation has altered supply-chain risks dramatically to include a mystifying accumulation of software code and application relationships that generate perplexing cybersecurity risk-management challenges.
Supply-chain cybersecurity is taking an increasingly prominent role in many organizations because divining the provenance of components and software, and the relationships between systems critical to government and business operations, is crucial to knowing how to protect those systems. "If an organization doesn't understand which third parties have access to its network and present the greatest risk to its data, its digital ecosystem becomes a ticking time bomb just waiting to be exploited," says Fred Kneip, CEO of the security software company CyberGRX. This is especially true for government organizations where citizen privacy is at risk and in those sectors of the economy — from energy to communications to water systems — that are designated as essential critical infrastructure.
Supply-chain cybersecurity risk management is focused on the threats to disrupt, degrade or destroy IT systems, software and network infrastructure. Cyber-related disruptions can impact all of the multi-tier organizational relationships in the supply chain. What happened to the Maersk shipping company is instructive. Maersk is responsible for 20 percent of the world's shipping capacity, and when it was infected with the NotPetya malware in 2017, its 800-ship fleet, which is supported by 80,000 employees in 574 offices across 130 countries, was — quite literally — dead in the water. That was bad news for Maersk of course, but even worse news for the millions of customers who depend on the company for fresh and frozen food products, raw materials for manufacturing and products destined for the retail market.
A 2017 Wired article highlighted several other examples of hackers exploiting the digital supply chain, including one case in which a fake version of an Apple developer tool popular with Chinese app-builders resulted in the (at the time) largest-ever outbreak of malware on Apple devices.
And in October 2018, Bloomberg Businessweek raised the specter of a long-feared hardware attack on the supply chain, reporting that spy chips that could be used to alter or steal data had been discovered on components supplied by a Chinese subcontractor to Supermicro, a major U.S. supplier of servers and motherboards.
While all of the companies involved disputed the Bloomberg report, the value of Supermicro's stock dropped by more than 40 percent. For the public sector, the risks are far greater, bringing the potential for disruptions to everything from public health and safety to essential infrastructure. So what can your government organization do to understand and mitigate supply-chain cybersecurity risks? Some essential steps:
• Map your supply chain and identify high-priority vendors most critical to your organization's ability to function.
• Identify sub-tier suppliers whose critical IT components or software are embedded in your systems.
• Create diversity in your supply chain so you don't have any single-point-of-failure vendors.
• Know, without a doubt, what information systems your vendors can access via your own networks.
• Establish baseline security controls to which you can hold all of your vendors accountable. To identify potential insider threats, make sure these security controls encompass their personnel employment practices.
• Ensure that your organization's security team is integrated into the procurement process, including vendor assessments and vendor management.
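The first four steps above can be worked through as a small dependency map. The following is an added example, not code from the column or from any vendor it names; the systems, vendors and access lists are constructed sample data, and the functions (`sub_tier_suppliers`, `single_points_of_failure`, `vendors_touching`, `excess_access`) are hypothetical names chosen here.

```python
"""Added example: a minimal supply-chain map that surfaces sub-tier suppliers,
single-point-of-failure vendors and vendor network access (constructed data)."""
from collections import defaultdict

# Constructed sample: which vendor supplies which component to which critical system.
SUPPLIES = [  # (system, component, vendor)
    ("payroll", "database", "DataCo"),
    ("payroll", "hosting", "CloudA"),
    ("payroll", "hosting", "CloudB"),      # second hosting source: no single point of failure
    ("scada", "firmware", "ChipMaker"),
    ("scada", "monitoring", "MonitorInc"),
]
# Constructed sample: each vendor's own suppliers (sub-tier), possibly several tiers deep.
SUB_TIER = {"DataCo": {"LibVendor"}, "MonitorInc": {"LibVendor", "CloudA"}, "CloudA": set()}
# Constructed sample: internal systems each vendor can reach over our network.
VENDOR_ACCESS = {"MonitorInc": {"scada", "payroll"}, "DataCo": {"payroll"}}


def sub_tier_suppliers(vendor):
    """Every supplier reachable from a vendor, however many tiers down (cycle-safe walk)."""
    seen, stack = set(), [vendor]
    while stack:
        for dep in SUB_TIER.get(stack.pop(), ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def single_points_of_failure():
    """(system, component, vendor) triples where one vendor is the only source."""
    sources = defaultdict(set)
    for system, component, vendor in SUPPLIES:
        sources[(system, component)].add(vendor)
    return {(s, c, next(iter(v))) for (s, c), v in sources.items() if len(v) == 1}


def vendors_touching(system):
    """Direct vendors of a system, the sub-tier suppliers embedded through them,
    and the vendors holding network access to it."""
    direct = {v for s, _, v in SUPPLIES if s == system}
    embedded = set().union(*(sub_tier_suppliers(v) for v in direct))
    with_access = {v for v, systems in VENDOR_ACCESS.items() if system in systems}
    return {"direct": direct, "sub_tier": embedded, "network_access": with_access}


def excess_access():
    """(vendor, system) pairs where a vendor can reach a system it does not supply."""
    supplied = defaultdict(set)
    for system, _, vendor in SUPPLIES:
        supplied[vendor].add(system)
    return {(v, s) for v, systems in VENDOR_ACCESS.items() for s in systems - supplied[v]}
```

`excess_access()` is the check behind "know, without a doubt, what information systems your vendors can access": on the sample data it flags MonitorInc's reach into payroll, a system it supplies nothing to.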
John McAfee, the founder of the security software company that bears his name, is known for making wild and outlandish statements. But he hit the nail on the head when he said that "any logical structure that humans can conceive will be susceptible to hacking, and the more complex the structure, the more certain that it can be hacked." Our global supply-chain infrastructure is perhaps one of the most complex digital organisms to ever evolve, and government organizations need to be proactively diligent in recognizing the cybersecurity risks it presents.
Governing's opinion columns reflect the views of their authors and not necessarily those of Governing's editors or management.