Indicators of Supply Chain Risk in the Era of Coronavirus: Cyber

This is the second in a five-part series looking at global supply chain risk factors, COVID-19, and economic reopening.

There has been a steady increase in cyber attacks for decades, and a global pandemic seems only to amplify the risks and challenges posed by these disruptions that extend from the virtual into the physical world. In fact, the United Nations recently called for a ‘digital ceasefire’ during the pandemic following a string of attacks on the World Health Organization, hospitals, and other critical infrastructure around the world. As cyber attacks continue unabated, almost half of information security professionals have been removed from security-related work and the quick shift to remote work has significantly broadened the attack surface of corporate networks.

Over the last few years governments have begun implementing a range of data protection and breach notification measures. This dynamic threat and regulatory environment will continue impacting businesses across the globe, with the potential for supply chain disruptions. And these digital disruptions come at a significant cost to the global economy, with an estimated impact of more than $6 trillion globally in 2021 due to cyber incidents. From forcing small business closures to data loss to intellectual property theft, cyber risks permeate throughout all tiers of a supply chain and impact supply chain resiliency and continuity.

Cyber Incidents

As the saying goes, there are two types of companies: those that have been compromised, and those that don’t know that they have. These digital intrusions are so universal that few companies are immune from some sort of cyber incident. However, not all incidents are the same. Insider threats remain one of the top modes of data theft and compromise, while different external attack vectors enable data exfiltration and destruction. Wiper malware, such as the Shamoon malware that has targeted the oil and gas industry, destroys data and workstations. In contrast, distributed denial of service (DDoS) attacks can force websites offline through an onslaught of traffic that they are unable to handle. These can be particularly disruptive for e-commerce and retail sites that rely on consistent website access for revenue streams.

As impactful as these attacks are, ransomware remains among the most disruptive and prolific attacks. Ransomware encrypts data, making it inaccessible unless a ransom (usually in Bitcoin) is paid to the attacker. Even then, there is no guarantee that the data will be returned intact. Ransomware attacks have increased almost 150% during the pandemic, and have overtaken credit card theft as the leading source of cybercrime.

For companies that have built seemingly impenetrable digital defenses, their biggest vulnerability may be through partner organizations across their supply chain who may not have the resources or capability for similar digital security. This route of compromise is also referred to as ‘island hopping’, and the financial, manufacturing, and retail industries are the most at risk of cyber compromises through supply chain exposure. These attacks are so common that both the United States and United Kingdom are among the many governments creating specific task forces and drafting multi-step recommendations for digital supply chain security.

Internet Connectivity

While cyber attacks are a leading cause of digital disruption, internet access – or the lack thereof – increasingly disrupts e-commerce and cross-border trade. For instance, as COVID-19 spread, Vietnam significantly slowed down internet traffic for seven weeks by taking servers offline to stifle the spread of anti-government responses to the pandemic. Internet slowdowns are a tactic of some governments as a form of censorship, while complete internet blackouts are a favorite approach for complete information control. There were 213 documented incidents of internet shutdowns across at least 33 countries in 2019. Government-led internet blackouts increased 6000% between 2011 and 2018, and cost the global economy $8 billion in 2019 alone. According to the Business Continuity Institute’s Supply Chain Resilience Report, these kinds of internet disruptions were the top-of-mind disruption concern for almost two-thirds of survey respondents.

The Digital Regulatory Landscape

As if internet disruptions and cyber attacks were not enough, businesses must increasingly navigate a patchwork of national cybersecurity and data protection regulations. Those such as the European Union’s General Data Protection Regulation (GDPR) and Brazil’s upcoming General Data Protection Law (LGPD) offer citizens data protection, while violators may be fined up to 4% of global turnover for non-compliance. In many cases, these data protection laws reinforce security standards that should be foundational to supply chain digital security. However, there is also a growing trend toward data localization laws that require data storage within their sovereign borders. These laws are less worrisome in countries with strong rule of law that protects data, but become problematic in those countries with government-mandated access to data. This is a core area where geographic risk and cyber risk overlap: across the globe government regulations focus on government access to data and can pose intellectual property risks, as well as compromises of personally identifiable information for espionage or to target insiders.

Outlook

Businesses and governments aren’t the only ones preparing for economic reopening; cyber attackers will continue to exploit whatever new vulnerability comes next. They have adapted as remote workers, new gaps in firewalls, and lax security standards offer new opportunities, and they will adapt again as the economy reopens. Businesses would benefit from similarly adjusting and reviewing the cyber security postures across their supply chains. Assessments done prior to the pandemic would be worth reviewing to evaluate the cyber risk across their supply chain.

Among the many provisions for supply chain assessments as part of the CARES Act, the Cybersecurity and Infrastructure Security Agency (CISA) will be conducting supply chain analysis. With this renewed focus on supply chains, businesses could look to existing frameworks for assessing cyber risk, such as the Cybersecurity Maturity Model Certification (CMMC), for integrating best practices and standard controls, and for assessing the degree to which partners are adhering to such standards.

The Interos platform monitors cyber risk to assess its impact on extended enterprise supply chains. We are committed to continuing to monitor COVID-19-driven upheaval and providing insight for businesses searching for the path to economic recovery and adapting to the “new normal.” The next piece in this series will focus on the financial disruptions to supply chains, and how COVID-19 is impacting these risks.

To learn more about how to deal with the fallout of the coronavirus and how to prepare for economic reopening, read our whitepaper “The Road to Reopening”.

Dr. Andrea Little Limbago is a computational social scientist specializing in the intersection of technology, national security, and society. As the Vice President of Research and Analysis at Interos, Andrea leads the company’s research and analytic work regarding global supply chain risk with a focus on governance, cyber, economic, and geopolitical factors. She also oversees community engagement and research partnerships with universities and think tanks and is a frequent contributor to program committees and mentorship and career coaching programs. She has presented extensively at a range of academic, government, and industry conferences such as RSA, SOCOM’s Global Synch, BSidesLV, SXSW, and Enigma. Her writing has been featured in numerous outlets, including Politico, the Hill, Business Insider, War on the Rocks, and Forbes. Andrea is also a Senior Fellow and Program Director for the Cyber and Emerging Technologies Law and Policy Program at the National Security Institute at George Mason and a Fellow at the Atlantic Council’s GeoTech Center. She is an industry advisory board member for the data science program at George Washington University, and is a board member for the Washington, DC chapter of Women in Security and Privacy (WISP). She previously was the Chief Social Scientist at Virtru and Endgame. Prior to that, Andrea taught in academia and was a technical lead at the Joint Warfare Analysis Center, where she earned the Command’s top award for technical excellence. Andrea earned a PhD in Political Science from the University of Colorado at Boulder and a BA from Bowdoin College.

The Role of Ethics Compliance in a Post-Crisis Landscape with Grace Michallet

 

Episode 4: Ethics and Compliance

“Big Data is thrown around so much with little appreciation of what it actually means.”

For compliance specialists who care about the quality of due diligence, clean data is a huge concern.

But do all companies take it as seriously as they should?

In this episode, Grace Michallet, a director of Corporate Ethics and Compliance for AECOM, explains the expanding role of ethics and compliance, highlighting the increased need for scrutiny in a time of global crisis, when the risk of corner-cutting is high.

Grace also spoke with us about critical compliance considerations like:

  • Bribery and corruption
  • Third party risk
  • Due diligence
  • Clean data
  • The need for stronger regulations

 

 

Listen & Subscribe!

To learn more, check out the podcast on Stitcher, Apple Podcasts, Google Play, Spotify, or wherever you listen to podcasts. If you like what you hear, please rate and review the show, or share it with a friend! New episodes air every other Tuesday.

To learn more about Interos, visit Interos.ai.

