6 July 2020

Viewpoint: Hackers Putting Global Supply Chain at Risk

By Steven D. Carter

“Cybersecurity really is a supply chain problem” that encompasses the telecom carriers that are used by businesses, the hardware and software that supports organizational workflow, and the cloud assets that so many organizations are leveraging today, Richard George, former National Security Agency technical director of information assurance and current senior advisor for cybersecurity at Johns Hopkins University Applied Physics Laboratory, recently said in a speech to cybersecurity professionals.

“It’s not just the government that’s a target, everybody’s a target,” he added.

Part of the problem is that “there is no risk aversion” for these bad actors. No one stands trial for their behavior while the Chinese deny their role in this activity and say, “not us, not us,” George said.

Kevin O’Marah, former manufacturing and supply chain contributor to Forbes, wrote, “Where once we worried about localized mistakes or oversights upstream, now we worry about cataclysm, potentially at the hands of actors bent on destruction. The new world of supply chain risk means preparation for widespread, systemic disruption in our immediate future.”


He continued: “As with war and natural disasters, cyber threats have the potential to kick off systemic failure, meaning a sort of domino effect whereby ordinary preparedness fails to overcome infrastructure, communication and human breakdowns.”

To defend against cyber criminal intent to disrupt and “own” the global supply chain, George observed that corporations must be on guard, be careful of untrustworthy entities within the supply chain, ensure transparency throughout the supply chain, force strategic partners to prove their cybersecurity posture, and limit entanglement with companies/countries that don’t respect intellectual property rights.

“People today are putting those holes in because they want easy access to the targets, and we are the targets,” said George. He noted that every aspect of the global supply chain must be put under the microscope of cybersecurity, including distribution, processes, people, reputation, manufacturing, research and development, transportation, logistics and facilities.

Leading cybersecurity researchers are in line with what George and O’Marah have said. In fact, Zac Rogers, assistant professor of supply chain management at Colorado State University, said, “Purchasing people tend to think of cybersecurity as an information systems problem.” But his research indicates that two-thirds of breaches are a result of a supplier or third-party vulnerabilities.

Soha Systems, now Akamai Technologies, reported a similar finding of 63 percent of breaches caused by third-party providers.

Mark Carrizosa, director of information security at Akamai, said, “The results of our survey highlight the disconnect between IT priorities and the urgent need to mitigate third-party data breaches. … The survey shows enterprises have vastly underestimated the resources required to deal with such breaches, even as their need to provide secure third-party access continues to grow.”

In light of breaches connected to the vulnerable third-party suppliers of Walmart, Equifax, Apple, Target, CVS, CNN and others, Derek Brink, vice president and research fellow at the business intelligence firm Aberdeen Group, said, “For business reasons, organizations are increasingly providing third parties with access to their IT infrastructure, but IT and security leaders really need to help their business leaders understand the risks of third-party access and take steps to help manage these risks to an acceptable level.”

One of the telecom companies under scrutiny recently in relation to posing a risk to the telecom side of the supply chain is Huawei, a Chinese company closely tied to the Communist Party and government of China. As a result, U.S. politicians and intelligence agencies are cautious about the intentions, actions and products produced by the company.

John Suffolk, Huawei’s global cybersecurity and privacy officer, inadvertently showed that the problem is not as simple as software and hardware being produced by the U.S. economic adversary, China.

Here are Suffolk’s own words: “Our [research-and-development] center for microwave is based in Milan, yet we take our compression algorithms from the world’s best scientists and mathematicians in Moscow. And then we apply that to Chinese technology and manufacturing.”

Unfortunately, all along the way, there is plenty of room for bad actors to get into the game of tweaking their aspect of the supply chain to access data that isn’t their own.
George in his address to the RSA conference in 2018, reminded the audience that nation-states are the primary malevolent actors attacking the global supply chain and that all countries spy. He went on to explain that permitting a foreign country to maintain infrastructure or supply components for U.S. systems allows them access to those systems.

When asked about the rapid expansion of supply chain attacks, George explained that once an attack is successful, copycats easily replicate it; and as larger entities fortify their supply chains, the criminal intent moves to the next easiest target — mid-size organizations and state/local governmental agencies.

In researching and speaking to these supply chain cybersecurity professionals, the question was, “What can be done about cybersecurity vulnerabilities in the supply chain?”

The answers most commonly given by these experts were that companies should design incident protocols, implement protected software update systems, narrow third-party access to systems, inspect and secure current infrastructure, insist on transparency with strategic partners, and lock in due diligence throughout the lifecycle of the organization’s IT components.

The good news for business leaders is that bad actors — even governments with billions of dollars at their disposal — are not all-powerful. George said their access to resources, their capability, their intent/motive, their risk aversion, and their access to the systems they want to compromise are all, as he describes, “limiting factors” to their harmful desires to create damage and cause chaos in the global marketplace.

Although Huawei is under global scrutiny, Suffolk said, “You cannot bolt quality onto a product, and nor can you bolt on cybersecurity. Cybersecurity must be built into everything that you do. … Many cybersecurity threats come from the very inside. So, if you do not know what the incentives are, the disincentives, the rules and regulations, many attacks can be perpetrated by insiders.”

In today’s global marketplace, the people and companies within an organization’s supply chain can easily be considered to be “insiders” with enough access to cause harm, he said.

The harm that can be done though supply chain cyber attacks, however, is not limited to damage to the economy. The Defense Department is also reliant upon global supply chains. The department comprises the nation’s warfighting abilities, moving more equipment, people and supplies globally than any other agency or organization. A state actor having access to this data through porous networks and cyber vulnerabilities presents a major problem.

Speaking to the 12,000 suppliers and 24 global distribution centers that make up his purview of the defense supply chain, Army Lt. Gen. Darrell Williams, director of the Defense Logistics Agency stated, “The technology that we are using to run that global network of warehouses that feeds into and supports all of our military services is quite old, 25 or 30 years old.”

However, there is good news. Progress in securing the defense supply chain is being made.

The Government Accountability Office recently removed the Defense Department supply chain from its own internal “high risk” list because of progress made within the department.

A GAO report stated that: “From 2014 to 2017, we identified 18 actions and outcomes DoD needed to implement in order for its supply chain management to be removed from our High-Risk List. In our 2017 High-Risk Report, we reported that DoD had made progress in addressing 11 actions and met the criteria of leadership commitment, capacity and action plan for asset visibility and materiel distribution.”

However, the department needed to take additional steps to fully implement the remaining seven actions and outcomes related to the monitoring and demonstrated progress criteria. “We are removing DoD Supply Chain Management from the High-Risk List because, since 2017, DoD has addressed the remaining two criteria (monitoring and demonstrated progress) for asset visibility and materiel distribution by addressing the seven actions and outcomes identified in our 2017 High-Risk Report,” the GAO said.

The takeaway from these professionals is that the security of global commercial and military supply chains is not something that can be bolted onto an organization and that of its suppliers.

Cybersecurity has to be baked into the entire process for end-to-end supply chain protection. 

Steven D. Carter is a Harvard senior executive fellow specializing in strategy, business and information technology, and an adjunct professor of business at the University of Maryland Global Campus-Europe.

No comments: