NotPetya, WannaCry, ShadowPad, and Sunburst may or may not be household names, but these malware, and many more, have unleashed significant harm on the world.
One such instance of malware was used to attack an IT services company in Dublin that supplies security software to scores of large cybersecurity contractors. Working through the company, hackers infected hundreds of its clients worldwide with ransomware, and demanded USD 50,000–5 million from each business in exchange for the decryption key.
Earlier this year, another attack hit an American IT software company, and subsequently infiltrated nine U.S. federal agencies, including the Office of the President, and the Treasury and Commerce Departments.
These attacks targeted software vendors or IT companies to gain backdoor access to their clients’ systems, infecting hundreds or thousands of systems in one go.
This is perhaps how “supply chain” got its name – each part of the process stream is inevitably linked to another.
ICT supply chain cyberattacks are on the rise – the European Union Agency for Cybersecurity (ENISA) estimates a four-fold growth in attacks in 2021 versus 2020. The risk is compounded because vulnerabilities can be introduced at any phase of the ICT life cycle.
The impact of these breaches is also set to grow with the increasing interconnection of IT systems across organizations, sectors and countries. In a 2019 survey by Gartner, 60% of organizations reported working with more than 1000 third parties.
Upon successful infiltration, cybercriminals enjoy free rein to conduct cyber espionage, steal data and intellectual property, or extort money through ransomware attacks. From 2019 to 2020, the number of Kaspersky users encountering targeted ransomware – malware used to extort money from high-profile targets such as corporations, government agencies, and municipal organizations – increased by 767%.
The wider public is not spared. An attack on a grocery chain could force the temporary closure of supermarkets, or a virus may be unleashed on millions of PC users through a software update. Taking it further, the compromise of systems providing healthcare or public utilities may disrupt the provision of these essential services.
Since 2020, national cybersecurity strategies have been released or updated across Asia-Pacific, including in Singapore, Malaysia, Australia and Japan. Vietnam, India and Indonesia are soon expected to release their own national strategies too.
But when it comes to ICT supply chain resilience, the solution is more complex in view of the multitude and range of stakeholders involved. Some governments have intervened:
- In 2018, the U.S. Department of Homeland Security established the ICT Supply Chain Risk Management Task Force, a public-private partnership to develop consensus on risk management strategies to enhance global ICT supply chain security.
- The Australian Cyber Security Centre published guides this year for businesses to identify cybersecurity risks associated with supply chains, and to manage these risks.
- The Cybersecurity Agency of Singapore announced that it will shortly launch a CII Supply Chain Programme for stakeholders to adhere to international best practices and standards for supply chain risk management.
The Way Ahead
Globally, countries and international organizations (e.g., INTERPOL, the UN, ASEAN, Europol) have taken steps to tighten cooperation and share best practices:
- Multilateral platforms – The United Nations Group of Governmental Experts and Open-ended Working Group are platforms used by countries to develop consensus around cyber processes and norms. Conferences such as the UN Internet Governance Forum provide further opportunities for discussion: in 2020, Kaspersky, together with our partners, organized a workshop on the need for, and ways to develop, assurance and transparency in global ICT supply chains.
- Bilateral partnerships – Countries around the region, including Vietnam, India, Japan, Singapore, China and South Korea, have committed to MOUs on various aspects of cybersecurity.
It is also imperative to have more targeted conversations on global ICT supply chain resilience, given the wide-ranging types of actors and impact involved globally.
Nationally, governments must continue to drive nationwide efforts to establish a baseline level of cybersecurity across sectors through laws, regulations, guidelines, training requirements and awareness building.
Given the integrated nature of ICT supply chain resilience, there is a need to develop core principles (e.g., security-by-design), technical standards and legislative/regulatory frameworks to ensure a consistent level of cybersecurity and accountability across stakeholders. Self-assessment tools can also be published to facilitate implementation.
Individually, everyone is responsible for ensuring our collective cybersecurity. Businesses that develop products and maintain systems must lead the way.
At Kaspersky, we believe that transparency in the components within and connections across software supply chains is the best way to ensure the integrity and trustworthiness of our digital infrastructure. Our commitment to this principle is evidenced by our Global Transparency Initiative, under which we:
- Welcome third parties to review our source code. Recently, we made it easier for our partners and the public to understand what is inside our products by providing a software bill of materials – a list of all the components, information about them, and the relationships between them.
- Practise responsible vulnerability disclosure and have, on many occasions, alerted IT companies regarding vulnerabilities in their systems, averting several potentially significant cyberattacks.
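The value of a software bill of materials lies in what a consumer can do with it: walk the component list, follow the declared relationships, and answer "which of my shipped products pulls in this affected component?". The script below is an added illustration of that, not Kaspersky's code or a real SBOM from any product. It uses the CycloneDX JSON shape (a `components` array keyed by `bom-ref`, and a `dependencies` array of `ref` / `dependsOn` edges), but the component names, versions and advisory identifiers are all constructed placeholders.

```python
"""Walk a CycloneDX-style SBOM: index components, follow dependency edges,
and flag which products transitively include a component listed in an
advisory feed. All data below is constructed for illustration."""
import json
from collections import defaultdict

# Constructed sample SBOM in CycloneDX-like JSON. Names, versions and refs are made up.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"bom-ref": "app", "name": "example-agent", "version": "3.2.0", "type": "application"},
        {"bom-ref": "updater", "name": "example-updater", "version": "1.0.1", "type": "library"},
        {"bom-ref": "tls", "name": "tls-lib", "version": "2.4.7", "type": "library"},
        {"bom-ref": "json", "name": "json-parser", "version": "0.9.3", "type": "library"},
        {"bom-ref": "log", "name": "log-lib", "version": "5.1.0", "type": "library"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["updater", "tls", "log"]},
        {"ref": "updater", "dependsOn": ["json", "tls"]},
        {"ref": "tls", "dependsOn": []},
        {"ref": "json", "dependsOn": []},
        {"ref": "log", "dependsOn": []},
    ],
})

# Constructed advisory feed: (name, affected version) -> advisory id.
# Placeholder identifiers, not real vulnerabilities.
SAMPLE_ADVISORIES = {
    ("json-parser", "0.9.3"): "ADVISORY-PLACEHOLDER-1",
    ("tls-lib", "2.4.6"): "ADVISORY-PLACEHOLDER-2",   # shipped version is 2.4.7, so not affected
}


def load_sbom(text):
    """Parse SBOM JSON and return (components_by_ref, dependency_graph).
    Rejects edges that point at refs the SBOM never declares, since such an
    SBOM cannot be trusted to describe the product completely."""
    doc = json.loads(text)
    comps = {c["bom-ref"]: c for c in doc.get("components", [])}
    graph = defaultdict(list)
    for dep in doc.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            if child not in comps:
                raise ValueError(f"dependency edge to unknown ref {child!r}")
            graph[dep["ref"]].append(child)
    return comps, graph


def affected_components(comps, advisories):
    """Map bom-ref -> advisory id for every component whose (name, version) is listed."""
    return {ref: advisories[(c["name"], c["version"])]
            for ref, c in comps.items()
            if (c["name"], c["version"]) in advisories}


def dependents_of(graph, target):
    """Return the set of refs that transitively depend on `target` (reverse reachability)."""
    reverse = defaultdict(set)
    for parent, children in graph.items():
        for child in children:
            reverse[child].add(parent)
    seen, stack = set(), [target]
    while stack:
        node = stack.pop()
        for parent in reverse[node]:
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def impact_report(sbom_text, advisories):
    """For each affected component, list every product or library that pulls it in."""
    comps, graph = load_sbom(sbom_text)
    report = {}
    for ref, adv in affected_components(comps, advisories).items():
        report[ref] = {"advisory": adv, "dependents": sorted(dependents_of(graph, ref))}
    return report


if __name__ == "__main__":
    for ref, info in impact_report(SAMPLE_SBOM, SAMPLE_ADVISORIES).items():
        print(f"{ref}: {info['advisory']} reaches {info['dependents']}")
```

The point of the reverse walk is that an SBOM consumer rarely cares about the vulnerable library in isolation; it needs the list of shipped artefacts that transitively contain it, which is exactly the "relationships between them" part of the bill of materials. Rejecting dangling `dependsOn` references up front stops an incomplete SBOM from silently producing an empty, and therefore falsely reassuring, impact report.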
Cybersecurity is everyone’s business because our collective cybersecurity is only as strong as that of the weakest link among us. To remain ahead of the game, a holistic approach involving all stakeholders is required. It is imperative to take a long-term approach to designing the cybersecurity ecosystem, which includes building a strong talent pipeline to meet the needs of CERTs, forensic analysis teams and IT departments, and designing CII that is secure-by-design.
The ideas above are by no means an exhaustive list, but hopefully they provide an idea of where to begin – together – in view of the long way that lies ahead of us.