SolarWinds Attack Highlights Need for Supply Chain Paradigm Shift

By Dr. Andrea Little Limbago, Interos VP of Research & Analysis

Over the course of this year, we have highlighted the ongoing geopolitical “techtonic” shifts underway that are transforming globalization into competing technospheres of influence separated by authoritarian and democratic ideologies. Supply chains undergird these transformations, as democracies increasingly seek to create “trusted networks” of supply chains. While this is a welcome change, reducing untrusted networks and technologies provides only a partial solution. Even if fully-trustworthy networks were possible, there must be equal consideration given to cyber risk monitoring to prevent and respond to intrusions into those existing trusted networks. Unfortunately, as the SolarWinds compromise demonstrates, the rise of supply chain attacks into trusted software requires equal attention as private and public sector organizations rethink cyber security resilience in the post-COVID era.

Cyber Risk Monitoring In An Era of Competing Techno-spheres

COVID-19 has accelerated the global bifurcation into competing techno-spheres. Digital dictators pursue a playbook for data theft, manipulation, surveillance, and censorship. From Cambodia’s aspirations to build its own Great Firewall to internet shutdowns during elections and civil unrest to Russia’s troll farms to the growing cyber threat stemming from smaller powers and non-state actors, China’s digital authoritarian model is gaining traction.

At the same time, a democratic counterweight is finally emerging, albeit in a nascent form. Focused on data privacy, protection, and a free, open, and secure internet, democracies are beginning to create data policies and to reimagine export control regimes. An emerging theme of digital democracies centers on trusted networks. From the UK’s proposal for a 5G democratic pact to the growing chorus of democracies banning Huawei and other Chinese-based companies to the emergence of the “Quad” (i.e., Australia, Japan, India, and the U.S), these democracy-only efforts aim to deepen ties and security among like-minded partners.

Trusted supply chains are foundational to these democratic tech alliances. Given the rapid diffusion of digital authoritarianism, growing collaboration among democracies is long overdue, especially when it comes to technology standards, norms, and industrial policy. However, even with the future creation of trusted networks, supply chains will still require rigorous cyber risk monitoring. The SolarWinds breach reflects a much broader trend toward digital supply chain attacks (see Atlantic Council’s report), including how adversarial regimes leverage trusted software. SolarWinds is not the first, nor will it be the last, malicious backdoor installed via software updates of legitimate software. Just as democracies focus on building trusted networks, there must be equal attention to countering the full range of the digital authoritarian playbook, including legitimate software compromises across digital supply chains that demand cyber security resilience. China at night from above, showing the subject of much cyber risk monitoring.

Digital Supply Chain Security: It Takes a Network

COVID-19 brought to bear the fragility of global physical supply chains; the expansive impact of the SolarWinds compromise unfortunately drives home the challenges and risks associated with interdependencies across digital supply chains. And just as corporations and organizations have introduced plans to build greater physical supply chain resilience – such as reshoring or onshoring – a similar reimagination is required moving forward for digital supply chain resilience. In fact, the distinction between digital and physical supply chains not only isn’t helpful, but it limits creatively addressing operational resilience.

Supply chains are complex socio-technical networks, but unfortunately old paradigms focused largely on the enterprise continue to prevail. A recent Gartner report noted the ongoing commitment to dominant risk paradigms, concluding that “Traditional approaches fail because they can’t effectively deal with fast-moving and interconnected risks.”

With average global brands maintaining tens – if not hundreds – of thousands of corporate nodes in their supply chain network, and average enterprises relying on upwards of one hundred cloud-based applications, it is extremely difficult to maintain visibility across such a diverse and complex network. Nevertheless, cyber risk monitoring across your entire socio-technical supply chain network is foundational to managing risk and responding to disruptions – regardless of whether they stem from climate change, a global pandemic, political instability, or a massive digital supply chain breach.

Gaining this visibility will require a combination of socio-technical solutions and is essential for both assessing risk and responding to compromises. From policies focused on incentivizing information sharing to the pursuit of collaboration among digital democracies, governance and cooperation are foundational to security and democracy in the digital era. At the same time, technical solutions similarly are foundational. Facilitated human-computer interaction to better explore dependencies and concentration risks within your supply chain, for instance, can help surface underlying vulnerabilities across your supply chain. Borrowing from the widespread insights gained from social network analysis, these same models reframe risk beyond the enterprise level and help organizations gain visibility into the extended supply chain network.

Cyber Security Resilience: In It to Win It, Together

If there is any silver lining to the SolarWinds compromise, it is the growing community support and collaborative research efforts that have proven invaluable during the incident response. Importantly, this includes less victim-blaming and a greater understanding that in a complex, socio-technical supply chain, supply chains remain the soft underbelly vulnerable to exploitation from which no one is immune— and for which cyber risk monitoring is necessary.

As we close out a tumultuous and challenging year, 2020 seems destined to be grouped among the likes of 1945 and 1989 as an inflection point in the global order. Economic nationalism, a Balkanized internet, great power tensions, and minor power territorial conflicts all reflect a technologically and ideologically fractured world order. Despite these threats to globalization, global trade and interdependencies will continue, requiring imaginative and collaborative approaches to operational resilience across the entire supply chain network.

