Spyware and Sanctions Create Emerging Supply Chain Risks

On the surface, the recent spyware campaign by the Vietnamese government against U.S. politicians may not seem relevant to supply chain risk. That would be a faulty assumption. More than 70 governments have deployed spyware over the last decade. While government officials and journalists are often the targets, the private sector is not immune. Businesses located in countries with governments deploying spyware and pursuing digital authoritarianism – widespread data and internet control – face a heightened risk of data exfiltration.

But spyware doesn’t just create cybersecurity risk; it also creates regulatory risk. Earlier this year, the Biden Administration introduced new restrictions on spyware companies due to the security risks they pose. Along with the UFLPA (Uyghur Forced Labor Prevention Act), these additions reflect a growing focus on human rights violators. These changes acknowledge “the increasingly key role that surveillance technology plays in enabling campaigns of repression and other human rights violations.”

In the new normal defined by geopolitical fault lines and a splintering of cyber norms, both the deployment and production of spyware should be a growing consideration for supplier due diligence and risk assessments.

The Proliferation of Spyware

Spyware is a form of malicious software installed on devices to collect information without the owner’s consent. Previously, governments had a near monopoly on these capabilities. However, thanks to the privatization of spyware, offensive cyber capabilities continue to proliferate among state and non-state actors. NSO Group, Cellebrite, and Candiru are just a few of the companies selling spyware. A recent Interos analysis assessed the number of spyware companies linked to national governments. The number reached into the double digits in some cases.

Global map showing how many spyware companies have been linked to a national government, by region. Hot spots include Mexico, Colombia, Morocco, Nigeria, Saudi Arabia, and Thailand.

These numbers only reflect open source disclosures of spyware. In reality, dozens of governments now possess some level of offensive cyber capability, the majority of which remains classified. China leverages spyware for widespread espionage campaigns, while reporting has linked numerous governments to Pegasus spyware. This year’s ODNI (Office of the Director of National Intelligence) Annual Threat Assessment notes “commercial spyware and surveillance technology, probably will continue to threaten U.S. interests.” ODNI estimates the commercial spyware industry to be worth $12 billion. Vietnam’s targeted deployment of spyware reflects this growing risk.

Spyware and Restrictions

The proliferation of commercial spyware and surveillance technologies is not only a security risk. It is also reshaping the regulatory environment. Section 889 of the 2019 NDAA was among the most expansive prohibitions against the use of surveillance technologies by federal agencies and their partners. Focused on Huawei, Dahua, ZTE, Hytera, and Hikvision, and their subsidiaries, Section 889 reflects the growing risks of surveillance technologies, both in terms of data exfiltration and in terms of regulatory exposure.

While Section 889 focuses on dual-use surveillance technologies, this year’s Executive Order explicitly addresses commercial spyware built for surveillance and data exfiltration. It has already resulted in several more companies being flagged as surveillance risks, including the addition of Intellexa and Cytrox to the Entity List. Initially, restrictions such as Section 889 largely focused on companies partnering with the United States government. However, following inclusion on the Entity List, this has been extended to a broader commercial restriction. This is not only a U.S. concern; the E.U. called for a ‘de facto’ moratorium on spyware in May, while Australia has similarly debated controls on commercial spyware.

Looking Ahead: The Splinternet & Supply Chain Risks

Just as globalization and supply chains continue to be upended along geopolitical fault lines, so too does the internet. Reflecting opposing norms toward digital government intervention and data privacy, today’s siloed and fractured “Splinternet” introduces new digital risks across a company’s supply chain. Digital authoritarianism, wherein governments seek digital sovereignty and control over the Internet and the data passing through it, is on the rise and is powering the proliferation of spyware. While democracies are not immune from the use of spyware for national security, authoritarians are much less constrained on their use of offensive cyber capabilities across a growing population of targets.

The ODNI Annual Threat Assessment summarizes the national and commercial risks posed by digital authoritarianism and offensive cyber capabilities. Revelations of Vietnam’s use of spyware are not surprising to those following the expansion of digital authoritarianism. Over the last few years, Vietnam has adopted increasingly stringent data restrictions, including mandating local data storage and government control over data. These laws have prompted comparisons to Chinese digital authoritarianism and the data trap that eliminates corporations’ control over their own data.

Vietnam is also a top contender for companies seeking to diversify supply chains away from China. While it may provide favorable labor and economic environments, Vietnam’s cyber risks are often overlooked. While governments are more frequently targeted than corporations by spyware, history has proven that it’s only a matter of time before businesses are equally under fire from adversaries with espionage or profit motivations.

Diversification with Cybersecurity and Regulatory Risk in Mind

As companies explore reshoring and supply chain diversification, the cybersecurity risk environment must be part of the calculation. A growing component of this analysis is the offensive deployment of spyware for data exfiltration. Similarly, surveillance technologies within a supply chain are also at heightened risk of regulatory fines and penalties. These heightened risks reflect ongoing geopolitical and technological transformations and introduce a range of opportunities and risks.

Those who prioritize and design operational resilience in sync with these transformations will gain a competitive advantage and be better prepared for the new normal compared to those who remain focused on the risks of yesteryear.

To learn more about how to identify and combat risks related to spyware in your supply chain, contact Interos. 

Navigating MOVEit: Six Lessons in Resilience for the Next Mass Supply Chain Attack  

The MOVEit data breach recently surged back into the headlines with IBM and the Colorado Department of Health Care Policy & Financing confirming cyber-attacks that exposed the private health care data of millions of customers. The ensuing supply chain attacks have caused chaos for a growing number of victims spanning banks, hotels, energy giants and others. It’s no coincidence the events also saw the filing of five separate class-action lawsuits against Progress Software, the publisher behind the MOVEit file transfer application.

The breach, and the widening scope of damage, highlights the hidden risks posed by digital concentration risk – defined as high levels of dependence on massive, globally interconnected systems. In highly concentrated systems, a single vulnerability has the capacity to affect millions of entities. Various reports show at least 620 businesses and more than 40 million individuals have been impacted – over one-third via third party connections.

The incident underscores the constant battle to protect data and highlights the urgent need for a proactive approach to supply chain cybersecurity.

A Closer Look at the Attacks

Originating at IBM, the MOVEit attacks have affected hundreds of organizations, including the BBC, British Airways, Johns Hopkins University, multiple U.S.-based financial services firms, and even U.S. government agencies.

The breaches were carried out by exploiting SQL injection vulnerabilities, enabling hackers to access the server database. The CL0P ransomware gang was credited with the attack and has gone on a ransomware spree, contacting dozens of companies and demanding payments to prevent stolen information from being published online.

Six Steps to Respond Proactively

Though the situation is still unfolding, six key lessons have already emerged:

  1. Collaborate with Cybersecurity Teams & Identify Affected Third Parties: Engage procurement and cybersecurity teams to collaborate on guidance and develop vendor communications to determine which vendors use MOVEit. Unlike calls or surveys, automated platforms can identify likely affected vendors immediately and across sub-tier/extended supplier networks. Contact these critical vendors immediately and agree on mitigation strategies. If the enterprise maintains legacy or manual systems, the only option may be issuing a manual questionnaire to vendors – which may take weeks to gather and analyze for vulnerability mitigation. If customer data has been exposed, take steps to notify those affected and review your vendor contracts for data breach notification requirements.
  2. Segment Critical Third Parties: Identify and group third parties and supply chain partners based on their criticality to continued operations – and their level of instability.
  3. Drill Deeper: Once critical third parties & supply chain partners have been identified, organizations need to drill deeper into risk sub-factors to understand their true vulnerability posture. When assessing vendors, it’s essential to consider everything from liquidity to cybersecurity breach history. Undertake exercises like threat modelling to further understand which vulnerabilities may pose the most risk to operations.
  4. Take Action: Develop an action plan to address findings. Long-term and short-term risks may require different remediation measures, such as focusing InfoSec teams on addressing specific CVEs.
  5. Perform Cybersecurity Due Diligence/Continuous Monitoring: In addition to immediate triage, it’s important to assess suppliers who furnish similar software to evaluate their cybersecurity practices as copy-cat attacks are a strong possibility. Again, automated risk assessment/monitoring applications will help here – provided they have insight across your supply chain.
  6. Stay Updated with Official Information: Monitor official information from Progress Software and other sources for updates.
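Steps 1 and 2 above describe mapping which suppliers, at any tier, depend on the affected product and ranking them by criticality. The following is an added example, not code from the original post or from Interos, that models that mapping over a constructed supplier graph; the graph, the criticality ratings and the list of vendors running the affected product are all constructed sample data.

```python
"""Added example: multi-tier supplier exposure mapping (constructed data).

Given a supplier dependency graph rooted at the enterprise, a list of vendors
known to run the affected file-transfer product, and a criticality rating per
vendor, find every exposed vendor at any tier, the dependency path to it, the
intermediaries that are indirectly exposed, and the order in which to contact them.
"""
from collections import deque

# Constructed supplier graph: each key depends on the vendors in its list.
# "enterprise" is the organization performing the assessment.
SUPPLIER_GRAPH = {
    "enterprise": ["payroll-co", "cloud-host", "parts-maker"],
    "payroll-co": ["file-transfer-svc", "print-bureau"],
    "cloud-host": ["dc-operator"],
    "parts-maker": ["logistics-inc", "raw-metals"],
    "logistics-inc": ["file-transfer-svc", "fleet-telematics"],
    "dc-operator": [],
    "print-bureau": [],
    "raw-metals": ["mine-op"],
    "mine-op": [],
    "file-transfer-svc": [],
    "fleet-telematics": [],
}

# Constructed criticality ratings (step 2: segment critical third parties).
CRITICALITY = {
    "payroll-co": "high", "cloud-host": "high", "dc-operator": "high",
    "file-transfer-svc": "high", "parts-maker": "medium", "logistics-inc": "medium",
    "print-bureau": "low", "fleet-telematics": "low", "raw-metals": "low", "mine-op": "low",
}
PRIORITY = {"high": 0, "medium": 1, "low": 2}

# Constructed list of vendors known (e.g. from disclosures) to run the affected product.
AFFECTED_PRODUCT_USERS = {"file-transfer-svc", "fleet-telematics"}


def find_exposed_vendors(graph, root, affected):
    """Breadth-first walk from `root`. Returns {vendor: (tier, path)} for every
    vendor in `affected` reachable at any depth; `tier` is the shortest
    dependency distance and `path` the supplier chain that reaches it."""
    exposed = {}
    seen = {root}
    queue = deque([(root, 0, [root])])
    while queue:
        node, tier, path = queue.popleft()
        for supplier in graph.get(node, []):
            if supplier in seen:
                continue  # BFS: first visit is already the shortest chain
            seen.add(supplier)
            chain = path + [supplier]
            if supplier in affected:
                exposed[supplier] = (tier + 1, chain)
            queue.append((supplier, tier + 1, chain))
    return exposed


def transitively_exposed(graph, affected):
    """Vendors that depend, directly or through sub-tiers, on an affected vendor.
    These are the 'likely affected' suppliers step 1 says to contact.
    Assumes an acyclic graph; the stack guard only prevents infinite recursion."""
    memo = {}

    def depends(node, stack):
        if node in memo:
            return memo[node]
        if node in stack:
            return False
        hit = any(s in affected or depends(s, stack | {node})
                  for s in graph.get(node, []))
        memo[node] = hit
        return hit

    return {n for n in graph if n not in affected and depends(n, frozenset())}


def contact_priority(exposed, criticality):
    """Order exposed vendors: highest criticality first, then nearest tier."""
    return sorted(exposed,
                  key=lambda v: (PRIORITY[criticality.get(v, "low")], exposed[v][0], v))


if __name__ == "__main__":
    hits = find_exposed_vendors(SUPPLIER_GRAPH, "enterprise", AFFECTED_PRODUCT_USERS)
    for vendor in contact_priority(hits, CRITICALITY):
        tier, chain = hits[vendor]
        print(f"{vendor}: tier {tier}, {CRITICALITY[vendor]} criticality, via {' -> '.join(chain)}")
    print("indirectly exposed:", sorted(transitively_exposed(SUPPLIER_GRAPH, AFFECTED_PRODUCT_USERS)))
```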

Emphasizing Resilience by Design™

In a world of escalating supply chain cyber-attacks, the MOVEit breaches have highlighted the dangers of digital concentration risk and the need for robust third-party risk management practices. This incident is only the latest to emphasize the importance of proactively and continuously assessing enterprise supply chain cybersecurity backed by a robust incident response plan.

More broadly, the attacks stress the need for organizations to take control of risk for competitive advantage by ensuring resilient design in supply chain cybersecurity strategies. Per Interos’ latest annual survey of procurement leaders, cyber-attacks were the second-greatest concern for supply chain leaders, after supply shortages – costing large companies $43M a year, on average. Additional survey risk insights can be downloaded here.

By embracing Resilience by Design™, organizations can overcome risks, simplify their business, and deliver results. It’s not about avoiding the inevitable but about planning for it and reducing the impact and the time and resources required to restore normal operational performance.

Cyber-attacks and ransomware are inevitable – every organization will be impacted by one at some point – but with continuous multi-tier monitoring, and comprehensive recovery planning, we can minimize the damage and maximize profitability.


More ‘Critical’ Firms Face Tougher Cyber Laws

By Geraint John

Companies in critical industries on both sides of the Atlantic face more stringent cybersecurity regulations as governments seek to boost national security and operational resilience.

New laws passed in the U.S. and Europe call for rapid reporting of significant cyber attacks and ransom payments, improved cyber risk management practices, a greater focus on supply chain partners such as IT and cloud services providers, and stronger collaboration between the public and private sectors.

Crucially, the legislation also extends the range of firms covered beyond those operating core infrastructure. That includes everything from water and transport to services such as banking, telecommunications, and healthcare, along with manufacturers of food, chemicals, pharmaceuticals, medical devices, and other “essential” products.

White House and SEC Work to Improve U.S. Critical Infrastructure Cybersecurity

In the U.S., the Biden Administration published its National Cybersecurity Strategy at the beginning of March. The first of its five pillars is titled “Defend Critical Infrastructure.” The strategy is aimed at both federal agencies and private-sector companies.

The strategy document argues that “the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes.”

As well as targeting critical infrastructure providers, it also pledges to “drive better cybersecurity practices in the cloud computing industry and for other essential third-party services” that these organizations depend on.

In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act, which requires companies to report certain types of cyber attacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and ransom payments within 24 hours.

CISA is currently working on implementing the reporting requirements, which must take effect by September 2025 at the latest.

Separately, the Securities and Exchange Commission (SEC) is expected to finalize its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules in April. These will require public companies to report “material” incidents within four business days. They must also provide updates on previous cyber attacks.

European Union Upgrades its Main Cybersecurity Directive

In Europe, the new Network and Information Security (NIS2) directive came into force on January 16th. It replaces the first-iteration NIS law, which has been operating since 2018. NIS2 is designed to strengthen security requirements, reporting obligations, and supply chain cybersecurity.

NIS2 also provides for stricter enforcement, with administrative fines of up to €10 million or 2% of global revenue for non-compliance.

Like the U.S. legislation, NIS2 expands its scope to a broader range of “critical sectors and services,” including information and communications technology (ICT) providers.

The new directive joins a raft of other new European Union laws, including the Digital Operational Resilience Act (DORA) for financial services and the Critical Entities Resilience (CER) Directive, which addresses physical security and terrorism, as well as cybersecurity.

E.U. member states have until October 17th, 2024 to transpose NIS2’s measures into national law.

A European Parliament briefing document on NIS2 argues that companies need to invest more in cybersecurity. It cites study data suggesting that E.U. organizations spend on average 41% less on cybersecurity than their U.S. counterparts.

Interos Analysis: Cyber Risk Status in Energy and Healthcare Firms

To assess the impact of this spending gap, and to identify where cybersecurity practices are most in need of improvement, Interos conducted an analysis of cyber risk scores for the top 10 U.S. and European (E.U. plus U.K.) electric utilities, energy, and healthcare (pharmaceutical manufacturing) companies using our newly enhanced cyber risk model.

This analysis found that:

  • Overall company cyber risk scores – calculated from 20 subfactors and 91 attributes at both a firm and country level – vary widely. They go from a low of 59/100 — in the case of a European oil company — to a high of 82/100 for a European renewable electricity generator. The median score of 66 equates to only a “medium” level of cybersecurity protection.
  • At the firm level, U.S. and European companies are on a par, with both having a median score of 62/100. U.S. electric utility and energy companies score four points higher on average than their European counterparts, while in healthcare (pharma) the reverse is true. Again, all scores indicate medium levels of risk, which suggests plenty of room for improvement in cybersecurity practices.
  • The weakest areas of firm-level cybersecurity are in software-as-a-service bill of materials (SaaSBOM) vulnerabilities (average score 35/100), advanced persistent threat (APT) group activities (43/100), and compliance with public cybersecurity standards and frameworks (47/100) – a key element in the new legislation. There is also a big variation of scores between companies in web application security, web encryption, network filtering, e-mail security, and software patching.
  • At the country level, European firms score two points higher on average than those in the U.S. (82/100 against 80/100, indicating low cyber risk). The U.S. is rated significantly higher for its digital infrastructure (92 vs 65), and somewhat higher for cyber governance, resilience, and international collaboration. European countries score 20 points better on average on the risk of data access and manipulation in their business environment and as a geographic target for cyber attacks.

Transparency and Collaboration Vital to Manage Critical Infrastructure Cybersecurity

Cyber risk scores for critical infrastructure firms and their key suppliers, together with the new American and European legislation, are set to bring a new level of openness to cybersecurity.

Last week, during a webinar hosted by Interos, data partners BitSight and Equifax welcomed this development.

Commenting on the new SEC rules, Derek Vadala, chief risk officer of BitSight and a former chief information security officer at Moody’s, said the rules would bring much-needed transparency and culture change to the industry.

While it will take time for companies to understand what the new rules require, those companies that are more open about how they manage cyber risks today – for example, by publishing annual reports – are in a better position than those that do the bare minimum, Vadala argued.

The credit reference agency Equifax is also following this approach. It has published a cyber strategy and roadmap report for the past three years. According to Zach Tisher, its vice president of security risk, strategy and communications, “Security should not be a trade secret.”

As well as more open disclosure, Tisher argued that:

  • Employers need to bake cybersecurity into employees’ compensation plans to incentivize and reward good behavior.
  • Training must move away from the one-hour annual compliance session and be tailored better to staff needs.
  • Point-in-time questionnaires sent to suppliers and third parties aren’t sufficient; instead, real-time monitoring of cybersecurity controls is necessary.
  • Better collaboration with partners and vendors is vital to manage growing supply chain threats and requirements.

Third-party risk management has been the biggest trend in cybersecurity during the past couple of years, Tisher noted. “Supply chain is a top threat vector and it’s increasing all the time.”

This means that companies need to focus their cyber risk management efforts as far upstream as their sixth parties (tier-4 suppliers), he added.

Modeling Supply Chain Cyber Risk in a Disrupted World

By Andrea Little Limbago

On March 2, the Biden Administration announced a new National Cybersecurity Strategy. The need for a strategic change should not come as a surprise — Interos’ 2022 Resilience survey of 1,500 procurement and cybersecurity leaders revealed supply chain disruptions from cyber incidents alone cost enterprises $37M annually. Estimates of the global annual cost of cybercrime exceed ten trillion dollars.

Interos is closely monitoring the rising costs of cyber disruption and the continuously changing state of play, among other factors. We’ve refined and updated our cyber risk factor, one of the six factors within the Interos i-Score™, in light of these and other trends shaping cybersecurity. The enhancements include a new cyber behavior model to detect potentially harmful cyber activity regardless of public disclosure, along with combining commercial cyber ratings, vulnerability information (CVEs), threat assessment (Mitre ATT&CK®), cyber events, regulatory compliance, and operating country regulations and risks into a single score.

You can read about those details in our press release. This blog will focus on those strategic factors driving these changes and the challenges in developing a solution that delivers cybersecurity insights to non-experts, all within the backdrop of the generational shift underway in the international system.

Trends Driving The Need for Change in Cyber Risk Modeling

To address the growth in scope and scale of cyberattacks (and their ripple effect across the supply chain) the Biden administration’s new National Cybersecurity Strategy is putting more responsibility on vendors and service providers. This is part of a larger trend prompting organizations to prioritize long-term collective investment in cyber resilience – and is reflective of Interos’ collective resilience approach to cyber.

Cyber leaders are also increasingly acknowledging the human element and assessing those risks through a socio-technical lens. This has led to both a focus on user interactions as well as the growth in new compliance frameworks and regulations. That’s why the enhanced Interos cyber risk factor accounts for compliance with CSF V1.1, NIST SP 800-53, PCI DSS V3.2.1, and other standards, as well as the global expansion of data privacy and cybersecurity regulations.

To that end, an organization’s geographic location plays a crucial role in both compliance and data risk levels. This variation stems from differing levels of data sovereignty which depend on the localized cyber and privacy environment. Risks surrounding the concentration of the physical infrastructure underpinning the internet also pose a significant challenge, as seen in the case of Russia’s cyberattack on ViaSat’s services in Ukraine or the disconnection of undersea cables which happened in Scotland and France.

The adoption of collective resilience (creating shared supply chain and operational strength) is accompanying our broader understanding of the range of cyber risks, which is why collaboration is prioritized in national and international cyber strategies. As Alejandro Mayorkas, the Secretary of Homeland Security, noted, “We have to drive the entire ecosystem to be more cyber vigilant.”

Developing Interos’ Enhanced Cyber Risk Model

Tackling Key Challenges in the Cybersecurity Landscape

Development of this new model addresses two core challenges:

  1. Aggregating Data into Intuitive Formats: The difficulty of integrating disparate data sets in a timely manner and presenting them in an intuitive, explorable format. We recognize that many cybersecurity tools are designed for information security professionals, making them inaccessible to others involved in risk management.
  2. Understanding Behavior: The importance of understanding both threat actors’ and defenders’ behaviors and integrating that knowledge to identify the most relevant risks.

Cyber has an interesting data problem in that there is a data deluge and a data desert at the same time – meaning there is so much data, but it’s not always the relevant data. The Interos model addresses the above challenges by focusing on integrating and presenting the range of these trends (over individual data points) to capture the core areas of vulnerabilities, threats, compliance, and adverse cyber events. Through this holistic approach we can provide a comprehensive view of cybersecurity risks across the entire supply chain ecosystem, from vendors and service providers to critical infrastructure and sensitive data.

We also utilized the extensive community work and expertise from federal organizations like NIST (CVE) and MITRE’s ATT&CK framework, while accounting for both opportunistic and targeted threats by identifying the industries and groups most susceptible to targeting and the vulnerabilities most likely to be exploited. Our approach also focused on quantifying data risks across locations by merging different data types to capture the diverse data sovereignty and global risk environments — a project we presented at the Black Hat cybersecurity conference a few years ago.

Implications and Value: Uncovering Hidden Cyber Risks and Enabling Proactive Measures

The implications of this new model are vast. It highlights areas of risk that often are not brought together, allowing users to take action to decrease cyber risk. This may include reaching out to critical suppliers that may be at risk and coordinating a plan to elevate their defensive posture, or identifying those key parts of their supply chain located in areas where the data may be more at risk due to an adverse regulatory environment.

The Interos model surfaces a range of cyber risks, while contextualizing those risks within a broader supply chain risk framework. For instance, users can identify who might be at high cyber risk as well as high financial risk, since these suppliers may not have the resources to grow their defensive posture or could be extremely vulnerable to insolvency if attacked given the cost of breaches.

Personal Observations: Expanding Access to Cyber Risk and Addressing Global Challenges

Two particular aspects of this project are especially important to me, in terms of their ability to address broader systemic challenges across the industry that have significant implications for the future:

  • Addressing the cyber industry’s gatekeeper problem, which restricts risk assessment access to those with information security technical expertise. Interos’ updated model marks a significant stride towards broadening access to cyber risk assessment outside of an enterprise’s Security Operations Center.
  • Further integrating supply chain risk and cyber risk, particularly in the context of a re-globalized world economy, technological bifurcation, and the geopolitical fracturing of the internet. This integration is essential for fostering cyber vigilance and tackling the challenges presented by emerging technologies and global competition.

A modernized approach to cyber risk will be an essential tool for organizations exploring how to adapt to a changing global order whose shifts are being felt across supply chains, geopolitics, and technology development. Interos’ enhanced model for evaluating cybersecurity risk across supply chains signifies a significant step towards that goal.

By expanding access to meaningful cybersecurity information, through a multi-factor, supply chain-wide approach, we can enable organizations to proactively manage and mitigate risks on a far greater scale than ever before, bringing non-cyber experts into the decision room, and fostering resilience and success in this ever-evolving global landscape.

Satellite Supply Chain Concentration Risk: Starlink and the U.S. Dominate the Market

By Geraint John

Satellites are becoming the new supply chain battleground in critical infrastructure as countries seek to bolster their military capabilities and national security against the threat of war.

However, this is not some James Bond-style plot in which rival powers vie for control of space-based nuclear weapons, as in the 1995 film GoldenEye, but something more prosaic: a quest for bomb-proof internet connectivity.

Ukraine’s success in stemming the Russian army’s advances across its territory has been credited, at least in part, to its access to Starlink, a constellation of more than 3,000 low-orbit satellites owned and operated by Elon Musk’s company, SpaceX.

Ukraine’s military relies on Starlink’s fast, reliable internet access to share battle plans, co-ordinate operations and target Russian positions.

In the words of a Ukrainian soldier quoted in a recent Economist article: “Starlink is our oxygen.” Without it, “our army would collapse into chaos”.

The Satellite Supply Chain: Low Orbit, High Potential

Other nations concerned about their vulnerability to attack, and about the security of the land- and seafloor-based fiber-optic cables that carry their internet traffic, are keeping close tabs on Ukraine’s experience.

Taiwan, which has seen tensions with China escalate during the past year, is reported to be seeking private investment to establish its own satellite communications network.

China itself has submitted plans for a 13,000-satellite constellation, Russia has designs on a 264-satellite network, while the European Union agreed late last year to begin developing its own low-orbit system.

Japan, South Korea and Australia are among other countries looking to operate similar constellations of their own in the future.

Unlike traditional geostationary Earth orbit (GEO) communication satellites, which fly more than 35,000km above the planet’s surface, low-Earth orbit (LEO) satellites operate much closer to home.

Starlink’s satellites orbit just 550km from Earth, which means they can receive and transmit data much faster, making high-bandwidth internet streaming and video services possible.

Other benefits include the fact that:

  • They communicate with users on the ground via portable and easily powered receiving equipment
  • Their (stronger) signals are harder to jam
  • Russian efforts to hack them have so far been ineffective
  • Because there are hundreds of satellites serving each location, physically taking the network down – through, say, a missile attack – would require enormous scale and vast expense.


America’s World Domination May Lead to Imbalanced Supply Chains

The United States dominates global satellite ownership, with 63% of the almost 5,500 commercial, military, civil and government satellites launched to date, according to data compiled by the Union of Concerned Scientists (UCS), a U.S.-based nonprofit organization.

Its dominance in LEO satellites – which comprise 86% of the total satellite population – is even more pronounced, thanks to Starlink.

The U.S. owns almost 50 times as many LEO communication satellites as Russia, and almost 90 times more than China, according to UCS.

Building on this data, Interos has created a satellite concentration and diversification metric. The metric demonstrates the resilience the U.S. has in this area, with extremely high satellite diversification, whereas Russia and China are both rated a high concentration risk.

This is good news for supply chains in the U.S., but those in less diversified areas may increasingly be more prone to internet disruptions or complete blackouts.

Taiwan has just one GEO communications satellite, through a joint venture with Singapore’s telecoms provider, while Ukraine doesn’t own any and relies on those of its allies.

Communications Satellites Owned by Selected Countries.

While Considering Future Satellite Trends, Beware Single Sources in Space

Aside from the potential for cyber interference in this newly critical and rapidly expanding infrastructure, from a supply chain perspective the main risk is arguably the extreme concentration of suppliers.

At present, Starlink is a de facto monopoly for customers outside of China and Russia, because of its dominance of launch capacity. Its Falcon 9 rockets took off more than 60 times last year and each is capable of carrying over 50 LEO satellites.

Rivals Blue Origin, owned by Jeff Bezos, the United Launch Alliance – a joint venture between Boeing and Lockheed Martin – and France’s Arianespace are all in the process of readying new rockets.

UK-based OneWeb – which partners with France’s Eutelsat and Airbus – is currently dependent on SpaceX after its access to Russian launch facilities was scuppered last year. And Virgin Orbit last month failed in its inaugural attempt to launch nine LEO satellites from British soil using a rocket mounted below a reconfigured 747.

Interos has implemented a new satellite concentration risk score, which evaluates the concentration of accessible communication satellites in a country. A country with more satellites or increased access receives a high score and has less risk of satellite disruptions. This score currently shows France as being very high risk – even higher than Russia and China – whereas the UK is medium risk. However, diversification should be an important objective for these and other countries over the next few years.

While industry analysts expect there to be four or five active competitors in this global market eventually, for now SpaceX can call the shots.

For example, although it abandoned a suggestion in October that it would start charging Ukraine for its services, it has restricted use of its network in Russian-occupied territory such as Crimea, according to The Economist.

Government, military and commercial procurement chiefs would therefore be wise not to put all of their bets in this new space race on Mr. Musk’s satellite network, which may well become the next frontier in supply chain concentration risk.