Indicators of Supply Chain Risk in the Era of Coronavirus: Geography

COVID-19 is a watershed global health crisis that has sparked unprecedented international change. The global economy has effectively shut down to contain the spread of the virus. Governments continue adapting policies and are taking distinct approaches as the pandemic evolves, while forward-leaning businesses are preparing for an economic reopening in a time of significant uncertainty and change.

It is unknown what the world order will look like, but it will introduce new challenges as organizations adjust to the ‘new normal.’ Borders have closed and there have been significant disruptions to labor, trade, and public health, not to mention profound supply chain interruptions. Despite new questions about the future of globalization, the world will remain interconnected, but the structure and flow of the connections are likely to change. Simply turning on the economy will not return it to the same pre-COVID world.

To better understand and prepare for the imminent global changes, for the next five weeks we will explore the core “risk factors” that are integral to third-party supply chain risk management (TPRM): finance, operations, governance, geography, and cyber. We will examine each risk factor, focusing on disruption wrought by COVID-19, and highlight some upcoming trends that will influence each factor. Together, these pieces will detail how those core factors will shape ‘business as usual’ as the global economy reopens. The more organizations can prepare for the ‘new normal’ across their global supply chain, the more resilient they will be as the brave new world unfolds.

This Week’s Risk Factor: Geography

COVID-19 has reinforced just how impactful sovereign borders remain. From hospitals per capita to political violence to government debt, a range of factors shaped by sovereign borders define not only the government’s capacity to respond to COVID-19, but also the timeline and shape of economic reopening within those borders. Political, socio-economic, and infrastructure factors together shape a country’s capacity to contain COVID-19, with significant impact on multi-national businesses with supply chain dependencies within those borders. These indicators should be integrated into any operational and logistical reassessments to succeed in a post-COVID world.

Political Risks

In last week’s press conference, Joint Chiefs of Staff General Mark Milley noted, “There is stress as a result of this COVID-19 virus on the politics, the internal politics around the countries. There is an increased probability or risk of instability, significant instability in some countries.” Even prior to the pandemic, monumental political shifts were already underway, sparking new instability and exacerbating conditions in already vulnerable countries.

Democracy has been in decline for a decade, and a resurgence of authoritarian leadership has left many wondering whether democracy itself is dying. What does this have to do with supply chain risk? Strong democratic institutions tend to impact the business risk environment through greater transparency and formalized regulations. In contrast, high levels of corruption and the absence of the rule of law – often found in authoritarian regimes – can be destabilizing for organizations as graft, side-payments, and nebulous and personalized regulations significantly add to the cost of doing business. Each of these can destabilize organizations based there, which become susceptible to the whims of governments that may renege on promises or undermine foreign companies in favor of domestic champions.

Political violence and instability are also more likely in hybrid and authoritarian governments, often as a response to the corruption, lack of rule of law, and the inequalities they create. The growing risk, or presence, of violence clearly alters government decision making, while increasing the risk of supply chain disruptions, mismanagement, quality issues, and even shifting relationships and alliances as instability increases. The rise of authoritarian nationalism will likely continue to disrupt global trade as protectionism continues to rise and as this approach is adopted by some democracies as well. There are concerns that COVID-19 may bring a reversal of globalization as a means for governments to attain autarkic political, social, and economic control.

Socio-economic

There are numerous socio-economic factors that provide further insight into risk within a country’s borders. For example, the observance of property rights depends on adherence to the rule of law, and bribery is tightly connected to corruption, both of which significantly impact the economic well-being of a country. Conversely, the absence of property rights and high levels of bribery undermine a multi-national organization’s ability to conduct business, as new overhead, corrupt processes, and limited transparency muddy the business environment.

There are additional socio-economic considerations that impact supply chain risk, such as the ease of doing business, inflation rates, and government debt. These kinds of economic factors provide insight into regulatory efficiency and market resilience and are extremely important in assessing a country’s market risk to major shocks. Emerging markets, for instance, are likely to face increasing strain due to COVID-19, which has already hammered their currency markets.

Social factors such as net migration and other demographic features similarly inform geographic risk to supply chain disruption. COVID-19 is accentuating these societal disparities, as it increasingly appears to disproportionately affect certain demographic groups and labor markets. Public health conditions are also increasingly relevant to assessing supply chain risk and can significantly impact current and future labor disruptions and overall societal resiliency to the pandemic.

Infrastructure

Finally, a country’s infrastructure is essential to the supply chain, as power outages, internet penetration, port infrastructure, and other trade and transport-related infrastructure are vital for uninterrupted international trade. Inadequate infrastructure has a large economic impact on supply chain integration. While many of these factors do not change significantly over time, events that instigate societal shocks can quickly debilitate a weak infrastructure and stress even the strongest infrastructures. Some areas of infrastructure, however, fluctuate more than others. The quality of internet connections, for instance, is being stressed due to COVID-19 and may increasingly cause disruptions. Servers and computers have also been shut down in areas with COVID-19 outbreaks. In a digitized economy, any significant degradation of internet quality can disrupt any aspect of business reliant on an internet connection – from delivery to production to communication.

Outlook

Geographically contained factors remain critical determinants of capacity and supply chain resilience as the world grapples with the public health repercussions of COVID-19, and the various second and third-order effects stemming from the pandemic. The political, socio-economic, and infrastructure conditions in a specific country will be stressed under the weight of managing the public health crises as well as the economic fallout of a closed off global economy. As the economy slowly begins to reopen, the reopening will not be uniform globally, but will significantly depend on the political, socio-economic, and infrastructure institutions in place within each country.

The Interos platform monitors these elements and others to assess geographic risk and its impact on extended enterprise supply chains. We are committed to continuing to monitor COVID-19-driven upheaval and providing insight for businesses searching for the path to economic recovery and adapting to the “new normal.” The next piece in this series will focus on the cyber disruptions to supply chains, and how COVID-19 is impacting these risks.

 

To learn more about how we capture geographic risks to your supply chain, visit interosai.kinsta.cloud.


COVID-19 Destabilizes Oil Markets, Sows Geopolitical Instability and Slows Economic Recovery

The COVID-19 pandemic continues to exact an enormous cost to human life, with lasting effects extending across our economic, political, and social systems. These effects extend into global supply chains, manifesting as both ongoing interruptions and a growing risk of future disruption. Few industries have felt this volatility more keenly than the global oil market. Recent weeks have seen a historic collapse in oil prices, with producers racing to cut a deal this week to slash production to bolster prices. This dramatic fluctuation not only impacts U.S. shale oil producers and their stakeholders, but is already forcing petro-states to cut government spending just as the pandemic spreads to those regions. If history is any example, these government cuts have the potential to spark social and political unrest that further risks interrupting businesses and supply chains.

Petro-States and Government Cuts

Crude oil and refined petroleum remain the global economy’s most-traded commodity. International responses to contain COVID-19 have significantly reduced economic activity and collapsed global demand for crude oil and petroleum by as much as 30%, dealing a significant blow to petro-states as they attempt to contain the virus. In March, Saudi Arabia initiated an oil price war attempting to offset the slumping prices. This instead caused them to crater to under $20 per barrel from $61 per barrel at the beginning of 2020. This week’s agreement to reduce production may offer some reprieve, but cannot offset the combination of a slumping oil market amid a pandemic for petro-states.

For these states, falling oil prices present an immediate fiscal crunch that may exacerbate the economic pain already triggered by the pandemic. For instance, the Middle East’s largest economy, Saudi Arabia, has already ordered substantial cuts in government spending to offset the growing budget deficit. As context, for the Saudi Arabian Ministry of Finance’s initial 2020 budget to be balanced, oil prices would need to surge to around $84 per barrel. As oil-producing countries face dwindling revenues, the new COVID-19-induced fiscal reality will compel governments to shore up public finances. These spending cuts call into question the feasibility of the Saudi national economic transformation plan, Vision 2030, which the government developed to stave off declining household income, employment rates, and public-sector finances.

