Securing the Digital Backbone: A Cybersecurity Tech Accord Blog Series on ICT Supply Chain Security

Over the next few weeks, the Cybersecurity Tech Accord is releasing a series of blogs from experts from across our company signatories exploring a pressing and complex issue: ICT supply chain security. Serving as the backbone of today’s interconnected world and the infrastructure of our daily lives, the ICT supply chain refers to the network of hardware, software, and other IT services that contribute to the development and distribution of digital products and services.[1] Sourced from different vendors from around the world, each of these components can represent a potential point of failure in a final product that could be exploited by malicious actors. These concerns are driving industry and governments alike to consider how best to protect the integrity of a global ICT supply chain upon which we all depend.

A growing threat with unique risk

Unfortunately, the ICT supply chain has become a prominent target for attackers in recent years. Beyond NotPetya in 2017 and SolarWinds in 2020, two of the largest cyberattacks to target the ICT supply chain via malicious software updates pushed to customers, the exploitation of vulnerabilities in the supply chain of ICT products has increased dramatically, becoming more sophisticated and severe. Earlier this year, in May 2023, the MOVEit supply chain attack compromised more than 130 global organizations including the BBC, Shell and British Airways, affecting the data of at least 15 million individuals. Orchestrated by cl0p, a ransomware group believed to be based in Russia, the attack was carried out by exploiting a zero-day vulnerability in a payroll system used by many organizations to facilitate secure file-sharing.

Also this year, in March 2023, Mandiant, a Cybersecurity Tech Accord signatory, responded to a supply chain compromise that affected the 3CX Desktop App, enterprise software that provides communications for its users including chat, video calls, and voice calls. The attack, suspected to have been orchestrated by a state-backed group named UNC4736, compromised 3CX using a malware-laced version of X_Trader, a commercial financial software package. In its investigation, Mandiant was not able to assess the exact number of users affected by this attack, but the incident was the first time the security firm observed a software supply chain attack leading to another software supply chain attack.

These examples illustrate the unique risk posed by attacks on the ICT supply chain. These attacks don’t merely impact a single intended target, but rather compromise every organization that uses a corrupted version of commercial software. They enable attackers to infiltrate large-scale networks by exploiting vulnerable and often small links in the ICT supply chain of digital products. They are inherently indiscriminate and leave impacted organizations with the challenges and costs of fixing their now-vulnerable systems, whether or not they were the intended target or were ultimately victimized by the attackers.

Industry solutions and government action

In response, industry and governments alike are working to develop meaningful solutions that will help organizations better understand the respective components of their software supply chain and evaluate them for risk. This means not only knowing your vendors and understanding their security posture, but increasingly also knowing their vendors, if they are part of the software supply chain. It also requires organizations to vet the security of any open source software (OSS) that may be embedded in a commercial product. Ultimately, as with any other threat, there is no way to eliminate all risk, so organizations need to take steps to ensure they can quickly identify and respond to security incidents when they occur, and build cyber resilience.

While governments are working to develop the necessary regulatory frameworks to incentivize best practices and comprehensive solutions, the involvement of state-sponsored hacker groups in these types of supply chain attacks adds a further layer of complication. Nation-states increasingly use ICT supply chain attacks to carry out espionage operations, and such attacks are becoming an increasingly popular tool for destructive operations as well.

In short, there is a lot to unpack, and we hope you will join us in the coming days and weeks as our signatories explore this topic in depth – the current policy trends, the standards and best practices organizations should be following, and what can be done at the international level to help protect the integrity of the global ICT supply chain.


[1] The European Union Cybersecurity Agency (ENISA) defines the ICT supply chain as “a system of organizations, people, technology, activities, information and resources involved in moving a product or service from supplier (producer) to customer”.