How to protect your digital supply chain from Putin's Russia
Business has changed significantly over recent years. Increased complexity in digital landscapes, interoperability (the ability of computers to share and use information) and a growing reliance upon technology have increased the need for expert help – often part-time contractors in specialist areas who can fill in the missing piece of the puzzle at a fraction of the time, cost, or ramp-up effort involved in hiring a full-time equivalent.
Furthermore, the adoption of modular designs has led to the inclusion of multiple different third-party components in an application or service (such as IaaS, PaaS, and SaaS) rather than writing bespoke code for every function, as may have been the case in the past.
The attack on the MOVEit file transfer system is a good example of this. Whilst these components help to improve efficiency and time to market for new products and services, they can lead to fragmented security and less than ideal compliance with, and adherence to, company security policies, standards, procedures, and guidelines. This is especially so where third-party software components are included and developers may not have adequate visibility to evaluate the security of these modules diligently.
But it’s not just the outsourcing of software development or the inclusion of vendor modules that is of concern; it is the very fragmented nature of the supply chain itself. Ensuring that all of your third-party vendors follow recognised security standards, perhaps ISO 27001 or other internationally recognised standards, may not be sufficient anymore. Further questions now need to be asked of these third parties, such as: what security controls do you have in place, and when was your last cybersecurity audit?
For these reasons, third-party vendor and supplier risk is now considered one of the major open back doors to security. Not only have iconic UK brands including Boots and British Airways succumbed to the MOVEit breach, but many of those same brands were subject to another compromise of third-party payroll provider Zellis only a couple of months ago. Prior to that was the devastating attack on IT supplier Advanced, which caused significant damage to the NHS, putting patients at risk across the UK. Third-party vendor breaches have now become endemic. There has been such a spike in these types of attacks that the NCSC has issued fresh guidance to help organisations assess the cybersecurity risk of their suppliers.
Threats to our supply chains
Securing the entire supply chain can be very complex. We need to ensure that the vendors and suppliers of our vendors and suppliers are adhering to adequate security standards. Thus fourth-party and fifth-party security is also critical. For example, a Belgian vendor that outsources components of its software to a Dutch software house may be fine, but if that Dutch software development house then contracts North Korean, Russian or Chinese developers, any notion of security trust just went out of the window. This is especially so where autocratic governments or crime syndicates may instruct developers to insert special code or a backdoor into the software they write. We have seen this in China, where threats are made to those individuals or their families if they do not comply with instructions.
While this may sound like the plot of a Hollywood spy movie, corruption of the supply chain is a common occurrence. In one real-world example, top-end American Supermicro motherboards manufactured in China (PRC) were discovered in 2010 to contain a hidden substrate housing a spy chip that called home to the PRC. The motherboards were supplied to the US Congress and to Google and Apple, among others.
Putin’s war of aggression in Europe, together with the large number of Russian software developers now living outside of Russia, is also a rising concern. While background checks on employees and contractors may go some way to lessen risks, true agents of the Kremlin will likely be hard to spot with their watertight covers. Similarly, a large diaspora of Chinese academics, students, and workers may also pose national security concerns, as many countries in Europe and America have found to their own detriment after technology and defence secrets found their way into Chinese military systems.
Risk to UK businesses
Many UK businesses face an existential threat if they don’t seriously ramp up their security posture. However, according to the latest government data, only around one in ten businesses review the risks posed by their immediate suppliers (13%), and the proportion for the wider supply chain is just 7%. Worryingly, many believe that cybersecurity is not an important factor in the procurement process, whereas in fact the complete opposite is true.
Similar threats exist against UK critical national infrastructure (CNI) industries including the NHS, Royal Mail, and the National Grid. Arguably, the UK now faces a greater threat from cyberwarfare than from kinetic attack, though as we are seeing in Ukraine both forms of warfare are being used alongside one another.
Furthermore, the PRC is reported to have close to 100,000 PLA cyber warriors working for the state. Their job is to break into and compromise the critical and business systems of the rest of the world, to steal intellectual property and commercial trade secrets, and to establish footholds on CNI systems. While the war in Europe may be front-of-mind for many people, the threat from China is probably far greater. China plainly has massive cyberwarfare capacity. While Russia’s state cyber apparatus (the GRU and FSB, to name two agencies) may be much smaller, the country can and already has called upon the vast criminal mafia underworld of Russian hackers to support state-sponsored attacks, and does so with some level of plausible deniability for the Kremlin.
Is the UK ready to confront such devastating adversarial cyberwarfare capabilities? Only the MOD and GCHQ know the answer to that question.
Are UK businesses prepared to defend themselves against an imminent attack? It sadly seems unlikely, and a lot of iconic UK brands may disappear forever.
Despite some great guidance and advice from the NCSC to help organisations assess the cybersecurity risk of their suppliers, many UK businesses have yet to adequately prioritise cybersecurity. There is, after all, a saying that ‘you can lead a horse to water, but you can’t make it drink’.
About Richard Staynings
Richard Staynings grew up in the UK and is now an internationally renowned expert in the field of healthcare cybersecurity. He has presented at security conferences across the world and has served on various government Committees of Inquiry into some of the largest healthcare breaches. He serves as Chief Security Strategist for Cylera, pioneers in IoT and IoMT (Medical IoT) cybersecurity with offices in Cheltenham, Madrid and New York, and teaches postgraduate courses in cybersecurity and health informatics at University College Denver. Follow Richard on LinkedIn or at Cylera.