Shore up supply chain security (now say that 5x fast)

Supply chain security was once a backburner issue, if an issue at all. But for the last 15 months, the security industry has had to face the music on supply chain risk—and it’s not going away soon.

From extended shipping delays to empty store shelves, we’ve collectively experienced firsthand what happens when the supply chain breaks down (panic, at best). As more and more industries digitize, having a strong cybersecurity posture becomes a pivotal link in that chain.

How to protect against supply chain security risk

Supply chains have been pelted over the last 15 months with an ongoing barrage of volatility. The COVID-19 pandemic dramatically shifted demand while pushing employees out of traditional offices and into their homes. Growing trade conflicts rendered supply chain hardware and software at risk of weaponization. And significant changes in industrial regulation heaped expensive penalties and restrictions on already-stressed businesses.

In other words, conditions were ripe for cybercriminals to wreak havoc. While consumers and organizations worried about disruptions to actual supplies, security teams around the world—including those at SolarWinds—missed the big red flag of data access risk by adversaries all-too-happy to compromise sub-tier suppliers to get to the big game. Meanwhile, for organizations dependent on suppliers (all of them), the hurricane of uncertain market forces and economic turmoil was strengthened by an increasing number of sophisticated cyberattacks.

That’s likely why cybercrime was at an all-time high in 2020, bolstered by confusion and fear brought on by the pandemic. This year, high-profile ransomware attacks on vital infrastructure, such as the Colonial Pipeline and JBS breaches, continue to underscore the need to confront supply chain security challenges with unique solutions. Only by combining the resources and brainpower of security professionals with other strategic thinkers across disciplines, in private and public sectors, can we properly address supply chain security.

Public sector: laws, law, and order

Luckily, that sort of collaboration has already begun. The public sector stepped up to the cyber plate, with action happening in the state legislature up to the executive branch. On the law enforcement side, crackdowns on malware families and ransomware gangs have ticked up in 2021, with Emotet finally defeated in a multi-country, multi-agency effort, and Clop ransomware taken down by investigators from Ukraine and South Korea.

While the US government has historically lagged on technology regulation, the pace has quickened recently with several new laws and an executive order introduced to improve cybersecurity infrastructure and data privacy, as well as bring together disparate groups for better security alignment—particularly for those devices and software used in supply chains.

On May 12, President Joe Biden signed an Executive Order (EO) with sweeping proposals to upgrade federal cybersecurity, including massive changes to its procurement processes, such as requiring that suppliers provide a Software Bill of Materials (SBoM) to help organizations manage risk and learn which vulnerabilities exist in the products they use.

In addition, the EO includes a set of criteria to evaluate the security practices of developers and suppliers, and it proposes a labeling system to identify vendors that have gone above and beyond the baseline, essentially codifying resilience as a competitive edge.

The IoT Cybersecurity Improvement Act, meanwhile, aims to tighten up standards for IoT devices owned or operated by the federal government. The bill directs the National Institute of Standards and Technology (NIST) to draft and publish IoT standards with a focus on secure development, identity management, patching, and configuration. After NIST publishes its guidelines, contractors and vendors must follow up by publishing coordinated vulnerabilities disclosure policies.

Then there are the many data privacy bills that have been introduced in the less than five years since the California Consumer Privacy Act (CCPA) blazed the way in the US. Data privacy and asset management are two areas of upmost importance for supply chain security, and they happen to be central to much of the recent regulatory action happening in Congress.

A major risk factor for sharing data across technology platforms with suppliers is the unknown degree to which that data is secure and private—especially at the sub-tier level.
Since the CCPA was introduced in 2018, 29 other states have proposed data privacy bills mostly centered on consumer rights.

A federal data privacy law introduced in March 2021 would, if passed, provide businesses with a consistent, comprehensive national data privacy infrastructure. In preparation for these data privacy laws, organizations should begin a dialogue with their data teams to assess risk and ensure compliance.

Public sector: regulations and sanctions

If one of the greatest risks on the digital supply chain is unfettered data access, what happens when you share data with international entities known to use information technology to surveil, repress, and manipulate foreign and domestic groups? Over the last two years, the US government has sought to come down on suppliers from countries with authoritarian digital policies.

Recent regulations and sanctions by the Departments of Defense, Treasury, and Commerce on industrial suppliers (primarily in China) therefore help to reduce digital supply chain risk, as well as physical. According to Andrea Little Limbago, PhD, Vice President of Research and Analysis at Intero in her RSA presentation “Supply Chain Resilience in a Time of Techtonic Geopolitical Change,” the US is increasingly employing industrial policy as a tool of economic statescraft.

In 2019, the Department of Defense levied prohibitions on five Chinese companies and their affiliates. That same year, the Department of Treasury doled out financial penalties exceeding $1 billion.

Between 2019–2020, the Department of Commerce added over 350 Chinese-based companies to a list of those not allowed in the supply chain for such violations as possible connection to weapons of mass destruction and human rights concerns. In 2021, expect more to be added from other countries, such as Russia and Saudi Arabia.

Between all the new laws regulating procurement process, data privacy, access management, and even secure development, organizations will have their hands full with domestic compliance alone. Add to that keeping an eye on economic sanctions levied against international suppliers, and it’s looking to be another insane year for enterprise cybersecurity.

However, it’s important to keep in mind that the standards put forth by these bills and regulations often represent a minimum security requirement for organizations. Lowest common denominator won’t cut it against the combined forces weaking organizations’ supply chain security. That’s why IT and security professionals must apply due diligence to protect against supply chain risks. A few recommended steps:

  • Ensure that your partners and suppliers are also secure by auditing existing suppliers for risk and evaluating new suppliers’ security during the acquisition process.
  • Prioritize asset management by tracking all data stored, segmenting networks, and restricting access to the most sensitive data.
  • Catalogue the software products used at your organization and document their components (and vulnerabilities) in SBoMs.
  • Share SBoMs or other attestations using a standardized set of repositories and channels called a Digital Bill of Materials (DBoM).
  • Conduct scenario planning with tabletop war games or an internal think tank. Don’t forget to test both digital and physical worst-case scenarios.

For more information on supply chain security, read this article from CPO Magazine:

To learn how the US government plans to crack down on ransomware attacks on the supply chain and other vital infrastructure, check out this article on Malwarebytes Labs:

A TLDR version of President Biden’s Executive Order on Improving the Nation’s Cybersecurity: