Only as Strong as the Weakest Link: Supply Chain Security

By CISO Editorial Team | May 07, 2021

The Trusted Supply Chain and Security

The supply chain is defined as “the entire process of making and selling commercial goods, including every stage from the supply of materials and the manufacture of the goods through to their distribution and sale.” For the system to function smoothly as a whole, every stage in the supply chain has to run seamlessly, without interruption or exploitation, and it needs to be secure. But with so many points in the chain, how is it possible to secure the whole system? No one had an answer to that when cyberattacks recently compromised the digital supply chain. The attack came as a shock and a surprise, and the trust chain was broken. Supply chain security became top of mind.

Two notable supply chain security attacks changed the threat landscape, bringing supply chain security into the media in 2018 and 2020. The hardware supply chain compromise of 2018 and the cybersecurity compromise of 2020 re-opened our eyes to a new kind of threat to a trusted, decades-old system. What we’ve learned from these two pivotal moments in history is that cyber adversaries are no longer just exploiting technology vulnerabilities, they are actually creating them and integrating them into our foundational technologies.

And just like with a physical chain, supply chain security is only as strong as its weakest link. With more sophisticated and emboldened cyber adversaries leaning heavily on those weak links, the entire supply chain has to become more resilient.

The Game-Changers for Supply Chain Security

Media reported in 2018 that foreign hardware manufacturing plants had placed tiny malicious implants on computer motherboards and network devices that were then shipped worldwide. This came as a shock to anyone who had never considered infiltration of the cyber hardware supply chain. Organizations that were already concerned about it were still trying to work out the best way to approach ubiquitous supply chain security when the attackers struck. This incident got us thinking about it more earnestly than ever before.

Then in 2020, a massive digital supply chain security incident occurred. A foreign intelligence service operation infiltrated a major US company supply chain to insert software vulnerabilities into updates that would be deployed to customers—infiltrating a single point on the chain to exploit and damage numerous targets. This incident is notable on both psychological and practical levels: psychologically because no one had anticipated the sophisticated techniques and intentions of these cyber adversaries. The incident has since tarnished the trust in things that many of us had taken for granted. And practically, because for those who were affected, it has left a significant amount of clean-up work to do. 

Prevention Before Detection in Supply Chain Security

These events have forced organizations to rethink trusted processes like patching software using updates from a known vendor. The first step in prevention is accepting the fact that software supply chain security is at risk. As a result, our national supply chain posture has to fortify itself against increased attempts to undermine hardware manufacturing, operating systems, applications, updates, and more. Compromising such operations allows adversaries to subvert once (by creating a vulnerability in a single point of the supply chain) while compromising many (by exploiting that vulnerability in many targeted systems).

Detection as a Means to Prevention in Supply Chain Security

In the wake of these and other incidents, organizations need to fortify and possibly even rethink their security postures with a new perspective combined with the right tools. Endpoint Detection and Response (EDR) is a highly effective tool to leverage the power of speed, automation, and visibility to identify and block suspected malicious behaviors. And similarly, User and Entity Behavior Analytics (UEBA) is a type of cybersecurity process that looks for the differences between normal and abnormal conduct to pinpoint evidence of an insider taking malicious actions. Both of these solutions should now be essential tools in the supply chain security kit.
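The UEBA idea described above, learning what “normal” looks like for each user and flagging departures from it, can be illustrated with a small baseline-versus-anomaly check. The following is an added example written for this summary; it is not code from the article, from Fortinet, or from any EDR/UEBA product. The logon events, user names and host names are constructed sample data, and the two signals it scores (a host the user has never logged on to, and a logon outside the user's usual hours) are assumptions chosen to keep the example readable.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LogonEvent:
    """One successful interactive logon (constructed sample record)."""
    user: str
    host: str
    hour: int  # local hour of day, 0-23


# Constructed "normal" history used to learn each user's profile.
BASELINE_EVENTS = [
    LogonEvent("alice", "ws-alice", 9),
    LogonEvent("alice", "ws-alice", 10),
    LogonEvent("alice", "fileserver", 14),
    LogonEvent("alice", "ws-alice", 17),
    LogonEvent("bob", "ws-bob", 8),
    LogonEvent("bob", "build-01", 11),
    LogonEvent("bob", "build-01", 15),
    LogonEvent("bob", "ws-bob", 16),
]

# Constructed new activity to score against the learned profiles.
NEW_EVENTS = [
    LogonEvent("alice", "ws-alice", 11),  # usual host, usual hours
    LogonEvent("alice", "dc-01", 3),      # never-seen host at 3 a.m.
    LogonEvent("bob", "build-01", 12),    # usual host, usual hours
    LogonEvent("bob", "hr-db", 13),       # never-seen host, working hours
]


def build_baseline(events):
    """Per-user profile: the set of hosts and the set of hours seen so far."""
    hosts = defaultdict(set)
    hours = defaultdict(set)
    for e in events:
        hosts[e.user].add(e.host)
        hours[e.user].add(e.hour)
    return {u: {"hosts": hosts[u], "hours": hours[u]} for u in hosts}


def score_event(event, baseline, hour_slack=1):
    """Return the list of reasons an event deviates from the user's profile.

    An empty list means the event matches the baseline. hour_slack widens the
    observed hour range by that many hours on each side to avoid alerting on
    an ordinary early start or late finish (an assumed tuning knob).
    """
    profile = baseline.get(event.user)
    if profile is None:
        return ["unknown_user"]  # no history at all: worth a look on its own
    reasons = []
    if event.host not in profile["hosts"]:
        reasons.append("new_host")
    lo = min(profile["hours"]) - hour_slack
    hi = max(profile["hours"]) + hour_slack
    if not lo <= event.hour <= hi:
        reasons.append("off_hours")
    return reasons


def detect_anomalies(new_events, baseline):
    """Score each new event; keep only those with at least one deviation."""
    alerts = []
    for e in new_events:
        reasons = score_event(e, baseline)
        if reasons:
            alerts.append((e.user, e.host, e.hour, reasons))
    return alerts


if __name__ == "__main__":
    profiles = build_baseline(BASELINE_EVENTS)
    for user, host, hour, reasons in detect_anomalies(NEW_EVENTS, profiles):
        print(f"ALERT user={user} host={host} hour={hour:02d} reasons={reasons}")
```

Run as a script, the example reports the two constructed deviations (alice on dc-01 at 03:00 with both a new host and off-hours, bob on hr-db with only a new host) and stays silent on the two routine logons. A real UEBA deployment replaces the hand-built sets with statistical profiles over far more attributes, but the control loop is the same: learn normal first, then alert on the difference.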

What We Need to Do Now with Supply Chain Security

Public and private organizations need to stop being surprised when attackers leverage new attack vectors. Instead, we need to embrace a proactive strategy that treats everything, including our supply chain, as a potential threat, and then adopt a security posture designed to stay ahead of the attackers. There is every indication that such out-of-the-box exploit strategies will become increasingly innovative and sophisticated. Cybersecurity is an ongoing battle, and to win we need to rethink our approach to every aspect of our digital lives, including paying more security attention to our hardware and software supply chains.

Government leadership and policy can help. We need to push for international policy and behavior standards in cyberspace, with clear consequences around critical infrastructure attacks and commercial IP theft. This will help establish clear policy on malicious cyber activity, prevent cyber adversaries from using international borders to escape prosecution, and will spell out repercussions for attacks on critical assets.

At the same time, business leaders need to advance strategic national supply chain security policies by implementing strategies designed to ensure the integrity of the manufacturing of critical things like pharmaceuticals, microchips, automated assembly operations, the software life cycle, critical infrastructure, and the defense industrial base.

The 2020 cyber supply chain security incident just might go down in history as one of those seminal events that helped raise the awareness needed to finally secure every point along our cyber supply chains. With every stage and every endpoint in the supply chain under scrutiny using tools like EDR, UEBA, and others, we can confidently move forward with our digital innovation efforts without exploitation. But only if we stay ahead of our cyber adversaries. 

This is a summary of an article written for Forbes by Phil Quade, CISO at Fortinet. The entire article can be accessed here.