Saudi Arabia is not the only oil-rich country jolted by both COVID-19 and the subsequent drop in oil. Nigeria, the largest economy in Africa and the continent’s largest oil producer, is preparing to revise its near-term budgets downward and reduce spending as oil falls far below the government’s prior budget assumptions of $57 per barrel. The financial risk extends beyond major oil producers as smaller exporters such as Ecuador witness surging bond yields as public-sector finances buckle under low oil prices. As oil-producing countries adjust to the new fiscal reality prompted by the pandemic, decreasing government spending on infrastructure and public services may drastically undermine political, social, and supply chain stability.

Government Cuts and Instability

Whether petro-states respond to fiscal crisis with austerity or rising debt levels, a wave of mass protests that emerged in 2019 may foreshadow another lasting impact of COVID-19. As governments face financial constraints and pressure to raise taxes and curtail spending, the probability of financial risk morphing into near-term political risk rises. In 2019, waves of intense and violent protests spread across both durable and politically unstable countries alike. In Chile, efforts to raise transit fares incited protests that drew millions of aggrieved citizens and resulted in an economic downgrade. In France, the so-called Yellow Vests brought much of the world’s seventh-largest economy to a halt due to a proposed fuel tax hike. In Ecuador, mass protestors nearly caused the collapse of the ruling government in response to an austerity program. Further mass movements emerged at least in part as a result of economic issues and tax hikes in Lebanon, Iraq, and Iran.

These protests caused significant disruption for businesses and organizations. With many of the protests based on anti-globalization and anti-corruption complaints, investors and financial markets began paying attention to the broader ramifications. Similarly, businesses today must consider the broader risk factors that may emerge as COVID-19 continues to wreak havoc across the globe. Whether in the form of strained public health systems, oil market volatility, protests, or even cyberattacks, there is likely to continue to be significant supply chain disruption and greater risk exposure across a multitude of risk factors. The supply chain disruption already well underway is likely to extend to other regions as the second and third-order effects of the pandemic become more apparent.

A Comprehensive View toward Supply Chain Risk

The breadth of COVID-19’s impact will extend far beyond the ongoing financial and public health crisis. The ongoing impact of the pandemic will continue to diffuse across economic, political, and social spheres. Some of these consequences, particularly those that pertain directly to public health, are already apparent. However, businesses also need to consider and account for other complex knock-on effects to maintain continuity and stability.

Too often risk is viewed solely through a single lens. The pandemic continues to highlight the far-reaching connectivity of our economic and political systems, as well as the supply chains that run through them. The businesses that heed these lessons and develop a holistic, multi-factor awareness of global supply chain risk will emerge from this crisis the strongest, and be better prepared for future global crises and disruptions.

What Lies Beneath – Episode 3: Agile or Fragile with JC Dodson

 

Episode 3: Agile or Fragile – Building Resilience in a Post-Virus World

As the coronavirus continues to threaten lives and livelihoods, large organizations are still searching for ways to maintain continuity and support the economy. This week Jennifer sits down with BAE’s Global Chief Information Security Officer, JC Dodson, to talk about how to build resiliency and handle the unexpected ripple effects of COVID-19. Together they tackle difficult questions including:

How has coronavirus changed executive visibility into risk and supply chain management?

Jennifer and JC give an overview of executive involvement and interest in supply chain risk pre- and post-COVID-19. Risk managers may never have a stronger case for beefing up their programs and increasing board engagement. Learn how to leverage that increased engagement into actionable steps that drive resilience and shepherd your organization through this unprecedented crisis.

When is globalization not a benefit?

It’s difficult to argue that globalization hasn’t benefited large enterprises, but COVID-19 has drawn its potential negative consequences into sharp relief. Jennifer and JC review the potential pitfalls of globalization and discuss how businesses can start realigning their supply chains to mitigate the possible damage.

How many tiers of our supply chain do you need to understand?

As businesses continue to reel from the aftershocks of sub-tier supplier disruption, many organizations are reexamining their visibility into their sub-tier suppliers, the entities beyond the third party. Jennifer and JC discuss how far down you need to go to truly understand your risk exposure.
