Any organization that uses hardware and software, which means every corporation, today is facing an increasing risk to its cyber supply chain — and it is only going to get worse before it gets better. The SolarWinds attack in 2020 highlighted the cyber supply chain vulnerability as it was the first attack that had both a regional and global impact. Since then, bad actors have found success exploiting vulnerabilities in software (including third-party and open-source software) as well as hardware and firmware. According to one estimate, 45% of organizations worldwide will have experienced an attack on their software supply chain by 2025.
The global supply chain is susceptible to many different forms of disruption, from shipping delays to natural disasters. Currently, the greatest risk to the supply chain is its use as a cyberattack vector to infiltrate a network infrastructure of an organization and its customers. The attackers’ primary goal is to steal information, such as customer data, intellectual property, personally identifiable information, business proprietary, or trade secrets, and/or commit acts of sabotage. In most cases, the attackers seek to achieve economic advancement, competitive advantage, sometimes militarily, from these cyber supply chain attacks.
Addressing cyber supply chain risk involves a level of complexity that goes beyond traditional risk management; it requires, for example, conducting criticality and vulnerability risk assessments and developing an asset management system of an organization’s information and communications technology. For frequently targeted organizations like technology, media and telecommunications (TMT) companies, it means creating a robust cyber supply chain risk management program (C-SCRM) that is owned by an executive senior risk officer focused on breaking down the silos and segmenting vulnerabilities across the enterprise. A well-designed program can help companies understand and minimize threats to critical infrastructure, counter economic exploitation, avoid regulatory enforcement actions, reduce reputational harm, and gain and retain customer trust.
Earlier in the year, to bring some order to the existing chaos of supply chain risk management, President Biden signed Executive Order 14017 and Executive Order 14028. EO 14028 created the Department of Homeland Security (DHS) Cyber Safety Review Board. The establishment of the EOs brought about increased regulatory scrutiny and required compliance, especially for organizations doing business with the federal government, due to the severe nature of these vulnerabilities and attacks.
Take, for example, the Log4j cyber supply chain attack that occurred in December 2021. The first public report issued in July 2022 by the DHS Cyber Safety Review Board highlighted the significant and ongoing safety impact Log4j had on federal agencies and the digital ecosystem. In one notable example, the report cites how a targeted federal cabinet department dedicated 33,000 hours to Log4j vulnerability response to protect the department’s own networks. “These costs, often sustained over many weeks and months, delayed other mission-critical work, including the response to other vulnerabilities,” the report states.
How government actions impact companies
Over the long term, the EOs are expected to enforce best practices in organizations, especially those doing business with the federal government. This includes prime contractors, subcontractors and third-party vendors. What’s more, compliance cannot be assumed or faked; the U.S. Department of Justice is launching investigations using the False Claims Act, with the intention of identifying companies that claim to be compliant but are not.
The federal government also intends to increase the heat on contractors that are feigning compliance, as evidenced by budget increases in 2023 through 2025 that will fund more auditors, with the goal of potentially auditing on-site any company that has contracts with the government.
What TMT companies can do now
Securing the cyber supply chain should be a strategic priority for all organizations as the cyber threat continues to increase at an expected rate of 400% over the next two years. Organizations must remain fluid as the United States and other governments are still developing and establishing regulations, policies and guidance related to cyber supply chain risk. In the meantime, companies can take the following actions now to protect themselves.
- Obtain executive level commitment: Studies have shown that without executive level commitment, a supply chain risk management program will most likely fail. It is critical to involve multiple stakeholders to define the supply chain risk management program; otherwise, potential problems can arise, and executive level support can wane if there is a lack of proper due diligence.
- Perform an internal assessment: Organizations should conduct an internal assessment to determine what activities are performed across the enterprise to secure their cyber supply chain components and capabilities. Many organizations are still siloed in their respective areas, such as legal, security and IT. Therefore, there is a lack of holistic understanding and information sharing about the enterprise’s cyber supply chain vulnerabilities and mitigation actions.
- Identify critical systems, networks and information: To enable a C-SCRM, stakeholders should have a clear understanding of what constitutes a supply chain. It is critical to identify the systems, networks, software and personnel that make up the elements of a supply chain. Once identified, organizations can build a “bill of materials” for software, hardware and other components needed to define the supply chain. This effort is necessary to identify risks before they materialize and to determine where and when remediation or mitigation actions should take place when attacks occur.
- Conduct third-party due diligence: Rigorous assessment is critical to increase visibility into how third-party suppliers and service providers manage risks. The data gathered will also provide a clear picture of vendors that are providing key components and capabilities to the enterprise. Mitigating third-party risk starts with requiring (via contract) that partners perform their own due diligence to protect the supply chain. Businesses need to verify that partners are adhering to security best practices and be ready to audit those practices. Although the burden of proof may lie with a third party, organizations cannot delegate the mitigation of risk.
- Create ownership of the program: It may be prudent to assign a single executive owner within the organization who is responsible for the cyber supply chain management program. That person should collaborate with a team, including representatives from across the organization, to break down organizational silos and fragmentation.
Bottom line: Securing an organization’s cyber supply chain is not an easy task, especially when those security practices are fragmented and driven by a mix of regulatory and legislative requirements, executive orders, and third-party interactions. Being prepared for coming changes and requirements starts with gaining an understanding of what compliance requires and mapping that to the services and products offered by the business.
Establishing a cyber supply chain security and compliance program will strengthen an organization’s understanding of the criticality of threats and vulnerabilities while providing a mitigation plan and actions to address them on a continuous basis.