Cyber security, rightly, has been elevated to a board-level concern in recent years. As businesses and services across all sectors move increasingly online, cyber security is no longer the preserve of IT departments. At the same time, the ability to keep data safe has become an important metric by which to judge any organisation that wants to operate in the modern world. Beyond the considerable operational cost that a cyber security breach may inflict, the reputational damage from failing to prevent one, or at least failing to handle it effectively, can be costly or even catastrophic.
Against the backdrop of the coronavirus pandemic, national lockdowns, and a seismic shift toward remote working, it is vital that organisations take their cyber security seriously. Protecting your own enterprise seems obvious, but many companies lack the visibility and processes to protect one of the weakest links – their supply chains. If hackers can exploit a vulnerability within an organisation’s supply chain, they are effectively able to access that organisation through a “back door”. There are many examples of supply chain attacks, including network or computer hardware being compromised before it is installed or malware inserted into software at the development stage.
In 2020, the US technology firm SolarWinds fell victim to a sophisticated supply chain attack, with hackers inserting malicious code into its software development environment. The software, Orion, is widely used by companies across different sectors to manage their IT resources, including 425 of the Fortune 500 and both British and US government departments. The attack, widely attributed to nation-state hackers, was delivered through a routine software update, which customers unwittingly installed, giving attackers direct access to the heart of their networks. Once inside, attackers were able to move around the network unhindered, strengthening their foothold and stealing highly sensitive data.
It is hard to deny the level of skill and audacity required to execute such an attack. The incident is a stark reminder of both the sophistication of hostile actors and the degree of vulnerability that exists in today’s complex digital supply chain. But in the face of such sophistication, what steps can be taken to better mitigate the risk, and who has the responsibility for managing those steps?
Supply chain attacks seek to exploit situations of inherent trust. The SolarWinds incident was difficult to detect because the problem was well hidden, in a trusted software upgrade that companies simply accepted and deployed. Mitigating such attacks is challenging, but companies would do well to think about applying a zero-trust principle to their cyber security strategy. This includes incorporating role-based access controls, not just for users on their networks, but also for the applications and servers that they host. Segmenting or splitting company networks into smaller domains of trust will, at the very least, help to slow down any potential breaches.
A strong technology partner can inspire confidence, but, in the context of cyber security, there are no guarantees. Even high-profile technology brands aren’t without risk, and when it comes to auditing a supply chain, a vendor’s brand reputation should not serve as an excuse to be less rigorous. Companies need to ask questions at every opportunity, about every stage of every process, from the development life cycle to the manufacturing of a product, to the physical delivery of that product. Asking probing questions to assess a vendor’s supply chain security is a sound strategy for increasing trust.
The best security assessments have a clear understanding of what “good” looks like, and given the dynamic nature of cyber security, “good” is always a moving target. For their part, suppliers must recognise they have a significant role to play in managing supply chain risk. It is imperative that vendors take proactive steps to strengthen internal development processes and bake in controls to protect product and service integrity.
Technology vendors themselves often rely on an extensive set of external suppliers, and scrutiny must flow through all levels of the supply chain to build end-to-end integrity and trust. The dialogue between technology companies and policymakers also needs to evolve. Economic prosperity and national resilience have become reliant on digital technology and adversaries have clearly demonstrated their willingness to target the complex supply chains that underpin them. The Department for Digital, Culture, Media and Sport’s supply chain review, published in 2019, was a welcome move and has led to the Telecoms Security Bill, which will include new obligations on telecoms operators to scrutinise their supply chains.
But this should be viewed as a first step, not a panacea. The UK government should carefully consider further action to help manage the evolution of risk that comes with an increasingly digitised world. This doesn’t necessarily mean further regulation; however, should this be required, policymakers must strike the right balance between encouraging positive action and not creating barriers to market entry or stifling innovation.
Stronger advice and guidance from government, drawing on the work surrounding the Telecoms Security Bill, would serve other industry sectors well, especially those delivering critical services. Building a consistent set of supply chain security objectives and outcomes would benefit all parties by providing a common language through which to communicate expectations and understand risk.
Accountability and transparency are the keys to building trust in technology. Trust can no longer be implied and must instead be proven. It is pertinent to remind ourselves of the Russian proverb, ironically made famous by numerous US politicians: “Doveryai, no proveryai.” Trust, but verify.