Supply Chain Cyber Security

Updated: Sep 23, 2022


Cyberwarfare, cyberespionage, and cyberterrorism are no longer solely government problems. In the past few years, it has become clear that both public and private industries are being attacked more and more often. The first type of attack is intended to harm or halt a specific company and its operations. This typically takes the form of a Denial of Service (DoS), malware or ransomware attack. The attackers might be nation-state actors who want to gain an edge by compromising inside information or intellectual property. The second type of attack targets multiple entities. Again, the attackers may be nation-state-sponsored hackers, but their focus in this instance is stealing classified information from a foreign government. This information may be used to predict an enemy government's intentions or disrupt its activities.


The possibility of a successful compromise at both the public and private levels requires governments to remain constantly aware of threats and to be prepared to deploy sufficient resources to protect themselves. Companies must take further measures to protect their brand, which is likely their most valuable commodity. Hackers can ruin an individual's or a company's reputation instantly. An early example is the compromise of HBGary Federal by the hacker group Anonymous back in 2011. The attack ruined people's careers, and their dirty laundry was released on the Internet for all to see. HBGary, Inc. was acquired in early 2012 and never heard from again. A targeted cyberattack can cause irreversible damage to a company's brand. Remember, this breach happened over a decade ago. The digital battlefield in 2022 is much more complex and convoluted. Today, these kinds of security breaches happen so often that they go under the radar or are never reported. Underestimating today's cybercriminals has catastrophic results.


Intelligence Agencies and Foreign Governments

Firmware and software are often the targets of a cyberattack. When firmware and software are targeted, changes to the design or tampering with the product are used to gain unauthorized backdoor access at a later date.


According to reports from 2020, the Chinese electronics firm Huawei had access to the mobile phone networks it helped construct and that are currently in use worldwide. It had been employing backdoors designed ostensibly for law enforcement for over a decade, and it can be assumed that many of these backdoors are still in place. This information was revealed to the United Kingdom and Germany at the end of 2019, after the United States had detected such access to 4G equipment since 2009. Although 5G technology is the new kid on the block (the world's first 5G network launched as recently as 2019), its supply chain security issues are still ripe for attack in 2022 and are actively being exploited.


For example, given the growing investment in 5G technology by the US Department of Defense, past supply chain cyberattacks present multiple reasons to be cautious when evaluating key players in the global 5G market and the newly emerging enterprise open-source solutions. Possibilities for 5G include global situational awareness in real time, smart hypersonic weapons with on-the-fly retargeting, rich access to mission-critical data at the front lines of conflict, and autonomous drones that can fly safely alongside passenger aircraft in commercial airspace. 5G promises ubiquitous high-speed data connectivity, which will allow for vastly improved intelligence, surveillance, and reconnaissance (ISR), as well as faster and more secure command and control, more efficient logistics, swarming unmanned vehicles, and widespread use of augmented and virtual reality for mission rehearsal and training. It would be devastating to a country's security if a foreign nation-state acquired backdoor access to any of these technologies through a weakness in the supply chain.


Supply Chain Cyberattacks

Cybercriminals seek the easiest targets to hack, regardless of the data they contain; such targets are commonly known in cybersecurity as "low-hanging fruit." A company's or organization's supply chain is vulnerable at each and every stage, and cybercriminals target its weakest links.


A compromise can take various forms and is frequently challenging to detect. The attack could be the work of a "nation-state threat actor," which means that a foreign government is trying to break into a company. The target is often a company that controls a nation's critical infrastructure, and the foreign government wants to gain a competitive edge by finding methods to steal data or intellectual property and disrupt services. Some nation-states have been known to infiltrate these companies by recruiting foreign nationals to work for years as well-respected engineers and software developers for target companies. Once in, these foreign nationals make malicious changes to the design of products, insert backdoors, and send classified product designs back to their home government.


The most recent software supply chain compromise in July 2022 involves a new large-scale cryptocurrency mining campaign targeting the NPM JavaScript package repository. The attack consists of a collection of 1,283 malicious modules published automatically from over 1,000 user accounts.


NPM, or Node Package Manager, gives developers access to hundreds of thousands of JavaScript packages. This makes it an attractive target: attackers either maliciously alter one or more of these libraries or deceive programmers into installing backdoored, identically or similarly named packages, enabling malware injection into the libraries and apps that depend on the code.
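As an added example (not code from the original post), here is a small Node.js check a defender could run over a project's manifest and lock file: it flags dependency names within one edit of a short allowlist of well-known packages, and lock-file entries resolved from somewhere other than the expected registry. The allowlist, the sample package.json and the package-lock fragment are all constructed for illustration.

```javascript
// Added example, not code from the original post. Flags two supply-chain signals
// in an npm project: dependency names that are a near-miss of a well-known package
// (lookalike names), and lock-file entries resolved outside the expected registry.
// The allowlist, manifest and lock fragment below are constructed sample data.
const KNOWN_PACKAGES = ["lodash", "express", "react", "axios", "chalk"];
const TRUSTED_REGISTRY = "https://registry.npmjs.org/";

// Classic Levenshtein edit distance (insert/delete/substitute each cost 1).
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Dependency names that are NOT on the allowlist but sit within maxDist edits of one.
function findLookalikes(deps, known = KNOWN_PACKAGES, maxDist = 1) {
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (known.includes(name)) continue; // exact well-known name: nothing to flag
    const match = known.find((k) => levenshtein(name, k) <= maxDist);
    if (match) findings.push({ name, resembles: match });
  }
  return findings;
}

// Lock-file "packages" entries (package-lock v2/v3 shape) fetched from elsewhere.
function findUntrustedSources(lockPackages, registry = TRUSTED_REGISTRY) {
  return Object.entries(lockPackages)
    .filter(([, meta]) => meta.resolved && !meta.resolved.startsWith(registry))
    .map(([path, meta]) => ({ path, resolved: meta.resolved }));
}

// Constructed sample input: "expres" is one character short of "express".
const samplePackageJson = {
  dependencies: { lodash: "^4.17.21", expres: "^4.18.0", chalk: "^5.0.0" },
};
const sampleLock = {
  "node_modules/lodash": { resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz" },
  "node_modules/expres": { resolved: "https://mirror.example.invalid/expres/-/expres-4.18.0.tgz" },
};
```

Run it against a real project by loading package.json and the "packages" object of package-lock.json with JSON.parse and passing them to the two functions; a hit is a prompt to review, not proof of compromise.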


It follows a pattern similar to the supply chain attacks on SolarWinds and Kaseya. In its 2022 Data Breach Investigations Report, Verizon revealed that supply-chain-based breaches account for approximately 10 percent of all cybersecurity incidents.


Supply Chain Risk Management Program

China, Russia, and Iran have been identified as significant sources of supply chain cyberattacks in North America and Europe. North Korea is close behind. Companies, organizations, and governments must initiate a Cyber-Supply Chain Risk Management (C-SCRM) program if they want to combat these threats.


All members of the executive management team must be committed to a Cyber-Supply Chain Risk Management (C-SCRM) program, and that commitment must extend to every level and every department. Without a top-down approach, the rest of the organization will not see supply chain security as mandatory and, therefore, won't enforce it. Every individual and department must collaborate to succeed as a whole. The responsibility does not lie solely with the security team.


A systematic approach to evaluating potential risks in the supply chain is required. Identifying, assessing, and prioritizing critical assets, systems, processes, and suppliers should all be part of creating a C-SCRM program. Still, many organizations cannot identify all of their assets, which has led to devastating security breaches.


The ability to monitor suppliers' compliance with agreed-upon security requirements is of the utmost importance. Supply chain security requirements must be included in all terms of a contract with suppliers and vendors. Do they follow a Secure Software Development Lifecycle (SDLC)? Are they required to perform regular third-party security assessments?


By creating a shared threat platform for vulnerabilities, suppliers and vendors can work together to build mutually beneficial relationships that increase supply chain security.


J. Parks, CISO

Brightside Industries Group