It likely will be quite some time before the full ramifications of the SolarWinds compromise are fully understood. But one thing is clear – these risks are shared and propagate across partner organizations and the entire socio-technical global supply chain. As digital authoritarianism continues to spread, no organization is an island. Defeating these threats requires a paradigm shift toward collective defenses and reimagining how digital democracies – including both the private and public sector – can together gain visibility and protect not only our most sensitive data and bottom lines, but our national and economic security as well.

To learn more about how you can better secure your supply chain, visit Interos.ai.

Insights From Cybersecurity Experts Series: Protecting Enterprise Operations

On this episode of What Lies Beneath, we’re featuring a conversation from Interos’ 2020 summit for the Financial Services Industry (FSI) featuring Meg Anderson from Principal Financial Group, Jim Routh from MassMutual, and Phil Venables from Goldman Sachs, in conversation with Kevin Mandia, CEO of FireEye. With decades of experience in digital risk, they provide lessons learned on how to integrate into C-suite and Board conversations and priorities to help improve enterprise resilience against epic business disruptions. 

As part of the summit, the panel discussed: 

  • The biggest supply chain risks facing companies as a result of the COVID pandemic
  • What we worry about in the supply chain, and how to address those supply chain risks
  • The new normal that we’re all facing as we navigate through a global pandemic
  • Some of the challenges facing those in the cybersecurity industry are facing at this point, and how they’re protecting enterprise operations in the midst of it all. 

All guests’ participation in our summit was purely as a public service and is in no way an endorsement of Interos. 

Supply Chain Attacks Reaffirm Need for Better Monitoring

By Jennifer Bisceglie, Founder & CEO, Interos

This past weekend, hackers reportedly breached the U.S. Treasury and Commerce departments, as well as several other U.S. agencies and numerous companies. The attack was perpetrated through the software supply chain, with hackers hijacking an update server belonging to SolarWinds. SolarWinds products are estimated to be used by some 300,000 organizations around the world, including all the branches of “the U.S. military, the Pentagon, State Department, Justice Department, NASA, the Executive Office of the President and the National Security Agency, the world’s top electronic spy agency” per the Washington Post.

This is the latest in a long succession of increasingly ambitious (and dangerous) supply chain-based cyberattacks. According to Symantec, supply chain attacks increased by over 78% in 2019, and that number is only expected to rise. This most-recent attack, though alarming, is certainly not unprecedented. In 2017, hackers executed a similar supply chain attack using CCleaner to breach an estimated 2.27 million enterprise users.  In the same year a group known as DragonFly was revealed to have gained access to some 20+ power and utility companies through a similar method.

This most recent attack is just another example in our hyperconnected world where the supply chain is being used as a point of attack. These attacks have made it clear that malicious actors intend to leverage that hyperconnectivity to its fullest potential by focusing their efforts on “gatekeepers,” the organizations that have been historically trusted to act as overseers of digital supply chain integrity for the millions of entities that make up the supply chain. By directly attacking these trusted authorities, hackers are able to quickly expand their control to thousands of the world’s largest, and most essential, companies and government organizations.

The supply chain is the soft underbelly of almost every organization on the planet and this evolving threat has crystallized the need for supply chain continuous monitoring. Organizations, now more than ever, need to know who they are connected to and how. When a breach of a trusted authority occurs, they need to be able to understand, in an instant, if they or any of their supply chain partners are exposed to the breached entities technology.

The first breach connected with this recent string of attacks is estimated to have occurred in March. With greater, continuous visibility of supply chain and stronger information sharing practices across industry, we will be in a much stronger position to cut the next attack off before it spreads. If we predominantly rely on legacy approaches (annual surveys that predominantly depend on self-attestation) our chances are much dimmer.

As we work to recover from this security setback, decision makers must look beyond their own organizational cybersecurity posture, to the extended supply chain networks that connect them with other businesses and adopt a forward-looking approach to supply chain resilience that protects and mitigates in advance of the next attack, and not simply in response to the last one.

The Interos platform ensures operational resilience by highlighting extended supply chain relationships with the involved vulnerabilities before they impact our customers and enable alternative sourcing, empowering customers to rapidly pivot to new, better-secured sources of supply in the event of a cyberattack.

Assessing Cyber Resilience in a Post-COVID World – Manuel Rios & Pete Kobs

On this episode of What Lies Beneath, we’re featuring a conversation from Interos’ 2020 summit for the Financial Services Industry (FSI) featuring Manuel Rios from Fidelity in conversation with EVP of Risk Recon, Pete Kobs. Cyber risk in digital supply chains is widely acknowledged as a major source of disruption to enterprise resilience yet much of it remains hidden deep in enterprise digital supply chains. Pete Kobs and Manny Rios discuss their experience working with assessment and operations managers in enterprises and their suppliers to mitigate those risks.

As part of the summit, Mr Kobs and Mr. Rios discussed: 

  • The number one requirement to having a robust readiness plan
  • The role of supply chain risk management moving forward, and and the best practices in that space
  • What challenges people across the cybersecurity industry are dealing with in the wake of the COVID crisis
  • How to work with a physical security vendor that you can’t physically interact with. 

Both guests’ participation in our summit was purely as a public service and is in no way an endorsement of Interos.