Hezbollah Device Explosions: A Stuxnet Moment for Supply Chain

Author: Dr. Andrea Little Limbago 

An Inflection Point

Almost six years ago, Bloomberg published a report alleging that the Chinese government had infiltrated some 30 US companies through the technology supply chain. The report was highly controversial within the cybersecurity community, and the existence of the inserted ‘spy chips’ it described remains openly disputed. Since then, there has been less focus on infiltrated technology supply chains, as the pandemic and trade wars shifted attention away from espionage and toward more traditional industrial policy and risky businesses within the supply chain ecosystem. 

On September 17 and 18, 2024, compromised pagers and walkie-talkies exploded across Lebanon, escalating the decades-long conflict between Israel and Hezbollah. While investigations remain ongoing, reports point to Israel infiltrating a complex supply chain: the pagers were sold by a company based in Hungary that was authorized to sell devices under the brand of a Taiwanese company, Gold Apollo. While devices were sold to the broader market, those sold to Hezbollah contained the explosive PETN. As more information becomes available, a picture will likely emerge of a complex and extremely targeted backdoor infiltration of a technology supply chain.  

This past week’s attacks in Lebanon are an inflection point, expanding technology supply chain risk to include supply chain sabotage and shifting the rules of engagement in supply chain security and modern warfare. Whether or not the ‘spy chips’ of the past were real, the norms have shifted and a line has been crossed, making technology supply chain infiltration a growing supply chain security risk in a tenuous geopolitical environment. 

New Rules of Engagement in Modern Warfare 

The supply chain infiltration behind the attacks is of such a distinct scale and scope that it is reminiscent of the turning point marked by Stuxnet, described as the world’s first digital weapon. In 2010, reports surfaced that malware exploiting several zero-day vulnerabilities had sabotaged Iranian nuclear enrichment facilities. Most research attributes the exploits to U.S. and Israeli intelligence; they weren’t widely noticed until the malware spread beyond the Natanz facility.  

Viewed as the first digital weapon to cause physical damage, Stuxnet shifted cyber norms and rules of engagement and opened Pandora’s box to the modern cyber threat landscape. From the 2012 Saudi Aramco attack, where wiper malware destroyed over 35,000 computers, to Russia’s attacks on the Ukrainian energy grid in 2015 (BlackEnergy) and 2016, to Iran’s failed penetration of a small dam’s control system in Rye Brook, New York, physical damage to infrastructure via cyber attack is no longer unexpected or unprecedented. In fact, earlier this year FBI Director Christopher Wray detailed how China has burrowed deeply into US critical infrastructure.  

The Tipping Point for Security Risk 

In a similar manner, just as Stuxnet upended the norms of cyber behavior and physical destruction, the explosive devices used against Hezbollah will upend all norms behind supply chain infiltration and destructive effects. There already has been a growing national and economic security concern over risky businesses within the supply chain ecosystem. Since 2016, the US has added thousands of companies to a range of sanctions lists, many of which are deemed national security risks.  

Five years ago, the Pentagon halted sales of Huawei and ZTE phones on military bases due to national security risks. This has been a growing trend across the globe: India blocked Chinese apps, China blocked Kaspersky and Symantec, Australia removed Chinese security cameras, and so on. These have often been termed backdoor risks, since the companies enter a supply chain ecosystem legally, with no need for obfuscation. 

These measures have generally targeted software, not hardware, backdoors into systems. Last week, we may have witnessed the tipping point for hardware backdoor supply chain risk: the insertion of illicit or unknown physical components. While distinct in its execution, the attack lands amid growing concern over the security of the hardware supply chain. 

The US CHIPS and Science Act, in part, targets this risk by incentivizing domestic semiconductor manufacturing. Nevertheless, the exploding devices show the real-world impact when foundational technologies are used as Trojan horses to carry out military objectives. As Stuxnet showed, once that Pandora’s box is opened, the risk landscape and global norms change for good. 

How Can Companies Protect Themselves in this New Norm? 

To prepare for yet another significant disruption shaping the new normal, there are several steps organizations can take.  

First, foundational risk approaches still hold true but require even greater diligence. Perfunctory risk processes are inadequate for this landscape. Know your supplier (KYS) takes on even greater importance, not just for direct suppliers but across the entire supply chain ecosystem. This, in turn, requires greater visibility across your supply chain, a difficult feat given the hyperspecialized and complex supply chains built over the last few decades, when geopolitics was not taken into account. 

Gaining that visibility is just the start; additional context is required. For instance, are any of the thousands of restricted companies present several tiers deep in your supply chain? Many of these companies have already been linked to data exfiltration, and it is not a great leap to consider hardware infiltration from the same technology companies. According to Interos data, 148 S&P 500 companies (roughly 30%) have a direct supplier relationship with a banned company, risking severe civil and criminal penalties; 19% of those are in the Computer and Electronic Product Manufacturing industry. Beyond these direct (tier-1) suppliers, virtually every S&P 500 company has sub-tier (tier-2, tier-3 and beyond) supplier relationships with at least one at-risk or restricted company.  

This has always posed a regulatory risk, but national and economic security risks must now also feature in supply chain security risk assessments. While last week’s attacks did not run through a restricted company, technology companies on restricted lists represent a more probable pathway to hardware infiltration and warrant heightened alert. 

Tracking the latest restricted companies is difficult, as there is no single consolidated list across all U.S. and international organizations. Fortunately, Interos simplifies this process by surfacing several dozen restriction lists from the US, the Five Eyes, and international governmental organizations, extended across the entire supply chain ecosystem. These companies, especially those in technology, are at the highest risk of technology supply chain infiltration. They pose not only a regulatory risk; they could also intercept data or carry out sabotage on behalf of adversaries. 

The stark reality of this new era is that geopolitical risk extends well beyond restrictions: companies and governments need visibility into all areas of supply chain risk, including financial, cyber, ESG, geopolitical and catastrophic risk.

In short, the globalized era of entangled supply chains absent geopolitical considerations is over. 

Supply Chain Security: Time to Double Down 

Almost a decade ago, the political thriller Ghost Fleet imagined a future war beginning with supply chain infiltration: China compromises the U.S. electronics supply chain, disrupting everything from navigation systems to fighter jets. The digital revolution, or fourth industrial revolution, continues to shorten the time between futuristic scenarios and modern reality.  

As Stuxnet demonstrated almost fifteen years ago, the shifting cyber attack landscape quickly expanded beyond governments and into the private sector. The device explosions in Lebanon similarly crossed a new line and will accelerate the pace at which the technology supply chain is exploited by government and non-government actors alike. Whether or not the Bloomberg report proves valid, the infiltration of these devices introduces the same class of supply chain security risk: it is no longer a matter of if, but when, a technology supply chain infiltration will occur again.  

Just as software backdoors have increased in prevalence, the same may soon be true of hardware backdoors, making it all the more critical for a fresh look and reprioritization of supply chain security. 

We are here to help. Speak to a risk intelligence expert today.  


Taming Digital Supply Chain Threats: NYSE CISO’s Battle Plan for the AI Era

Author: Dianna O’Neil 

In Interos’s latest Voices of Innovation session, NightDragon Founder & CEO Dave DeWalt tackled today’s new breed of digital supply chain threats with Steve Pugh, Chief Information Security Officer (CISO) of Intercontinental Exchange, Inc. (ICE), parent company of the New York Stock Exchange. As CISO, Pugh is responsible for securing critical economic infrastructure across multiple subsidiaries, geographies, and regulatory jurisdictions. 

Together, Pugh and DeWalt explored the fluid landscape of digital risk and the critical role of AI supply chain risk intelligence in addressing escalating threats.  

Speed and Scale: The Core Challenges 

Pugh emphasized that the fundamental issues in digital supply chain risk management are the speed and scale of dispersed and sophisticated threats originating from bad actors, cyber criminals, adversarial nations, and other dynamic and fast-moving entities all over the world. “The key for a lot of my peers and colleagues is how do we keep up and innovate at that same speed [as bad actors], and then match the scale?” Pugh stressed that the staggering complexity of today’s attacks underscores the need for rapid adaptation and scalable solutions in the face of evolving risks. 

Building on this, DeWalt described the current global threat environment as “the perfect supply chain risk storm,” highlighting flashpoints with implications for digital supply chain stability.  

  • Heightened geopolitical tensions 
  • Regional conflicts 
  • Shifting dependencies on nations 
  • Increased cyberattacks targeting supply chains and third-party providers 

Unmasking “Unknown Unknowns”

Against this backdrop, Pugh noted the need to communicate supply chain risk effectively to senior stakeholders, including corporate boards, to align on critical threats and move from insight to action, aided by emerging technologies that allow enterprises to take a proactive security posture. 

Pugh emphasizes two domains: visibility and control. “At the board level, we talk about it in two domains. The first is visibility, and then the second is control. And you really can’t talk about control unless you have the right level of visibility in your supply chain.” He focused on the critical importance of comprehensive supply chain visibility, using AI risk mapping and monitoring, as a prerequisite for effective risk management. 

Pugh elaborated by referencing Donald Rumsfeld’s “known knowns, known unknowns, and unknown unknowns” matrix. He stated, “There’s a lot of unknown unknowns… that’s where the complexity really gets tough.” To illustrate this complexity, he shared an example from the experience of a colleague at an external engineering firm: that person experienced a catastrophic incident caused by “one bolt from a supplier somewhere in the world” failing, not due to malice but simply due to negligence or defect. He drew a parallel with third-party software and technology providers, noting how vulnerable third-party software from obscure tiers of the supply chain can have significant consequences across interconnected digital supply chains. 

AI to the Rescue

Both DeWalt and Pugh expressed optimism about the role of AI and advanced risk intelligence in addressing supply chain challenges, particularly the ability of AI to deliver enhanced visibility and risk analysis at speed and scale. 

AI enables the ingestion and analysis of vast amounts of data from various sources, providing insights into complex supply chain relationships in real time. Pugh explained, “AI can come alongside us and almost be a companion, to scale up and do so at speed and reason over all of these different data points.” Given the hundreds of millions of businesses globally, with billions of sub-tier supply chain interdependencies, this capability is crucial for managing multi-tier risks effectively. 

Pugh detailed three primary ways AI is enhancing software development and security: 

  • Reasoning over code to find and fix defects quickly 
  • Generating cleaner, more secure code 
  • Enabling co-development with AI for native integration 

“We end up in this place where… you end up with some really good code that has fewer defects,” Pugh noted. He elaborated on how AI can create a “virtuous software development cycle” that significantly reduces potential vulnerabilities over time. 

Converging Physical and Cyber

Pugh’s role at NYSE encompasses both physical and cybersecurity—a trend that DeWalt sees increasing across industries. This convergence allows for a more comprehensive approach to risk management since physical threats can impact digital assets, unleashing a ripple effect with devastating financial consequences. 

Amid these changing dynamics, Pugh sees the CISO role evolving into that of a “risk business partner” to company leadership. “I think the role of the CISO is evolving to become more of a risk business partner,” he explained. This broader perspective allows for a more holistic approach to security and risk management across an organization. 

Channeling Optimism

As digital supply chain risks continue to evolve and expand, integrating AI technologies and continuous supply chain lifecycle risk intelligence alongside converging physical and cybersecurity offers promising solutions. Pugh’s final thoughts reflected a promising outlook: “I am optimistic on AI… I think it’s something that will certainly help us.” By embracing these generational innovations while maintaining a real-time view of risk, organizations can better navigate the complex and fraught landscape of global supply chains in the digital age. 

Technology such as Interos Watchtower™ utilizes AI to continuously map and monitor relationships across the risk lifecycle to help enterprises mitigate physical and digital threats before they escalate to crisis. 

To learn more about how Interos can fortify your supply chain, contact us. 


Why AI Risk Intelligence Is Key to Strengthening Digital Supply Chain Cybersecurity

Image: NOIRLab/NSF/AURA/T. Slovinský

Story by Alea Marks & Dianna ONeill

The second episode of Interos’s executive insights series, “Voices of Innovation,” explored how AI is enhancing digital supply chain cybersecurity – with former CISA Chief of Staff Kiersten E. Todt calling the issue an “urgent challenge.”

“The AI Revolution in Supply Chain Cyber Defense” discussion between Todt and Dave DeWalt, founder and CEO, NightDragon, comes against a backdrop of soaring software supply chain attacks that make today’s complex digital ecosystems acutely vulnerable to breaches, attacks, failures and other cascading disruptions.

Here are five key takeaways from their conversation:

1- Understanding and Managing Supply Chain Risk

The rise in software supply chain attacks has highlighted persistent and costly risks in interconnected digital supply chains, particularly as cybercriminals exploit vulnerabilities in third-party software components. Gartner projects that by 2025, 45% of global organizations will have experienced a supply chain attack, three times the 2021 level.

Todt stressed the need for visibility and transparency in managing latent third-party vulnerabilities:

“I do think it’s one of the most urgent challenges to be addressed because we don’t know all the interdependencies [that exist] and we have to have greater visibility into all of the touchpoints that we have. Understanding our third-party risk, understanding where third-party supplier vendors are not as strong or resilient as we need them to be, is critical.”

Recent data shows that 61% of businesses have been impacted by supply chain attacks in the past year, highlighting the extensive attack surface and the urgent need for proactive measures. AI-driven intelligence, which can continuously monitor supply chain lifecycle risk at scale, is vital amid these realities.

2- Government and Industry Partnership

The collaboration between government and industry has led to approaches like Secure by Design, which emphasizes integrating security measures into the development process from the beginning, rather than adding them later, and ensuring a careful balance between security and innovation:

“The prioritization of security over getting something out there is what needs to happen. Secure innovation doesn’t have to be an oxymoron,” Todt said.  “If we think about cybersecurity, progress is security, it is safety. That is the principle […] that we’ve seen from the government leaders, but importantly as partners with industry, that we’ve seen prioritized.”

3- Opportunity Over Sophistication

DeWalt noted the importance of identifying “choke points” in the supply chain, as demonstrated by cyber incidents at third-party vendors such as Change Healthcare and the auto dealership software company CDK. Todt emphasized that risk is often about opportunity rather than sophistication:

“When you look at Colonial Pipeline, that company for all we know was not targeted because it was transferring 45 percent of fuel along the East coast, it was targeted because it didn’t use multifactor authentication and in a broad sweep its vulnerabilities percolated to the top. A lot of this activity is just looking for where the vulnerabilities are. It’s so important to appreciate not just where they are, but what do you need to function? What do you need to be efficient? What does your supply chain and your manufacturing process need to actually operate?”

Interos Watchtower™: The Necessary Visibility

DeWalt emphasized the complexity of global supply chains, where today’s large enterprises can easily maintain tens of thousands of suppliers across their extended global networks. Identifying and understanding supplier risk across these interdependent ecosystems is crucial, and new technology such as Interos Watchtower™ utilizes AI to continuously map and monitor relationships across the risk lifecycle to help enterprises mitigate supplier failures before they escalate to crisis.

By leveraging AI and real-time critical risk intelligence, companies can enhance their resilience against cyber, regulatory, ESG, and other threats, ensuring that their digital supply chains remain secure and efficient.

Enabling the Future with AI Supply Chain Intelligence

AI technologies are revolutionizing supply chain security by enabling advanced analytics and real-time risk detection, monitoring, and other advantages. These capabilities allow organizations to anticipate potential supply chain disruptions in advance to rapidly mitigate threats and optimize resource allocation.

To watch the replay of Todt and DeWalt’s conversation click HERE.

To learn more about how Interos can fortify your supply chain contact us HERE.


IT Outage Impact Analysis – At Least 674,000 Enterprise Customers at Risk of Disruption Globally

by: Deverick Holmes, Operational Resilience Consultant, and Mackenzie Clark, Senior Computational Social Scientist

This report details the global outage involving CrowdStrike, highlighting the incident’s domestic and international impact on trade and business operations. Interos has provided a detailed timeline of events and recommended steps customers should take here.

Summary

CrowdStrike was involved in a global IT outage that has highlighted the vulnerability of interconnected global supply chains. The outage impacted 674,620 direct customer relationships of CrowdStrike and Microsoft, and over 49 million customer relationships when extended three tiers downstream, according to Interos data. While the U.S. was the most affected country, with 41% of impacted entities, the disruption was also felt at major ports and air freight hubs in Europe and Asia. Ports from New York to Los Angeles and Rotterdam reported temporary shutdowns, while air freight suffered the hardest blow, with thousands of flights grounded or delayed. The outage exacerbates existing supply chain challenges amid rising global demand and freight prices, with potential long-term implications for global trade and finance.

Another Global Trade Disruption

The interconnected nature of global supply chains means international trade experiences ripple effects from even temporary shutdowns. This comes as freight prices skyrocket and shipping demand rises. When Interos data is used to trace how far the trickle-down effects of the outage reach, the results are striking.

Interos analyzed the extended supply chains of both CrowdStrike and Microsoft, whose Windows-based customers were disrupted by the faulty CrowdStrike update, leading to outages for Microsoft users across the world. Examining the direct customer relationships (Tier 1) of both Microsoft and CrowdStrike, Interos identified 674,620 customer relationships. Expanding the scope to the customers of those customers (Tier 2), the number of customer relationships identified in Interos data grows to over 28 million, and one step further (Tier 3) the figure increases to over 49 million customer relationships.
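The tiered counting described above, as an added example that is not Interos’s code or methodology: a breadth-first walk over a constructed supplier-to-customer graph (hypothetical names, not Interos data) that computes tier-1, tier-2 and tier-3 exposure from a set of disrupted suppliers. It shows why the page reports both “relationships” and “entities” with slightly different totals (an organisation that buys from both disrupted vendors is two relationships but one entity) and why tiering must use shortest hop distance so that cycles and shared sub-tier customers are not counted twice.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample graph (hypothetical names, not Interos data).
# Each edge is (supplier, customer): the supplier provides software or a
# service to the customer, so an outage at the supplier propagates downstream.
SAMPLE_EDGES: List[Tuple[str, str]] = [
    ("VendorA", "Bank1"),      # Bank1 buys from both vendors: two relationships,
    ("VendorB", "Bank1"),      # one entity
    ("VendorA", "Airline1"),
    ("VendorB", "Port1"),
    ("Bank1", "Retailer1"),
    ("Airline1", "Freight1"),  # Freight1 is reachable via two tier-1 customers
    ("Port1", "Freight1"),
    ("Freight1", "Retailer2"),
    ("Retailer1", "VendorA"),  # cycle back to a root: must not be re-counted
]


def build_customer_index(edges: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Map each supplier to the set of its direct customers."""
    index: Dict[str, Set[str]] = defaultdict(set)
    for supplier, customer in edges:
        index[supplier].add(customer)
    return index


def tier_exposure(
    edges: Iterable[Tuple[str, str]],
    roots: Iterable[str],
    max_tier: int = 3,
) -> Tuple[Dict[int, Set[str]], Dict[int, int]]:
    """Breadth-first walk downstream from the disrupted suppliers (roots).

    Returns two dictionaries keyed by tier (1..max_tier):
      entities[t]      - set of distinct organisations first reached at tier t
      relationships[t] - number of supplier->customer edges traversed at tier t

    An organisation's tier is its shortest hop distance from any root, so an
    entity reachable through several paths is assigned once, while every
    traversed edge still counts as a relationship. That is why a relationship
    count is always >= the matching entity count.
    """
    index = build_customer_index(edges)
    tier_of: Dict[str, int] = {root: 0 for root in roots}
    entities: Dict[int, Set[str]] = {t: set() for t in range(1, max_tier + 1)}
    relationships: Dict[int, int] = {t: 0 for t in range(1, max_tier + 1)}

    frontier: List[str] = list(tier_of)
    for tier in range(1, max_tier + 1):
        next_frontier: List[str] = []
        for supplier in frontier:
            for customer in sorted(index.get(supplier, ())):
                relationships[tier] += 1
                if customer in tier_of:  # already reached at a shorter distance, or a root
                    continue
                tier_of[customer] = tier
                entities[tier].add(customer)
                next_frontier.append(customer)
        frontier = next_frontier
    return entities, relationships


def cumulative_entities(entities: Dict[int, Set[str]]) -> Dict[int, int]:
    """Distinct organisations exposed through tier t, inclusive of earlier tiers."""
    totals: Dict[int, int] = {}
    running = 0
    for tier in sorted(entities):
        running += len(entities[tier])
        totals[tier] = running
    return totals


if __name__ == "__main__":
    ents, rels = tier_exposure(SAMPLE_EDGES, ["VendorA", "VendorB"])
    for t in sorted(ents):
        print(f"tier {t}: {rels[t]} relationships, {len(ents[t])} new entities: {sorted(ents[t])}")
    print("cumulative entities:", cumulative_entities(ents))
```

On the sample graph, tier 1 yields four relationships but only three entities, because Bank1 buys from both vendors; Freight1 is reached twice at tier 2 but assigned once; and the Retailer1 to VendorA edge is counted as a relationship but does not re-enter the root into a later tier. Replacing SAMPLE_EDGES with a real relationship extract reproduces the relationships-versus-entities gap seen in the figures above.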

The outage had varying levels of impact across Union Pacific’s freight network, while ports from New York to Houston and Los Angeles reported temporary container terminal shutdowns overnight but were mostly operational by early morning. Rotterdam, the largest port in Europe, said some companies operating at its terminals were impacted. On average, the port of Rotterdam handles approximately 1.3 million tons of cargo daily, including containers, bulk commodities (such as crude oil, coal, and iron ore), and various other cargo types. In addition, the UK ports of Felixstowe and Tilbury both confirmed major IT outages, and similar issues were reported at ports in Poland and Asia.

Air freight was hit the hardest, with many global airlines grounding flights and the complex air cargo system facing a recovery period that could last days or weeks. Thousands of flights were grounded or delayed at the world’s largest air freight hubs in Europe, Asia, and North America. These hubs are critical nodes in the international logistics network, handling vast quantities of cargo daily. The grounding of these flights may lead to trickle-down delays in the movement of goods, impacting various industries. The semiconductor supply chain, for example, which relies heavily on air freight to transport finished products from manufacturing centers in the EU and Asia to markets in the U.S., has been particularly affected. This new issue for the global supply chain comes amid a rise in global demand and prices, driven by the ongoing conflict in the Red Sea and climate change impacting trade routes: shipments were up 13% year-over-year in June, while air freight supply increased by only 3%, already raising costs for shippers due to limited capacity. As it may take days or weeks for air freight companies to fully bring their systems back online, this will only exacerbate the supply chain hurdles facing the global market.

Interos Data Shows U.S. & European Entities Highly Impacted 

According to data from Interos, the outage potentially impacted 674,476 entities globally, with 280,760, or 41%, of these being in the United States. Given that the U.S. is a major economic engine for global trade, this outage may have significant short-term implications for international commerce and finance.

 

Interos data also indicates that European countries are highly exposed to this event. Within the top ten countries listed in the chart above, six are in Europe: the United Kingdom, Germany, Italy, France, Spain, and the Netherlands. Combined, these countries account for 186,749 entities, or 27.68%. While this does not account for the entire European continent, the figure underscores the global nature of the outage.

U.S. companies whose systems remain down are exposed to increased cyber risk. When systems are offline or disrupted, it becomes harder to apply standard security controls and monitor for threats. This downtime can create conditions that attackers may exploit, such as weakened defenses, unpatched software, and delayed security updates. With critical systems and data at risk, these companies face a heightened possibility of data breaches, ransomware, and unauthorized access. Moreover, the inability to detect and respond to threats in real time during such outages can compound the damage, leading to significant financial losses, reputational harm, or regulatory consequences.

U.S. consumers have reported declined credit card transactions, disrupting personal and business activities. Additionally, U.S. airlines, which play a crucial role in facilitating cross-border business, have experienced widespread cancellations and delays. This disruption could delay business meetings, shipments, and other critical economic activities, further compounding the impact on global trade.

According to reports, CrowdStrike is utilized by 82 percent of U.S. state governments and 48 percent of the largest U.S. cities. Given its widespread adoption, a prolonged outage of CrowdStrike’s services could severely impact municipalities’ ability to maintain essential cybersecurity defenses. These state and municipal entities rely heavily on CrowdStrike Falcon’s advanced threat detection and real-time monitoring to protect sensitive data and critical infrastructure from cyber threats. Without these protections, municipalities could experience increased vulnerability to cyberattacks, such as ransomware, data breaches, and unauthorized access, potentially compromising public safety, emergency response systems, and the security of citizen information.

Furthermore, the disruption could hinder the ability of these governments to deliver public services effectively. Key functions such as water treatment facilities, public transportation systems, and healthcare services, which increasingly depend on digital infrastructure, could be at risk.

In addition to local municipalities, CrowdStrike is used by many prominent organizations across various sectors. Various U.S. government agencies, including parts of the Department of Defense and intelligence agencies, rely on CrowdStrike for its advanced threat detection. Major financial institutions across the U.S. and EU such as Goldman Sachs, Bank of America, and Santander also use CrowdStrike to protect their sensitive data, and giant retailers like Walmart and Target, as well as energy companies such as ExxonMobil and Exelon, also depend on CrowdStrike to defend against cyber threats and protect critical infrastructure. The system is particularly preferred by high-profile organizations worldwide for its ease of use and robust security features.

Outage Spans Multiple Industries

The direct effects of this outage also span a broad range of industries. While impacts to airlines and banks have been the most widely reported on, Interos data shows that companies in the professional services, wholesale, and various manufacturing industries make up the bulk of companies that are potentially experiencing disruptions.

Of those directly supplied by Microsoft or CrowdStrike, companies in the Professional, Scientific, and Technical Services industry make up almost 7% of customers, followed closely by companies in the Merchant Wholesalers industry, at almost 5% of customers, and the Administrative and Support Services industry, at over 3% of customers.

In total, Interos identified companies spanning almost 1,200 unique industries that are directly supplied by Microsoft or CrowdStrike. From telecommunications to hospitals, utilities, and even postal services, virtually no industry was left unaffected by this outage. Disruptions of this kind delay critical infrastructure and the delivery of products and services, leaving businesses and consumers across the world without access to key services or goods.

Interos’ data shows ongoing supply chain disruptions cost enterprises $100 million in annual losses on average. The company’s critical risk intelligence platform helps companies mitigate the financial impacts of multi-tier risks by continuously mapping and monitoring extended supply chains at speed and scale.

Learn how you can manage risk by exception, at scale. Speak to an expert today.


CrowdStrike Outage: Interos Update

CrowdStrike Outage: What Happened? 

Interos is monitoring the widespread IT outage affecting numerous sectors globally, including airlines, banks, telecommunications companies, and many others. We are proactively alerting customers to potential impacts across their supplier ecosystem via direct email notifications and a platform-wide notice and event summary. The Interos platform has not experienced any impact. 

Cybersecurity firm CrowdStrike, the epicenter of the disruption, published an official statement as of 9:22 am ET, July 19, 2024. 

“CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This is not a security incident or cyberattack.

The issue has been identified, isolated and a fix has been deployed. We refer customers to the support portal for the latest updates and will continue to provide complete and continuous updates on our website.”

Summary Timeline 

Thursday, July 18, 2024 

 Friday, July 19, 2024

  • Fri, 4:48am ET: Microsoft reported on the Azure status page that Windows devices were experiencing issues due to a third-party software update. 
  • Fri, 5:45am ET: On X, CrowdStrike CEO George Kurtz announced a fix for a defect in a single content update for Windows hosts, confirming the situation was not a security incident. 
  • Fri, 6:39am ET: Interos published an event summary update regarding global IT outages triggering flight delays. 
  • Fri, 7:48am ET: The New York Times reported the outage was due to a flawed CrowdStrike security update, with a fix deployed but ongoing issues expected. 
  • Fri, 7:54am ET: Interos issued an automated Cyber Event Alert to all customers via our platform. 
  • Fri, 8:45am ET: Interos updated our platform’s Events Feed, publishing a list of impacted banks and apps.  
  • Fri, 10:00am ET: Interos deployed an event notice on the front page of the platform. 

Who is Impacted?  

According to company disclosures, CrowdStrike has over 21,000 customers, many of them large institutions, including major airlines, banks, healthcare providers, and cloud providers, with thousands of computers and servers running the software. The platform is used by 82 percent of US state governments and 48 percent of the largest US cities, and resolves over 7 million incidents annually through its managed detection and response (MDR) service.   

Users have reported that their bank cards were being declined, and HR departments have reported document outages via ADP impacting payroll and other business operations. As of 12pm ET, over 2,000 flights had been canceled and more than 5,300 delayed. 

Additionally, disruptions were not confined to Microsoft customers: any Windows host running CrowdStrike's Falcon sensor that received the defective content update was affected, regardless of where it was hosted; Mac and Linux hosts were not. 

What Can You Do About it? 

In its Statement on Falcon Content Update for Windows Hosts, CrowdStrike published workaround steps for “individual hosts” and “public cloud or similar environment including virtual.”  

It’s worth noting that, according to news reports, U.S. customers may be less impacted because the incident occurred when many U.S. computers were off, and the corrected software was published before they were turned on. 

Companies that want to understand the impact of this incident on their operations must perform due diligence across their supplier ecosystem. Although CrowdStrike has isolated the cause to a “single content update for Windows hosts,” Falcon's footprint on Windows across airlines, banks, healthcare providers and cloud providers means the impact radius is still substantial.  

Recommendations:

  • Engage third parties / tier-1 suppliers to ask whether they have a material relationship with CrowdStrike and run the Falcon sensor on Windows hosts, including hosts on Microsoft Azure or organizations relying on O365. (The defect affected Windows hosts regardless of hosting provider, so Azure use is a pointer to likely exposure, not a precondition for it.)   
  • If an existing relationship is identified, confirm with the supplier if CrowdStrike’s workaround steps and/or other mitigating actions were taken and if there is any material impact on the supplier’s operations that requires mitigation. 
  • If no mitigating action is necessary, companies should refer to established business continuity processes to protect against immediate operational risks.  

For Interos Customers   

  • Use the Interos Supplier-Buyer Relationships to identify sub-tier connections to CrowdStrike.  
  • Prioritize list for outreach, assign ownership for direct outreach, and execute the steps above.  
  • Create a group for this specific instance and enable alert notifications to receive updates via email.  
  • Investigate cybersecurity risk scoring and the potential changes to the security landscape for companies connected to CrowdStrike   
  • Because Falcon is a core security and threat management platform, hosts on which it was inoperable were without its protection for that period, giving threat actors a potential window of opportunity; monitor for follow-on activity during and after the recovery window.   
  • Companies utilizing Interos’s premium support offering can engage the Operational Resilience Consulting team to perform a deep-dive analysis across their ecosystem.  

 

Spyware and Sanctions Create Emerging Supply Chain Risks

On the surface, the recent spyware campaign by the Vietnamese government against U.S. politicians may not seem relevant to supply chain risk. That would be a faulty assumption. More than 70 governments have deployed spyware over the last decade. While government officials and journalists are often the targets, the private sector is not immune. Businesses located in countries with governments deploying spyware and pursuing digital authoritarianism – widespread data and internet control – face a heightened risk of data exfiltration.

But spyware doesn’t just create cybersecurity risk; it also creates regulatory risk. Earlier this year, the Biden Administration introduced new restrictions on spyware companies due to the security risks they pose. Along with the Uyghur Forced Labor Prevention Act (UFLPA), these additions reflect a growing focus on human rights violators. These changes acknowledge “the increasingly key role that surveillance technology plays in enabling campaigns of repression and other human rights violations.”

In the new normal defined by geopolitical fault lines and a splintering of cyber norms, both the deployment and production of spyware should be a growing consideration for supplier due diligence and risk assessments.

The Proliferation of Spyware

Spyware is a form of malicious software installed on devices to collect information without the owner’s consent. Previously, governments had a near monopoly on these capabilities. However, thanks to the privatization of spyware, offensive cyber capabilities continue to proliferate among state and non-state actors. NSO Group, Cellebrite, and Candiru are just a few of the companies selling spyware. A recent Interos analysis assessed the number of spyware companies linked to national governments. The number reached into the double digits in some cases.

Global map showing how many spyware companies have been linked to a national government, by region. Hot spots include Mexico, Colombia, Morocco, Nigeria, Saudi Arabia, and Thailand.

These numbers reflect only open-source disclosures of spyware. In reality, dozens of governments now possess some level of offensive cyber capability, most of it classified. China leverages spyware for widespread espionage campaigns, while reporting has linked numerous governments to Pegasus spyware. This year’s ODNI (Office of the Director of National Intelligence) Annual Threat Assessment notes that “commercial spyware and surveillance technology, probably will continue to threaten U.S. interests.” ODNI estimates the commercial spyware industry to be worth $12 billion. Vietnam’s targeted deployment of spyware reflects this growing risk.

Spyware and Restrictions

The proliferation of commercial spyware and surveillance technologies is not only a security risk; it is also reshaping the regulatory environment. Section 889 of the 2019 NDAA was among the most expansive prohibitions against the use of surveillance technologies by federal agencies and their partners. Focused on Huawei, Dahua, ZTE, Hytera, and Hikvision and their subsidiaries, Section 889 reflects both the data exfiltration risk and the regulatory risk that surveillance technologies carry.

While Section 889 focuses on dual-use surveillance technologies, this year’s Executive Order explicitly addresses commercial spyware built for surveillance and data exfiltration. It has already resulted in several more companies being flagged as surveillance risks, including the addition of Intellexa and Cytrox to the Entity List. Initially, restrictions such as Section 889 largely focused on companies partnering with the United States government; inclusion on the Entity List extends this to a broader commercial restriction on exports to the listed companies. This is not only a U.S. concern: in May the E.U. called for a ‘de facto’ moratorium on spyware, and Australia has similarly debated controls on commercial spyware.

Looking Ahead: The Splinternet & Supply Chain Risks

Just as globalization and supply chains continue to be upended along geopolitical fault lines, so too does the internet. Reflecting opposing norms toward digital government intervention and data privacy, today’s siloed and fractured “Splinternet” introduces new digital risks across a company’s supply chain. Digital authoritarianism, wherein governments seek digital sovereignty and control over the Internet and the data passing through it, is on the rise and is powering the proliferation of spyware. While democracies are not immune from the use of spyware for national security, authoritarians are much less constrained on their use of offensive cyber capabilities across a growing population of targets.

The ODNI Annual Threat Assessment summarizes the national and commercial risks posed by digital authoritarianism and offensive cyber capabilities. Revelations of Vietnam’s use of spyware are not surprising to those following the expansion of digital authoritarianism. Over the last few years, Vietnam has adopted increasingly stringent data restrictions, including mandating local data storage and government control over data. These laws have prompted comparisons to Chinese digital authoritarianism and the data trap, which eliminates corporations’ control over their own data.

Vietnam is also a top contender for companies seeking to diversify supply chains away from China. While it may offer favorable labor and economic environments, Vietnam’s cyber risks are often overlooked. While governments are more frequently targeted by spyware than corporations, history has shown that it is only a matter of time before businesses are equally under fire from adversaries with espionage or profit motives.

Diversification with Cybersecurity and Regulatory Risk in Mind

As companies explore reshoring and supply chain diversification, the cybersecurity risk environment must be part of the calculation. A growing component of this analysis is the offensive deployment of spyware for data exfiltration. Similarly, surveillance technologies within a supply chain are also at heightened risk of regulatory fines and penalties. These heightened risks reflect ongoing geopolitical and technological transformations and introduce a range of opportunities and risks.

Those who prioritize and design operational resilience in sync with these transformations will gain a competitive advantage and be better prepared for the new normal compared to those who remain focused on the risks of yesteryear.

To learn more about how to identify and combat risks related to spyware in your supply chain, contact Interos. 

Navigating MOVEit: Six Lessons in Resilience for the Next Mass Supply Chain Attack  

The MOVEit Transfer vulnerability recently surged back into the headlines with IBM and the Colorado Department of Health Care Policy & Financing confirming cyber-attacks that exposed the private health care data of millions of customers. The ensuing supply chain attacks have caused chaos for a growing number of victims spanning banks, hotels, energy giants and others. It’s no coincidence the events also saw the filing of five separate class-action lawsuits against Progress Software, the publisher of the MOVEit file transfer application.

The breach, and the widening scope of damage, highlights the hidden risks posed by digital concentration risk – defined as high levels of dependence on massive, globally interconnected systems. In highly concentrated systems, a single vulnerability has the capacity to affect millions of entities. Various reports show at least 620 businesses and more than 40 million individuals have been impacted – over one-third via third party connections.

The incident underscores the constant battle to protect data and highlights the urgent need for a proactive approach to supply chain cybersecurity.

A Closer Look at the Attacks

Beyond IBM, the MOVEit attacks have affected hundreds of organizations, including the BBC, British Airways, Johns Hopkins University, multiple U.S.-based financial services firms, and even U.S. government agencies.

The breaches were carried out by exploiting SQL injection vulnerabilities in the MOVEit Transfer web application, which gave attackers access to the application’s database and the files it managed. The CL0P extortion gang claimed responsibility and has gone on an extortion spree, contacting dozens of companies and demanding payment to prevent stolen information from being published online.
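The class of bug described above, as an added illustration written for this article (it is not MOVEit's code and the table, rows and attacker inputs are all constructed here): a user lookup built by string concatenation against an in-memory SQLite table, beside the parameterized form. The two constructed payloads show what the text describes, a filter bypass that returns every row and a UNION that reads other parts of the database.

```python
import sqlite3


def make_db():
    """Constructed sample database: an in-memory SQLite table standing in for an app's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, api_token TEXT)")
    conn.executemany(
        "INSERT INTO users (username, api_token) VALUES (?, ?)",
        [("alice", "tok-a1"), ("bob", "tok-b2"), ("carol", "tok-c3")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: the caller's string is spliced into the SQL text, so quotes and keywords
    inside it become part of the query grammar instead of staying data."""
    sql = f"SELECT username, api_token FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Hardened: a bound parameter is handed to the engine as a value; it can never change
    the statement's structure, whatever characters it contains."""
    sql = "SELECT username, api_token FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed attacker inputs.
BYPASS = "nobody' OR '1'='1"  # turns the WHERE clause into a tautology
DUMP_SCHEMA = "x' UNION SELECT name, sql FROM sqlite_master --"  # reads table definitions; '--' comments out the trailing quote


def demo():
    """Run both lookups against both payloads plus a legitimate name; returns the rows each call yields."""
    conn = make_db()
    return {
        "vuln_bypass": lookup_vulnerable(conn, BYPASS),
        "vuln_schema": lookup_vulnerable(conn, DUMP_SCHEMA),
        "safe_bypass": lookup_hardened(conn, BYPASS),
        "safe_schema": lookup_hardened(conn, DUMP_SCHEMA),
        "safe_legit": lookup_hardened(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup hands back all three users for the bypass payload and the table definition for the UNION payload; the parameterized lookup returns nothing for either, because the engine compares the whole string, quotes and all, against the username column.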

Six Steps to Respond Proactively

Though the situation is still unfolding, six key lessons have already emerged:

  1. Collaborate with Cybersecurity Teams & Identify Affected Third Parties: Engage procurement and cybersecurity teams to collaborate on guidance and on vendor communications to determine which vendors use MOVEit. Unlike calls or surveys, automated platforms can identify likely affected vendors immediately and across sub-tier/extended supplier networks. Contact these critical vendors immediately and agree on mitigation strategies. If the enterprise relies on legacy or manual systems, the only option may be issuing a manual questionnaire to vendors, which may take weeks to gather and analyze for vulnerability mitigation. If customer data has been exposed, take steps to notify them and review your vendor contracts for data breach notification requirements.
  2. Segment Critical Third Parties: Identify and group third parties and supply chain partners based on their criticality to continued operations – and their level of instability.
  3. Drill Deeper: Once critical third parties & supply chain partners have been identified, organizations need to drill deeper into risk sub-factors to understand their true vulnerability posture. When assessing vendors, it’s essential to consider everything from liquidity to cybersecurity breach history. Undertake exercises like threat modelling to further understand which vulnerabilities may pose the most risk to operations.
  4. Take Action: Develop an action plan to address findings. Long-term and short-term risks may require different remediation measures, such as focusing InfoSec teams on addressing specific CVEs.
  5. Perform Cybersecurity Due Diligence/Continuous Monitoring: In addition to immediate triage, it’s important to assess suppliers who furnish similar software to evaluate their cybersecurity practices as copy-cat attacks are a strong possibility. Again, automated risk assessment/monitoring applications will help here – provided they have insight across your supply chain.
  6. Stay Updated with Official Information: Monitor official information from Progress Software and other sources for updates.
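The sub-tier discovery that lesson 1 above and the Interos customer steps in the CrowdStrike note (identify sub-tier connections to the affected vendor, then prioritize outreach) both rely on, as an added example written for this article; it is not the Interos platform's code. The relationship graph and criticality ratings are constructed, and every company name other than CrowdStrike and Microsoft Azure is hypothetical.

```python
from collections import deque

# Constructed supplier-buyer graph: buyer -> its direct (tier-1) suppliers.
# "Acme Corp" is the enterprise doing the triage; names other than CrowdStrike
# and Microsoft Azure are hypothetical.
RELATIONSHIPS = {
    "Acme Corp":     {"Payroll Co", "Logistics Ltd", "Widget Inc"},
    "Payroll Co":    {"CloudHost", "CrowdStrike"},
    "CloudHost":     {"Microsoft Azure"},
    "Logistics Ltd": {"TelematicsCo"},
    "TelematicsCo":  {"CrowdStrike", "Microsoft Azure"},
    "Widget Inc":    {"Steel Supplier"},
}

# Constructed criticality of Acme's tier-1 suppliers (lesson 2: segment by criticality).
CRITICALITY = {"Payroll Co": "high", "Logistics Ltd": "medium", "Widget Inc": "low"}
RANK = {"high": 0, "medium": 1, "low": 2, "unknown": 3}


def exposure_paths(graph, root, target, max_hops=4):
    """Breadth-first search for every acyclic path from root down to target within
    max_hops supplier hops. max_hops=4 reaches 'sixth parties' (tier-4 suppliers)."""
    found = []
    queue = deque([(root, [root])])
    while queue:
        node, path = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue
        for supplier in sorted(graph.get(node, ())):
            if supplier in path:  # ignore cycles in the relationship data
                continue
            new_path = path + [supplier]
            if supplier == target:
                found.append(new_path)
            else:
                queue.append((supplier, new_path))
    return found


def triage(graph, root, targets, criticality, max_hops=4):
    """For each tier-1 supplier of root, report which targets sit somewhere beneath it and
    the shallowest tier (relative to root) at which each appears. Output is ordered for
    outreach: most critical supplier first, then the closest exposure."""
    report = {}
    for tier1 in sorted(graph.get(root, ())):
        exposure = {}
        for target in targets:
            paths = exposure_paths(graph, tier1, target, max_hops - 1)
            if paths:
                # a path of k hops below a tier-1 supplier puts the target at tier k+1
                exposure[target] = 1 + min(len(p) - 1 for p in paths)
        if exposure:
            report[tier1] = {"criticality": criticality.get(tier1, "unknown"), "exposure": exposure}
    return sorted(
        report.items(),
        key=lambda kv: (RANK[kv[1]["criticality"]], min(kv[1]["exposure"].values()), kv[0]),
    )


if __name__ == "__main__":
    targets = ["CrowdStrike", "Microsoft Azure"]
    for supplier, info in triage(RELATIONSHIPS, "Acme Corp", targets, CRITICALITY):
        print(supplier, info)
```

On the constructed data, Payroll Co comes first (high criticality, CrowdStrike at tier 2 through it) and Logistics Ltd second (CrowdStrike only at tier 3, via TelematicsCo); Widget Inc drops out because nothing beneath it touches either target. The same traversal answers the MOVEit question by swapping the target list, which is the point of keeping relationship data in a graph rather than in questionnaire responses.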

Emphasizing Resilience by Design™

In a world of escalating supply chain cyber-attacks, the MOVEit breaches have highlighted the dangers of digital concentration risk and the need for robust third-party risk management practices. This incident is only the latest to emphasize the importance of proactively and continuously assessing enterprise supply chain cybersecurity backed by a robust incident response plan.

More broadly, the attacks stress the need for organizations to take control of risk for competitive advantage by ensuring resilient design in supply chain cybersecurity strategies. Per Interos’ latest annual survey of procurement leaders, cyber-attacks were the second-greatest concern for supply chain leaders, after supply shortages – costing large companies $43M a year, on average. Additional survey risk insights can be downloaded here.

By embracing Resilience by Design™, organizations can overcome risks, simplify their business, and deliver results. It’s not about avoiding the inevitable but about planning and reducing the impact and the time and resources required to restore normal operational performance.

Cyber-attacks and ransomware are inevitable – every organization will be impacted by one at some point – but with continuous multi-tier monitoring, and comprehensive recovery planning, we can minimize the damage and maximize profitability.

 

More ‘Critical’ Firms Face Tougher Cyber Laws

By Geraint John

Companies in critical industries on both sides of the Atlantic face more stringent cybersecurity regulations as governments seek to boost national security and operational resilience.

New laws passed in the U.S. and Europe call for rapid reporting of significant cyber attacks and ransom payments, improved cyber risk management practices, a greater focus on supply chain partners such as IT and cloud services providers, and stronger collaboration between the public and private sectors.

Crucially, the legislation also extends the range of firms covered beyond operators of core infrastructure such as water and transport to services such as banking, telecommunications, and healthcare, along with manufacturers of food, chemicals, pharmaceuticals, medical devices, and other “essential” products.

White House and SEC Work to Improve U.S. Critical Infrastructure Cybersecurity

In the U.S., the Biden Administration published its National Cybersecurity Strategy at the beginning of March. The first of its five pillars is titled “Defend Critical Infrastructure.” The strategy is aimed at both federal agencies and private-sector companies.

The strategy document argues that “the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes.”

As well as targeting critical infrastructure providers, it also pledges to “drive better cybersecurity practices in the cloud computing industry and for other essential third-party services” that these organizations depend on.

In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act, which requires companies to report certain types of cyber attacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and ransom payments within 24 hours.

CISA is currently working on implementing the reporting requirements, which must take effect by September 2025 at the latest.

Separately, the Securities and Exchange Commission (SEC) is expected to finalize its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules in April. These will require public companies to report “material” incidents within four business days. They must also provide updates on previous cyber attacks.

European Union Upgrades its Main Cybersecurity Directive

In Europe, the new Network and Information Security (NIS2) directive came into force on January 16th. It replaces the first-iteration NIS law, which has been operating since 2018. NIS2 is designed to strengthen security requirements, reporting obligations, and supply chain cybersecurity.

NIS2 also provides for stricter enforcement, with administrative fines of up to €10 million or 2% of global revenue for non-compliance.

Like the U.S. legislation, NIS2 expands its scope to a broader range of “critical sectors and services,” including information and communications technology (ICT) providers.

The new directive joins a raft of other new European Union laws, including the Digital Operational Resilience Act (DORA) for financial services and the Critical Entities Resilience (CER) Directive, which addresses physical security and terrorism, as well as cybersecurity.

E.U. member states have until October 17th 2024 to transpose NIS2’s measures into national law.

A European Parliament briefing document on NIS2 argues that companies need to invest more in cybersecurity. It cites study data suggesting that E.U. organizations spend on average 41% less on cybersecurity than their U.S. counterparts.

Interos Analysis: Cyber Risk Status in Energy and Healthcare Firms

To assess the impact of this spending gap, and to identify where cybersecurity practices are most in need of improvement, Interos conducted an analysis of cyber risk scores for the top 10 U.S. and European (E.U. plus U.K.) electric utilities, energy, and healthcare (pharmaceutical manufacturing) companies using our newly enhanced cyber risk model.

This analysis found that:

  • Overall company cyber risk scores – calculated from 20 subfactors and 91 attributes at both a firm and country level – vary widely. They go from a low of 59/100 — in the case of a European oil company — to a high of 82/100 for a European renewable electricity generator. The median score of 66 equates to only a “medium” level of cybersecurity protection.
  • At the firm level, U.S. and European companies are on a par, with both having a median score of 62/100. U.S. electric utility and energy companies score four points higher on average than their European counterparts, while in healthcare (pharma) the reverse is true. Again, all scores indicate medium levels of risk, which suggests plenty of room for improvement in cybersecurity practices.
  • The weakest areas of firm-level cybersecurity are in software-as-a-service bill of materials (SaaSBOM) vulnerabilities (average score 35/100), advanced persistent threat (APT) group activities (43/100), and compliance with public cybersecurity standards and frameworks (47/100) – a key element in the new legislation. There is also a big variation of scores between companies in web application security, web encryption, network filtering, e-mail security, and software patching.
  • At the country level, European firms score two points higher on average than those in the U.S. (82/100 against 80/100, indicating low cyber risk). The U.S. is rated significantly higher for its digital infrastructure (92 vs 65), and somewhat higher for cyber governance, resilience, and international collaboration. European countries score 20 points better on average on the risk of data access and manipulation in their business environment and as a geographic target for cyber attacks.

Transparency and Collaboration Vital to Manage Critical Infrastructure Cybersecurity

Cyber risk scores for critical infrastructure firms and their key suppliers, together with the new American and European legislation, are set to bring a new level of openness to cybersecurity.

Last week, during a webinar hosted by Interos, data partners BitSight and Equifax welcomed this development.

Commenting on the new SEC rules, Derek Vadala, chief risk officer of BitSight and a former chief information security officer at Moody’s, said the rules would bring much-needed transparency and culture change to the industry.

While it will take time for companies to understand what the new rules require, those companies that are more open about how they manage cyber risks today – for example, by publishing annual reports – are in a better position than those that do the bare minimum, Vadala argued.

The credit reference agency Equifax is also following this approach. It has published a cyber strategy and roadmap report for the past three years. According to Zach Tisher, its vice president of security risk, strategy and communications, “Security should not be a trade secret.”

As well as more open disclosure, Tisher argued that:

  • Employers need to bake cybersecurity into employees’ compensation plans to incentivize and reward good behavior.
  • Training must move away from the one-hour annual compliance session and be tailored better to staff needs.
  • Point-in-time questionnaires sent to suppliers and third parties aren’t sufficient; instead, real-time monitoring of cybersecurity controls is necessary.
  • Better collaboration with partners and vendors is vital to manage growing supply chain threats and requirements.

Third-party risk management has been the biggest trend in cybersecurity during the past couple of years, Tisher noted. “Supply chain is a top threat vector and it’s increasing all the time.”

This means that companies need to focus their cyber risk management efforts as far upstream as their sixth parties (tier-4 suppliers), he added.

Modeling Supply Chain Cyber Risk in a Disrupted World

By Andrea Little Limbago

On March 2, the Biden Administration announced a new National Cybersecurity Strategy. The need for a strategic change should not come as a surprise — Interos’ 2022 Resilience survey of 1,500 procurement and cybersecurity leaders revealed that supply chain disruptions from cyber incidents alone cost enterprises $37M annually. Some estimates put the global annual cost of cybercrime above ten trillion dollars.

Interos is closely monitoring the rising costs of cyber disruption and the continuously changing state of play, among other factors. We’ve refined and updated our cyber risk factor, one of the six factors within the Interos i-Score™, in light of these and other trends shaping cybersecurity. The enhancements include a new cyber behavior model to detect potentially harmful cyber activity regardless of public disclosure, along with combining commercial cyber ratings, vulnerability information (CVEs), threat assessment (MITRE ATT&CK®), cyber events, regulatory compliance, and operating country regulations and risks into a single score.

You can read about those details in our press release. This blog will focus on those strategic factors driving these changes and the challenges in developing a solution that delivers cybersecurity insights to non-experts, all within the backdrop of the generational shift underway in the international system.

Trends Driving The Need for Change in Cyber Risk Modeling

To address the growth in scope and scale of cyberattacks (and their ripple effect across the supply chain) the Biden administration’s new National Cybersecurity Strategy is putting more responsibility on vendors and service providers. This is part of a larger trend prompting organizations to prioritize long-term collective investment in cyber resilience – and is reflective of Interos’ collective resilience approach to cyber.

Cyber leaders are also increasingly acknowledging the human element and assessing those risks through a socio-technical lens. This has led to both a focus on user interactions as well as the growth in new compliance frameworks and regulations. That’s why the enhanced Interos cyber risk factor accounts for compliance with CSF V1.1, NIST SP 800-53, PCI DSS V3.2.1, and other standards, as well as the global expansion of data privacy and cybersecurity regulations.

To that end, an organization’s geographic location plays a crucial role in both compliance and data risk levels. This variation stems from differing levels of data sovereignty which depend on the localized cyber and privacy environment. Risks surrounding the concentration of the physical infrastructure underpinning the internet also pose a significant challenge, as seen in the case of Russia’s cyberattack on ViaSat’s services in Ukraine or the disconnection of undersea cables which happened in Scotland and France.

The adoption of collective resilience (creating shared supply chain and operational strength) is accompanying our broader understanding of the range of cyber risks, which is why collaboration is prioritized in national and international cyber strategies. As Alejandro Mayorkas, the Secretary of Homeland Security, noted, “We have to drive the entire ecosystem to be more cyber vigilant.”

Developing Interos’ Enhanced Cyber Risk Model

Tackling Key Challenges in the Cybersecurity Landscape

Development of this new model addresses two core challenges:

  1. Aggregating Data into Intuitive Formats: The difficulty of integrating disparate data sets in a timely manner and presenting them in an intuitive, explorable format. We recognize that many cybersecurity tools are designed for information security professionals, making them inaccessible to others involved in risk management.
  2. Understanding Behavior: The importance of understanding both threat actors’ and defenders’ behaviors and integrating that knowledge to identify the most relevant risks.

Cyber has an interesting data problem in that there is a data deluge and a data desert at the same time – meaning there is so much data, but it’s not always the relevant data. The Interos model addresses the above challenges by focusing on integrating and presenting the range of these trends (over individual data points) to capture the core areas of vulnerabilities, threats, compliance, and adverse cyber events. Through this holistic approach we can provide a comprehensive view of cybersecurity risks across the entire supply chain ecosystem, from vendors and service providers to critical infrastructure and sensitive data.

We also built on the extensive community work behind NIST’s National Vulnerability Database (NVD) of CVE records and MITRE’s ATT&CK framework, accounting for both opportunistic and targeted threats by identifying the industries and groups most susceptible to targeting and the vulnerabilities most likely to be exploited. Our approach also focused on quantifying data risks across locations by merging different data types to capture the diverse data sovereignty and global risk environments, a project we presented at the Black Hat conference a few years ago.
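How CVE data and ATT&CK group information can be folded into one prioritization, as an added example written for this article and not the Interos model or its weights: a constructed software inventory is matched against constructed advisory records (the CVE ids and group names are placeholders, not real records), then scored by CVSS with extra weight for known in-the-wild exploitation (the opportunistic threat) and for groups that target the reader's sector (the targeted threat). The weights and the group-to-sector mapping are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """One entry from a supplier's software inventory (SBOM/SaaSBOM style)."""
    vendor: str
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    """A simplified vulnerability record of the kind NVD publishes for a CVE."""
    cve_id: str
    vendor: str
    product: str
    fixed_in: str             # first version that is no longer affected
    cvss: float               # base score, 0-10
    exploited_in_wild: bool   # e.g. listed on CISA's Known Exploited Vulnerabilities catalog
    attck_groups: frozenset   # ATT&CK groups seen using it (hypothetical mapping)


def parse_version(v):
    """Numeric tuple so that 2.10 sorts after 2.9 (string comparison gets this wrong)."""
    return tuple(int(part) for part in v.split("."))


def is_affected(component, advisory):
    """Vendor/product must match and the installed version must predate the fix."""
    return ((component.vendor, component.product) == (advisory.vendor, advisory.product)
            and parse_version(component.version) < parse_version(advisory.fixed_in))


def prioritize(inventory, advisories, groups_targeting_my_sector=frozenset()):
    """Return (component, advisory, score) triples, highest score first.
    Score = CVSS base, +3.0 if exploited in the wild, +2.0 if a group that targets
    this sector is known to use it. These weights are illustrative assumptions."""
    findings = []
    for comp in inventory:
        for adv in advisories:
            if not is_affected(comp, adv):
                continue
            score = adv.cvss
            if adv.exploited_in_wild:
                score += 3.0
            if adv.attck_groups & groups_targeting_my_sector:
                score += 2.0
            findings.append((comp, adv, round(score, 1)))
    findings.sort(key=lambda f: (-f[2], f[1].cve_id))
    return findings


# Constructed inventory and advisories; ids, vendors and group names are placeholders.
INVENTORY = [
    Component("examplevendor", "transferapp", "2.9"),
    Component("examplevendor", "transferapp", "2.10"),
    Component("othervendor", "webproxy", "1.4.2"),
]
ADVISORIES = [
    Advisory("CVE-0000-0001", "examplevendor", "transferapp", "2.10", 9.8, True, frozenset({"group-alpha"})),
    Advisory("CVE-0000-0002", "othervendor", "webproxy", "1.5.0", 7.5, False, frozenset({"group-beta"})),
    Advisory("CVE-0000-0003", "othervendor", "webproxy", "1.4.0", 5.3, False, frozenset()),
]

if __name__ == "__main__":
    # Assume the reader's sector is one that "group-beta" is known to target.
    for comp, adv, score in prioritize(INVENTORY, ADVISORIES, frozenset({"group-beta"})):
        print(f"{score:5.1f}  {adv.cve_id}  {comp.product} {comp.version} (fixed in {adv.fixed_in})")
```

Two details matter in practice and are easy to get wrong: version comparison must be numeric (the 2.10 install is correctly treated as patched), and an advisory whose fix predates the installed version (the third record) must not match at all, or the list fills with noise that hides the exploited 9.8.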

Implications and Value: Uncovering Hidden Cyber Risks and Enabling Proactive Measures

The implications of this new model are vast. It highlights areas of risk that often are not brought together, allowing users to take action to decrease cyber risk. This may include reaching out to critical suppliers that may be at risk and coordinating a plan to elevate their defensive posture, or identifying those key parts of their supply chain located in areas where the data may be more at risk due to an adverse regulatory environment.

The Interos model surfaces a range of cyber risks, while contextualizing those risks within a broader supply chain risk framework. For instance, users can identify who might be at high cyber risk as well as high financial risk, since these suppliers may not have the resources to grow their defensive posture or could be extremely vulnerable to insolvency if attacked given the cost of breaches.

Personal Observations: Expanding Access to Cyber Risk and Addressing Global Challenges

Two particular aspects of this project are especially important to me, in terms of their ability to address broader systemic challenges across the industry that have significant implications for the future:

  • Addressing the cyber industry’s gatekeeper problem, which restricts risk assessment access to those with information security technical expertise. Interos’ updated model marks a significant stride towards broadening access to cyber risk assessment outside of an enterprise’s Security Operations Center.
  • Further integrating supply chain risk and cyber risk, particularly in the context of a re-globalized world economy, technological bifurcation, and the geopolitical fracturing of the internet. This integration is essential for fostering cyber vigilance and tackling the challenges presented by emerging technologies and global competition.

A modernized approach to cyber risk will be an essential tool for organizations exploring how to adapt to a changing global order whose shifts are being felt across supply chains, geopolitics, and technology development. Interos’ enhanced model for evaluating cybersecurity risk across supply chains signifies a significant step towards that goal.

By expanding access to meaningful cybersecurity information, through a multi-factor, supply chain-wide approach, we can enable organizations to proactively manage and mitigate risks on a far greater scale than ever before, bringing non-cyber experts into the decision room, and fostering resilience and success in this ever-evolving global landscape.

Satellite Supply Chain Concentration Risk: Starlink and the U.S. Dominate the Market

 By Geraint John

Satellites are becoming the new supply chain battleground in critical infrastructure as countries seek to bolster their military capabilities and national security against the threat of war.

However, this is not some James Bond-style plot in which rival powers vie for control of space-based nuclear weapons, as in the 1995 film GoldenEye, but something more prosaic: a quest for bomb-proof internet connectivity.

Ukraine’s success in stemming the Russian army’s advances across its territory has been credited, at least in part, to its access to Starlink, a constellation of more than 3,000 low-orbit satellites owned and operated by Elon Musk’s company, SpaceX.

Ukraine’s military relies on Starlink’s fast, reliable internet access to share battle plans, co-ordinate operations and target Russian positions.

In the words of a Ukrainian soldier quoted in a recent Economist article: “Starlink is our oxygen.” Without it, “our army would collapse into chaos”.

The Satellite Supply Chain: Low Orbit, High Potential

Other nations concerned about their vulnerability to attack and the security of their land- and seafloor-based fiber-optic cables for internet traffic, are keeping close tabs on Ukraine’s experience.

Taiwan, which has seen tensions with China escalate during the past year, is reported to be seeking private investment to establish its own satellite communications network.

China itself has submitted plans for a 13,000-satellite constellation, Russia has designs on a 264-satellite network, while the European Union agreed late last year to begin developing its own low-orbit system.

Japan, South Korea and Australia are among other countries looking to operate similar constellations of their own in the future.

Unlike traditional geostationary Earth orbit (GEO) communication satellites, which fly more than 35,000km above the planet’s surface, low-Earth orbit (LEO) satellites operate much closer to home.

Starlink’s satellites orbit just 550km from Earth, which means they can receive and transmit data much faster, making high-bandwidth internet streaming and video services possible.

Other benefits include the fact that:

  • They communicate with users on the ground via portable and easily powered receiving equipment
  • Their (stronger) signals are harder to jam
  • Russian efforts to hack them have so far been ineffective
  • Because there are hundreds of satellites serving each location, physically taking the network down – through, say, a missile attack – would require enormous scale and vast expense.


America’s World Domination May Lead to Imbalanced Supply Chains

The United States dominates global satellite ownership, with 63% of the almost 5,500 commercial, military, civil and government satellites launched to date, according to data compiled by the Union of Concerned Scientists (UCS), a U.S.-based nonprofit organization.

Its dominance in LEO satellites – which comprise 86% of the total satellite population – is even more pronounced, thanks to Starlink.

The U.S. owns almost 50 times as many LEO communication satellites as Russia, and almost 90 times more than China, according to UCS.

Building on this data, Interos has created a satellite concentration and diversification metric. The metric demonstrates the resilience the U.S. has in this area, with extremely high satellite diversification, whereas Russia and China are both rated a high concentration risk.

This is good news for supply chains in the U.S., but those in less diversified areas may increasingly be more prone to internet disruptions or complete blackouts.

Taiwan has just one GEO communications satellite, through a joint venture with Singapore’s telecoms provider, while Ukraine doesn’t own any and relies on those of its allies.

Communications Satellites Owned by Selected Countries.

While Considering Future Satellite Trends, Beware Single Sources in Space

Aside from the potential for cyber interference in this newly critical and rapidly expanding infrastructure, from a supply chain perspective the main risk is arguably the extreme concentration of suppliers.

At present, Starlink is a de facto monopoly for customers outside of China and Russia, because its parent SpaceX dominates launch capacity. Its Falcon 9 rockets took off more than 60 times last year, and each is capable of carrying over 50 LEO satellites.

Rivals Blue Origin, owned by Jeff Bezos, the United Launch Alliance – a joint venture between Boeing and Lockheed Martin – and France’s Arianespace are all in the process of readying new rockets.

UK-based OneWeb – which partners with France’s Eutelsat and Airbus – is currently dependent on SpaceX after its access to Russian launch facilities was scuppered last year. And Virgin Orbit last month failed in its inaugural attempt to launch nine LEO satellites from British soil using a rocket mounted below a reconfigured 747.

Interos has implemented a new satellite concentration risk score, which evaluates the concentration of accessible communication satellites in a country. A country with more satellites, or with broader access to them, receives a high score and faces less risk of satellite disruption. This score currently rates France as very high risk – even higher than Russia and China – whereas the UK is medium risk. Diversification should therefore be an important objective for these and other countries over the next few years.
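The article does not publish how the Interos score is computed, so the following is an added illustration rather than Interos’s metric. It applies the standard Herfindahl-Hirschman Index (HHI) to the idea in the text: a country whose accessible satellites come from many operators is diversified, while one that depends on a single operator carries concentration risk, and a country with very few accessible satellites is exposed regardless. The satellite counts, operator names, the minimum-fleet cutoff and the 0.15 / 0.25 HHI bands (borrowed from antitrust practice) are all constructed assumptions for the example. It also computes how much access would survive if the largest single supplier withdrew service, which is the single-source scenario the article raises.

```python
"""Illustrative satellite-access concentration scoring (added example).

This is NOT Interos's proprietary metric, which the article does not
publish. It applies the Herfindahl-Hirschman Index (HHI) to constructed
data: HHI runs from near 0 (many equal suppliers) to 1.0 (one supplier).
"""

# Constructed sample: accessible LEO communication satellites per country,
# broken down by operator. Counts and operator names are illustrative and
# are NOT the UCS figures quoted in the article.
ACCESS = {
    # Seven operators, 500 satellites each: broad, diversified access.
    "Country A": {f"Operator{i}": 500 for i in range(7)},
    # Large fleet, but every satellite belongs to one operator.
    "Country B": {"OperatorX": 3000},
    # Modest fleet spread across five operators.
    "Country C": {"OperatorQ": 30, "OperatorR": 25, "OperatorS": 25,
                  "OperatorT": 20, "OperatorU": 20},
    # No accessible communication satellites at all.
    "Country D": {},
}

# Assumed thresholds (not from the article): fleets smaller than this are
# rated "very high" risk before any diversification is considered.
MIN_SATELLITES = 100
HHI_MEDIUM = 0.15   # antitrust-style band: below this is unconcentrated
HHI_HIGH = 0.25     # above this is highly concentrated


def hhi(operators):
    """HHI of supplier shares; an empty fleet is treated as fully concentrated."""
    total = sum(operators.values())
    if total == 0:
        return 1.0
    return sum((n / total) ** 2 for n in operators.values())


def risk_band(operators):
    """Map fleet size and HHI to a coarse risk band (assumed cutoffs)."""
    total = sum(operators.values())
    if total < MIN_SATELLITES:
        return "very high"
    h = hhi(operators)
    if h > HHI_HIGH:
        return "high"
    if h > HHI_MEDIUM:
        return "medium"
    return "low"


def surviving_share_without_largest(operators):
    """Fraction of access that remains if the largest supplier withdraws.

    This models the single-source scenario: a dominant operator restricting
    or withdrawing service leaves only the other suppliers' satellites.
    """
    total = sum(operators.values())
    if total == 0:
        return 0.0
    return (total - max(operators.values())) / total


def score_all(access):
    """Return {country: (hhi, band, surviving_share)} for a table of access data."""
    return {
        country: (round(hhi(ops), 4), risk_band(ops),
                  round(surviving_share_without_largest(ops), 4))
        for country, ops in access.items()
    }


if __name__ == "__main__":
    for country, (h, band, survive) in score_all(ACCESS).items():
        print(f"{country}: HHI={h:.3f} risk={band:<9} "
              f"access left if largest supplier withdraws={survive:.0%}")
```

Country B is the instructive case: a large fleet scores well on raw count, yet its HHI of 1.0 and zero surviving access under supplier withdrawal flag exactly the concentration risk the article warns about. Country C, with far fewer satellites, is rated only medium because its access is spread across five operators.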

While industry analysts expect there to be four or five active competitors in this global market eventually, for now SpaceX can call the shots.

For example, although it abandoned a suggestion in October that it would start charging Ukraine for its services, it has restricted use of its network in Russian-occupied territory such as Crimea, according to The Economist.

Government, military and commercial procurement chiefs would therefore be wise not to put all of their bets in this new space race on Mr. Musk’s satellite network, which may well become the next frontier in supply chain concentration risk.