By Dr. Andrea Little Limbago, Interos VP of Research & Analysis
Over the course of this year, we have highlighted the ongoing geopolitical ‘techtonic’ shifts underway that are transforming globalization into competing technospheres of influence separated by authoritarian and democratic ideologies. Supply chains undergird these transformations, as democracies increasingly seek to create ‘trusted networks’ of supply chains. While this is a welcome change, reducing untrusted networks and technologies provides only a partial solution. Even if fully-trustworthy networks were possible, there must be equal consideration given to cyber risk monitoring to prevent and respond to intrusions into those existing trusted networks. Unfortunately, as the SolarWinds compromise demonstrates, the rise of supply chains attacks into trusted software requires equal attention as private and public sector organizations rethink cyber security resilience in the post-COVID era.
Cyber Risk Monitoring In An Era of Competing Techno-spheres
COVID-19 has accelerated the global bifurcation into competing techno-spheres. Digital dictators pursue a playbook for data theft, manipulation, surveillance, and censorship. From Cambodia’s aspirations to build its own Great Firewall to internet shutdowns during elections and civil unrest to Russia’s troll farms to the growing cyber threat stemming from smaller powers and non-state actors, China’s digital authoritarian model is gaining traction.
At the same time, a democratic counterweight is finally emerging, albeit in a nascent form. Focused on data privacy, protection, and a free, open, and secure internet, democracies are beginning to create data policies and to reimagine export control regimes. An emerging theme of digital democracies centers on trusted networks. From the UK’s proposal for a 5G democratic pact to the growing chorus of democracies banning Huawei and other Chinese-based companies to the emergence of the ‘Quad’ (i.e., Australia, Japan, India, and the U.S), these democracy-only efforts aim to deepen ties and security among like-minded partners.
Trusted supply chains are foundational to these democratic tech alliances. Given the rapid diffusion of digital authoritarianism, growing collaboration among democracies is long overdue, especially when it comes to technology standards, norms, and industrial policy. However, even with the future creation of trusted networks, supply chains will still require rigorous cyber risk monitoring. The SolarWinds breach reflects a much broader trend toward digital supply chain attacks (see Atlantic Council’s report), including how adversarial regimes leverage trusted software. SolarWinds is not the first, nor will it be the last, malicious backdoor installed via software updates of legitimate software. Just as democracies focus on building trusted networks, there must be equal attention to countering the full range of the digital authoritarian playbook, including legitimate software compromises across digital supply chains that demand cyber security resilience.
It Takes a Network
COVID-19 brought to bear the fragility of global physical supply chains; the expansive impact of the SolarWinds compromise unfortunately drives home the challenges and risks associated with interdependencies across digital supply chains. And just as corporations and organizations have introduced plans to build greater physical supply chain resilience – such as reshoring or onshoring – a similar reimagination is required moving forward for digital supply chain resilience. In fact, the distinction between digital and physical supply chains not only isn’t helpful, but it limits creatively addressing operational resilience.
Supply chains are complex socio-technical networks, but unfortunately old paradigms focused largely on the enterprise continue to prevail. A recent Gartner report noted the ongoing commitment to dominant risk paradigms, concluding that “Traditional approaches fail because they can’t effectively deal with fast-moving and interconnected risks.”
With average global brands maintaining tens – if not hundreds – of thousands of corporate nodes in their supply chain network, and average enterprises relying upwards of one hundred cloud-based applications, it is extremely difficult to maintain visibility across such a diverse and complex network. Nevertheless, cyber risk monitoring across your entire socio-technical supply chain network is foundational to managing risk and responding to disruptions – regardless of whether they stem from climate change, a global pandemic, political instability, or a massive digital supply chain breach.
Gaining this visibility will require a combination of socio-technical solutions and is essential for both assessing risk as well as responding to compromises. From policies focused on incentivizing information sharing to the pursuit of collaboration among digital democracies, governance and cooperation are foundational to security and democracy in the digital era. At the same time, technical solutions similarly are foundational. Facilitated human-computer interaction to better explore dependencies and concentration risks within your supply chain, for instance, can help surface underlying vulnerabilities across your supply chain. Borrowing from the widespread insights gained from social network analysis, these same models reframe risk beyond the enterprise level and help organizations gain visibility of the extended supply chain network.
Cyber Security Resilience: In It to Win It, Together
If there is any silver lining to the SolarWinds compromise, it is the growing community support and collaborative research efforts that have proven invaluable during the incident response. Importantly, this includes less victim-blaming and a greater understanding that in a complex, socio-technical supply chain, supply chains remain the soft underbelly vulnerable to exploitation from which no one is immune— and for which cyber risk monitoring is necessary.
As we close out a tumultuous and challenging year, 2020 seems destined to be grouped among the likes of 1945 and 1989 as an inflection point in the global order. Economic nationalism, a Balkanized internet, great power tensions, and minor power territorial conflicts all reflect a technology and ideologically fractured world order. Despite these threats to globalization, global trade and interdependencies will continue, requiring imaginative and collaborative approaches to cyber securityoperational resilience across the entire supply chain network.
It likely will be quite some time before the full ramifications of the SolarWinds compromise are fully understood. But one thing is clear – these risks are shared and propagate across partner organizations and the entire socio-technical global supply chain. As digital authoritarianism continues to spread, no organization is an island. Defeating these threats requires a paradigm shift toward collective defenses and reimagining how digital democracies – including both the private and public sector – can together gain visibility and protect not only our most sensitive data and bottom lines, but our national and economic security as well.