We live in an increasingly connected world. Globalization, the gradual shift towards a borderless economy, is ever-increasing and seemingly inevitable. This broadening scope and increased openness brings plenty of opportunity and of course, plenty of risk. Businesses and entities that previously had to worry about dealing with a handful of local suppliers must now contend with, and manage, scores of internationally located suppliers, who in turn are dependent on disparate and diverse suppliers, and so on down the line.
Awareness of this interconnectivity pays dividends, just as ignorance surely has a price. Sophisticated bad actors won’t just target your organization directly; they’ll attempt take-downs and incursions across your entire supply chain. 80% of all security breaches originate in the supply chain, and 45% of all cyber breaches are attributable to past partners. According to William Evanina of the National Counterintelligence Center (in testimony to the Senate Intelligence Committee in 2018), “A growing set of threat actors are now capable of using cyber operations to remotely access traditional Intelligence targets, as well as a broader set of US targets including critical infrastructure supply chains.”
But where is this threat originating from?
Cyber supply chain threats come from many directions. But it’s helpful to break them down into four primary categories.
- International Organized Crime – The perpetrators of infamous hacks like WannaCry, NotPetya, and similar attacks. International hacking groups are one of the greatest and most consistent threats facing businesses today. Whether they’re holding systems for ransom, stealing credit card info, or conducting a thousand other nefarious schemes, they’ll target almost any and every institution with a vulnerability.
- Nation States – State-based hacking groups form another pillar of the cyber threat gazebo. Nation states are turning to hacking with increasing frequency, using supply chain cyber attacks to steal national secrets, disrupt economic activity, influence elections, and more.
- Hacktivists – A broad term applied to those conducting hacking activities not motivated by profit or aligned with the interests of a specific nation-state. This category could include jihadist groups as well as Anonymous.
What nations are the most active hackers and why?
From a western perspective, the biggest threats are doubtlessly China, Russia, North Korea, and Iran. They’re easily some of the most cyber-aggressive nations out there and are traditionally opposed to western interests. These nations devote considerable effort to hacking because it’s simply more bang for their buck. Cyber-enabled supply chain attacks can now result in vastly disproportionate economic harm compared to the minimal resources required to execute the attack, thanks in part to the exponentially growing global digital supply chain. This is called Cyber-Enabled Economic Warfare.
Cyber-Enabled Economic Warfare (CEEW) is best-defined as “A hostile strategy involving attack(s) against a nation using cyber technology with the intent to weaken its economy and thereby reduce its political and military power.” To be considered CEEW, an attack must fit the following criteria:
- Cyber Enabled
- Intended to cause economic harm
- Damage must be enough to degrade a nation’s security capabilities
- Motivated by strategic intent
A threat is considered to be “motivated by strategic intent” if it is carried out at the behest of a state entity and is in alignment with that nation’s strategic goals. Some common cybersecurity supply chain threats include:
- Computer hardware delivered with malware installed
- Malware that is inserted into software or hardware post-delivery
- Software vulnerabilities in supply chain software applications
- Counterfeit computer hardware
- Loss of intellectual property shared with supply chain partners
- 3rd party access to IT networks, customer information or operational control systems
- Poor information security practices by lower-tier suppliers
- Rogue, malicious, or naïve inside employees
To get an idea of the damage a single supply-chain cyber-attack can cause, one need look no further back than 2017, to the days of NotPetya. NotPetya is, confusingly, the name of a specific variant of malware in the “Petya” family of ransomware. The software targets Windows-based systems, infecting the master boot record with a payload that encrypts the hard drive’s file system table and stops Windows from booting. In 2017 this variant was used to initiate a global cyber attack that primarily targeted Ukraine. The attack quickly rippled throughout the global supply chain, shutting down businesses around the globe. The following list illustrates the cost of NotPetya:
- Pharmaceutical company Merck – $870,000,000
- Delivery company FedEx (European subsidiary TNT Express) – $400,000,000
- French construction company Saint-Gobain – $384,000,000
- Danish shipping company Maersk – $300,000,000
- Snack company Mondelēz (parent of Nabisco and Cadbury) – $188,000,000
- British manufacturer Reckitt Benckiser – $129,000,000
The attack left global shipping magnate Maersk, which represents 20% of the world’s shipping capacity, dead in the water: unable to read ships’ inventory files or accept orders, and therefore unable to move freight or conduct even basic commerce. While the company has publicly stated that the attack cost them $300 million, that estimate is believed to understate the actual cost. Moreover, those figures don’t reflect the costs borne by the many suppliers and logistics companies dependent on Maersk. The unreimbursed costs for affected trucking companies alone were estimated to be in the tens of millions.
Wired’s report on the incident effectively characterizes the attack and what it illustrated about the interconnectedness of the global economy, stating that NotPetya was “…the story of a nation-state’s weapon of war released in a medium where national borders have no meaning, and where collateral damage travels via a cruel and unexpected logic: Where an attack aimed at Ukraine strikes Maersk, and an attack on Maersk strikes everywhere at once.”
So how can you proactively defend your supply chain? It all starts with knowing your vendors. We recommend taking the following steps to start securing your supply chain. Remember, there’s a 0% chance your supply chain hasn’t been compromised. You need to know where, when, and what your level of risk exposure is. That means you should:
- Map your supply chain and identify your most important vendors
- Identify your sub-tier suppliers with critical IT components or software embedded in your products and systems
- Know, WITHOUT A DOUBT, what information or IT systems your vendors can access
- Review vendor personnel practices
- Ensure the CISO’s team is integrated into the procurement process, vendor assessments and vendor management
- Conduct regular briefings on the threat environment and track the reporting and remediation of vulnerabilities
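The first three steps above (map the supply chain, find the sub-tier suppliers behind critical components, and know exactly what each vendor can access) can be made concrete as a small data model. The following script is an added example, not code from the original article or from any vendor it mentions; every vendor, component, system name and access grant in it is constructed sample data. It builds the supplier graph, walks it to surface sub-tier suppliers that sit behind more than one critical system (a shared point of failure of the kind NotPetya exposed), and flags vendors holding access their role does not justify.

```python
"""Added example: supply-chain mapping and vendor access review.

All vendors, components, systems and access grants below are constructed
sample data for illustration; they are not real organisations.
"""
from collections import deque

# Constructed: each vendor and the sub-tier suppliers it depends on.
SUPPLIERS = {
    "acme-erp": ["cloudhost-a", "libvendor-x"],
    "cloudhost-a": ["dc-power-co"],
    "libvendor-x": ["oss-maintainer-y"],
    "payroll-inc": ["cloudhost-a"],
    "cafeteria-co": [],
}

# Constructed: critical internal systems and the direct vendor that supplies them.
CRITICAL_COMPONENTS = {
    "order-management": "acme-erp",
    "hr-system": "payroll-inc",
}

# Constructed: internal systems each vendor currently has credentials for.
ACCESS = {
    "acme-erp": {"erp-db", "order-api"},
    "payroll-inc": {"hr-db"},
    "cafeteria-co": {"badge-system", "erp-db"},  # a food vendor reaching the ERP database
}

# Constructed: what each vendor's contracted role actually requires.
JUSTIFIED = {
    "acme-erp": {"erp-db", "order-api"},
    "payroll-inc": {"hr-db"},
    "cafeteria-co": {"badge-system"},
}


def sub_tier_suppliers(vendor, graph=SUPPLIERS):
    """Return every transitive sub-tier supplier of `vendor` (BFS, cycle-safe)."""
    seen = set()
    queue = deque(graph.get(vendor, []))
    while queue:
        supplier = queue.popleft()
        if supplier in seen:
            continue
        seen.add(supplier)
        queue.extend(graph.get(supplier, []))
    return seen


def critical_exposure(components=CRITICAL_COMPONENTS, graph=SUPPLIERS):
    """Map each critical system to the full vendor set (direct plus sub-tier) behind it."""
    return {name: {vendor} | sub_tier_suppliers(vendor, graph)
            for name, vendor in components.items()}


def shared_sub_tier(components=CRITICAL_COMPONENTS, graph=SUPPLIERS):
    """Vendors that sit behind more than one critical system: one outage hits several."""
    counts = {}
    for vendors in critical_exposure(components, graph).values():
        for vendor in vendors:
            counts[vendor] = counts.get(vendor, 0) + 1
    return {vendor for vendor, n in counts.items() if n > 1}


def excess_access(access=ACCESS, justified=JUSTIFIED):
    """Vendors holding access to systems their role does not justify, with the excess listed."""
    findings = {}
    for vendor, grants in access.items():
        excess = grants - justified.get(vendor, set())
        if excess:
            findings[vendor] = sorted(excess)
    return findings


if __name__ == "__main__":
    for system, vendors in critical_exposure().items():
        print(f"{system}: depends on {sorted(vendors)}")
    print("shared sub-tier suppliers:", sorted(shared_sub_tier()))
    print("excess access:", excess_access())
```

In a real review the `SUPPLIERS` and `ACCESS` tables would be populated from procurement records and the identity provider's vendor accounts rather than typed in; the point of the script is that the questions the checklist asks (who is behind what, and who can reach what) become queries over data you hold, instead of assumptions.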