This is the second in a five-part series looking at global supply chain risk factors, COVID-19, and economic reopening.
There has been a steady increase in cyber attacks for decades, and a global pandemic seems only to amplify the risks and challenges posed by these disruptions that extend from the virtual into the physical world. In fact, the United Nations recently called for a “digital ceasefire” during the pandemic following a string of attacks on the World Health Organization, hospitals, and other critical infrastructure around the world. As cyber attacks continue unabated, almost half of information security professionals have been removed from security-related work and the quick shift to remote work has significantly broadened the attack surface of corporate networks.
Over the last few years governments have begun implementing a range of data protection and breach notification measures. This dynamic threat and regulatory environment will continue impacting businesses across the globe, with the potential for supply chain disruptions. And these digital disruptions come at a significant cost to the global economy, with an estimated impact of more than $6 trillion globally in 2021 due to cyber incidents. From forcing small business closures to data loss to intellectual property theft, cyber risks permeate throughout all tiers of a supply chain and impact supply chain resiliency and continuity.
Cyber Incidents in the Era of COVID-19
As the saying goes, there are two types of companies: those that have been compromised, and those that don’t know that they have. These digital intrusions are so universal that few companies are immune from some sort of cyber incident. However, not all incidents are the same. Insider threats remain one of the top modes of data theft and compromise, while different external attack vectors enable data exfiltration and destruction. Wiper malware, such as Shamoon, which has targeted the oil and gas industry, destroys data and renders workstations unusable. In contrast, distributed denial of service (DDoS) attacks force websites offline through an onslaught of traffic that they are unable to handle. These can be particularly disruptive for e-commerce and retail sites that rely on consistent website availability for their revenue streams.
As impactful as these attacks are, ransomware remains among the most disruptive and prolific attacks. Ransomware encrypts data, making it inaccessible unless a ransom (usually in Bitcoin) is paid to the attacker. Even then, there is no guarantee that the data will be returned intact. Ransomware attacks have increased almost 150% during the pandemic, and have overtaken credit card theft as the leading source of cybercrime.
For companies that have built seemingly impenetrable digital defenses, the biggest vulnerability may be partner organizations across their supply chain that lack the resources or capability for comparable digital security. These attacks, also referred to as “island hopping,” leave the financial, manufacturing, and retail industries most at risk of cyber compromise through supply chain exposure. They are so common that both the United States and the United Kingdom are among the many governments creating specific task forces and drafting multi-step recommendations for digital supply chain security.
While cyber attacks are a leading cause of digital disruption, internet access – or the lack thereof – increasingly disrupts e-commerce and cross-border trade. For instance, as COVID-19 spread, Vietnam significantly slowed down internet traffic for seven weeks by taking servers offline to stifle the spread of anti-government responses to the pandemic. Internet slowdowns are a tactic some governments use as a form of censorship, while complete internet blackouts are a favored approach for total information control. There were 213 documented incidents of internet shutdowns across at least 33 countries in 2019. Government-led internet blackouts increased 6,000% between 2011 and 2018, and cost the global economy $8 billion in 2019 alone. According to the Business Continuity Institute’s Supply Chain Resilience Report, these kinds of internet disruptions were the top-of-mind disruption concern for almost two-thirds of survey respondents.
The Digital Regulatory Landscape
As if internet disruptions and cyber attacks were not enough, businesses must increasingly navigate a patchwork of national cybersecurity and data protection regulations. Regulations such as the European Union’s General Data Protection Regulation (GDPR) and Brazil’s upcoming General Data Protection Law (LGPD) offer citizens data protection, and violators may be fined up to 4% of global turnover for non-compliance. In many cases, these data protection laws reinforce security standards that should be foundational to supply chain digital security. However, there is also a growing trend toward data localization laws that require data to be stored within the country’s own borders. These laws are less worrisome in countries with a strong rule of law that protects data, but become problematic in countries with government-mandated access to data. This is a core area where geographic risk and cyber risk overlap: where government regulations are focused on securing government access to data, they can pose intellectual property risks as well as expose personally identifiable information for use in espionage or to target insiders.
Businesses and governments aren’t the only ones preparing for economic reopening; cyber attackers will continue to exploit whatever new vulnerability comes next. They have adapted as remote workers, new gaps in firewalls, and lax security standards offered new opportunities, and they will adapt again as the economy reopens. Businesses would benefit from similarly adjusting and reviewing the cybersecurity postures across their supply chains. Assessments done prior to the pandemic are worth revisiting to re-evaluate the cyber risk across the supply chain.
Among the many provisions for supply chain assessments as part of the CARES Act, the Cybersecurity and Infrastructure Security Agency (CISA) will be conducting supply chain analysis. With this renewed focus on supply chains, businesses could look to existing frameworks for assessing cyber risk, such as the Cybersecurity Maturity Model Certification (CMMC), for integrating best practices and standard controls, and for assessing the degree to which partners are adhering to such standards.
The Interos platform monitors cyber risk to assess its impact on extended enterprise supply chains. We are committed to continuing to monitor COVID-19-driven upheaval and providing insight for businesses searching for the path to economic recovery and adapting to the “new normal.” The next piece in this series will focus on the financial disruptions to supply chains, and how COVID-19 is impacting these risks.
To learn more about how to deal with the fallout of the coronavirus and how to prepare for economic reopening, read our white paper “The Road to Reopening.”
Dr. Andrea Little Limbago is a computational social scientist specializing in the intersection of technology, national security, and society. As the Vice President of Research and Analysis at Interos, Andrea leads the company’s research and analytic work regarding global supply chain risk with a focus on governance, cyber, economic, and geopolitical factors. She also oversees community engagement and research partnerships with universities and think tanks and is a frequent contributor to program committees and mentorship and career coaching programs. She has presented extensively at a range of academic, government, and industry conferences such as RSA, SOCOM’s Global Synch, BSidesLV, SXSW, and Enigma. Her writing has been featured in numerous outlets, including Politico, the Hill, Business Insider, War on the Rocks, and Forbes. Andrea is also a Senior Fellow and Program Director for the Cyber and Emerging Technologies Law and Policy Program at the National Security Institute at George Mason and a Fellow at the Atlantic Council’s GeoTech Center. She is an industry advisory board member for the data science program at George Washington University, and is a board member for the Washington, DC chapter of Women in Security and Privacy (WISP). She previously was the Chief Social Scientist at Virtru and Endgame. Prior to that, Andrea taught in academia and was a technical lead at the Joint Warfare Analysis Center, where she earned the Command’s top award for technical excellence. Andrea earned a PhD in Political Science from the University of Colorado at Boulder and a BA from Bowdoin College.