Strengthening ICT supply chain resilience is everyone’s business

The ICT supply chain is a complex, global interconnected system that encompasses the entire life cycle of ICT hardware, software, and managed services and a wide range of entities.
27 December 2021

Supply chain resilience is crucial for organizations to be prepared for and withstand any form of unexpected event. This includes not only disruption to the supply chain from cyberattacks but also other factors such as national disasters and the like.

Having sturdy supply chain resilience enables organizations to respond to and recover from incidents quickly. This not only avoids disruptions but also keeps customers satisfied and improves the overall performance of the company.

Supply chain resilience has been critical in 2021, as disruptions across industries made headlines throughout the year. The same holds for the ICT supply chain, where building resilience can be a rather more complicated process.

The Cybersecurity and Infrastructure Security Agency (CISA) describes the ICT supply chain as a complex, global interconnected system that encompasses the entire life cycle of ICT hardware, software, and managed services and a wide range of entities, including third-party vendors, suppliers, service providers, and contractors.

But the reality is that ICT supply chain cyberattacks are on the rise globally. The European Union Agency for Cybersecurity estimates a fourfold growth in attacks in 2021 compared to 2020. The risk is compounded because vulnerabilities can be introduced at any phase of the ICT life cycle, from design through development, production, distribution, acquisition, and deployment to maintenance.

The impact of these breaches is also set to grow, given the increasing interconnection of IT systems across organizations, sectors, and countries. In a 2019 survey by Gartner, 60% of organizations reported working with more than 1000 third parties.

Genie Sugene Gan, Head of Government Affairs, Asia-Pacific, Kaspersky. (Source – Kaspersky)

ICT supply chain attacks are increasing

For Genie Sugene Gan, Kaspersky Head of Government Affairs, Asia-Pacific, what these attacks have in common is their modus operandi. Hackers targeted software vendors or IT companies to gain backdoor access to their clients’ systems, infecting hundreds and thousands of systems in one go.

Gan believes that this is perhaps how the “supply chain” got its name, whereby each part of the process stream is inevitably linked to another. When one part gets affected, a domino effect soon follows.

For example, malware was recently used to attack an IT services company based in Dublin, which supplies security software to scores of large cybersecurity contractors. Working through the company, hackers infected hundreds of its clients worldwide with ransomware and demanded between US$50,000 and US$5 million from each business in exchange for the decryption key.

Another example was earlier this year when a cyberattack hit an American IT software company, and subsequently infiltrated nine U.S. federal agencies, including the Office of the President and the Treasury and Commerce Departments.

“While the impact on governments and enterprises may feature more prominently, the wider public is not spared. An attack on a grocery chain could force the temporary closure of scores of supermarkets, or a virus may be unleashed on millions of PC users through a software update,” Gan pointed out. “Taking it further, the compromise of systems providing healthcare or public utilities may disrupt the provision of these essential services. And these are the very day-to-day things that affect individuals like you and me.”

Supply chain resilience for all

Gan highlighted that when it comes to ICT supply chain resilience, the solution needs to be more intricate in view of the multitude (and range) of stakeholders involved. Some governments have intervened, with a focus on protecting the ICT supply chains of Critical Information Infrastructure (CII).

In 2018, the U.S. Department of Homeland Security established the ICT Supply Chain Risk Management Task Force, a public-private partnership to develop consensus on risk management strategies to enhance global ICT supply chain security. The Task Force has released guidelines on the sharing of supply chain risk information, and risk considerations for managed service provider customers.

Gan also felt that when it comes to resilience, the global nature of ICT supply chains necessitates a stronger, coordinated response at every level. Globally, countries and international organizations (e.g., INTERPOL, the UN, ASEAN, Europol) have taken steps to tighten cooperation and share best practices.

For example, the United Nations Group of Governmental Experts and Open-ended Working Group are platforms that can be used by countries to develop consensus around cyber processes and norms. Conferences such as the UN Internet Governance Forum provide further opportunities to discuss at the working level. In 2020, Kaspersky together with its partners organized a workshop to discuss the need and ways to develop assurance and transparency in global ICT supply chains.

“While each of these platforms plays an important role in building consensus, exchanging knowledge and best practices, and harmonizing standards, moving forward, it is imperative to have more targeted conversations on global ICT supply chain resilience, given the wide-ranging types of actors and impact involved globally,” commented Gan.

On a national level, Gan added that governments must continue to drive nationwide efforts to establish a baseline level of cybersecurity across sectors through laws, regulations, guidelines, training requirements, and awareness building. The examples above provide a sense of some of the measures undertaken by governments.

“Given the integrated nature of ICT supply chain resilience, there is a particular need to develop core principles like security-by-design, technical standards, and legislative or regulatory frameworks to ensure a consistent level of cybersecurity and accountability across stakeholders. Self-assessment tools can also be published in addition to facilitating implementation,” said Gan.

At the same time, Gan also mentioned that cybersecurity is everyone’s business because collective cybersecurity is only as strong as that of the weakest link among users. To remain ahead of the game, a holistic approach involving all stakeholders is required.

“We must look beyond playing catch-up and reacting to cyber threats. It is imperative to take a long-term approach in designing the cybersecurity ecosystem, which includes building a strong talent pipeline to meet the needs of CERTs, forensic analysis teams, and IT departments, and designing CII that is secure-by-design,” she concluded.