We live in a complex world. In the technology space, nowhere is this truer than in our supply chains. There are few companies today that don’t rely on products, services, and software provided by third parties. Many organizations have dozens of external contractors and suppliers.
This creates severe problems for cybersecurity. As the recent SolarWinds attack, attributed to Russia, clearly demonstrated, your suppliers' security posture is intimately connected with your own. A successful breach of their systems can be the springboard for an attack on yours.
In this article, we’ll look at what the recent hack can teach us about supply chain cybersecurity, delve into the state of supply chain security more broadly, and then share some practical tips on protecting yourself.
Let’s start here. News that SolarWinds had been hacked first surfaced in December 2020. The severity of the attack became apparent almost immediately: SolarWinds, a major supplier of software to the US military, held contracts with many federal agencies. This meant that the hackers, who were "likely Russian in origin" according to a joint statement from four federal agencies, were able to reach data held by, or on behalf of, a large number of organizations.
Contrary to initial reports, it now appears that the intrusion reached as many as 250 organizations. The attackers did not break into each victim separately: they inserted a backdoor into an update of SolarWinds' Orion platform, and customers installed the trojanized update through the normal, trusted update channel, which gave the attackers a foothold inside every affected network.
Bitsight estimates the attack could cost cyber insurers up to $90 million, a large figure but still much lower than one would expect given the scale of the attack. One explanation is that US government agencies generally don’t buy cyber insurance, so their losses will not be covered by insurers.
All in all, this attack constituted one of the most serious breaches of the last five years. Its most troubling feature, however, was the vector: victims were compromised not through a weakness of their own but through a trusted update from a vendor, which has led many in the industry to reconsider how to protect IoT and supply chains from emerging threats.
Anatomy of a Supply Chain Hack
The problem of supply chain hacks is easy to understand and extremely difficult to solve. Our economy, which is more complex than ever – especially when it comes to tech tools and services – is partly to blame. Even small companies now rely on software tools provided by dozens of suppliers. Few firms – and not even the federal government, it seems – are able to perform enough audits to ensure that all of their suppliers are hardened against attacks.
Mandating that level of assurance is difficult without destroying the very dynamism that has made the tech sector so successful. Some have proposed a technical solution: a system of certificates, guarantees, and encryption similar to the one that protects consumer-facing websites. Signatures alone would not have stopped SolarWinds, though: the trojanized update was signed with a valid SolarWinds certificate, because the attackers compromised the build process itself, so the signature proved who published the update, not that the build was clean. In any case, it is hard to imagine widespread support for such a scheme in a tech industry that still prefers to “move fast and break things” rather than be tied to restrictive and potentially expensive additional regulation.
Beyond basing purchasing decisions on reputation alone, there seem to be few options for those who rely on third-party software, which is to say most companies and even most smart cities. Reputation is far from a perfect yardstick. As the SolarWinds attack, the FireEye breach it enabled, and others before them have shown, no one is completely safe from attack.
Mitigating Supply Chain Risk
Supply chain attacks are difficult for companies to prevent because of the complexity of the average supply chain. Given this, what the typical company can realistically do is limit the potential damage of such an attack while also limiting its legal liability for it.
For most companies, this means relying on the compliance frameworks that are (or should be) already an essential part of doing business. Some of these frameworks, such as PCI DSS, explicitly require that third-party service providers be assessed and monitored, which gives some assurance that suppliers “further up” the supply chain have themselves had to demonstrate compliance before they could sell into the market.
There are also a number of frameworks which, while not legally required, can help companies limit their exposure to supply chain risk. The best known is Common Criteria (ISO/IEC 15408), the scheme government agencies use to have the security claims of IT products independently evaluated before the products are procured. It is currently one of the most rigorous standards available for limiting exposure to third-party risk.
Finally, and more pragmatically, companies should take steps to limit their liability in the event of a supply chain hack, and so avoid the bankruptcy that such an event can otherwise lead to. This means signing contracts with third-party suppliers that hold them accountable for attacks that originate in their systems.
It also means being very careful about how and where you use open-source software, whose licences disclaim warranty, so that no such liability can be agreed upon. According to Sonatype's 2020 State of the Software Supply Chain Report, supply chain attacks targeting open-source projects are a major issue for enterprises, since 90% of all applications contain open-source code and 11% of those have known vulnerabilities. Because that risk cannot be contracted away, the only real mitigation is to know exactly which components you ship, pin their versions, and check them against published vulnerability data.
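The check just described, as an added example for this article (it is not GlobalSign's or Sonatype's code): a small offline software-composition audit that parses a pinned requirements file, flags every component whose pinned version falls inside a known-vulnerable range, and separately flags components that are not pinned at all, since an unpinned dependency cannot be audited reliably. The lock file and the advisory list are constructed for illustration and the advisory IDs are placeholders, not real CVEs; in practice the advisory data would come from a feed such as OSV or the GitHub Advisory Database.

```python
"""Offline software-composition check: which pinned open-source components
fall inside a known-vulnerable version range?

Added example for this article; not GlobalSign's or Sonatype's code.
The lock file and advisories below are CONSTRUCTED for illustration and
the advisory IDs are placeholders, not real CVEs.
"""
import re

# Constructed pinned requirements file (the shape of a requirements.txt lock).
REQUIREMENTS = """\
# constructed lock file for illustration
requests==2.24.0
PyYAML==5.3
cryptography==3.4.7
flask>=1.0          # not pinned: cannot be audited reliably
"""

# Constructed advisories: package, affected version range, placeholder id.
ADVISORIES = [
    {"id": "ADV-0001 (placeholder)", "package": "pyyaml",   "affected": ">=5.1,<5.4"},
    {"id": "ADV-0002 (placeholder)", "package": "requests", "affected": "<2.20.0"},
    {"id": "ADV-0003 (placeholder)", "package": "pyyaml",   "affected": "<5.2"},
]

_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">":  lambda a, b: a > b,
    "<":  lambda a, b: a < b,
}
_CLAUSE = re.compile(r"\s*(==|!=|>=|<=|>|<)\s*([0-9A-Za-z.]+)\s*")
_PIN = re.compile(r"([A-Za-z0-9_.-]+)\s*==\s*([0-9A-Za-z.]+)$")
_NAME = re.compile(r"^[A-Za-z0-9_.-]+")


def parse_version(text):
    """Turn '5.3.1' into a comparable tuple of ints. Trailing zeros are
    dropped so that 2.24 == 2.24.0; a non-numeric tail such as 'rc1' is
    ignored (good enough for release versions, not a full PEP 440 parser)."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def version_in_range(version, spec):
    """True if `version` satisfies every comma-separated clause in `spec`."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = _CLAUSE.fullmatch(clause)
        if not m:
            raise ValueError(f"bad version clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def parse_requirements(text):
    """Return ({name: version} for exact pins, [names that are not pinned])."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = _PIN.match(line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:
            unpinned.append(_NAME.match(line).group().lower())
    return pinned, unpinned


def audit(requirements_text, advisories):
    """Return a sorted list of (package, version, advisory_id) for each pinned
    component inside an affected range, plus (name, None, "UNPINNED") for
    components whose version is not fixed and so cannot be checked."""
    pinned, unpinned = parse_requirements(requirements_text)
    findings = []
    for adv in advisories:
        name = adv["package"].lower()
        if name in pinned and version_in_range(pinned[name], adv["affected"]):
            findings.append((name, pinned[name], adv["id"]))
    findings.extend((name, None, "UNPINNED") for name in unpinned)
    return sorted(findings, key=lambda f: (f[0], f[2]))


if __name__ == "__main__":
    for pkg, ver, ref in audit(REQUIREMENTS, ADVISORIES):
        print(f"{pkg:<14} {ver or '-':<10} {ref}")
```

On the constructed input the audit reports PyYAML 5.3 against the placeholder advisory whose range is >=5.1,<5.4, clears requests 2.24.0 (outside <2.20.0), and reports flask as unpinned. The unpinned finding is the one teams most often overlook: a range specifier means the component actually deployed is whatever the resolver picked on the day of the build, so there is nothing definite to compare against an advisory.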
The Bottom Line
Unfortunately, it’s difficult to imagine the threat of supply chain attacks disappearing anytime soon, if only because third-party software suppliers are such a central part of the contemporary economy. Because of this, and despite some analysts claiming that AI management of these networks would be more secure than human oversight, we’re going to have to get used to attacks like the one that hit SolarWinds.
Thankfully, with the right liability structures in place, you can at least limit the resulting monetary and legal fallout.
Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign.