Supply chain attacks: What are they?
Supply chains are just as vulnerable to threats and attacks as data and software. We’ve always been told to be wary of things like emails from unrecognised or unfamiliar addresses, to be careful about who we’re sharing our credentials with. However, hackers are now starting to attack hardware and software relating to supply chains at their very source.
What is a supply chain attack?
A supply chain attack is a cyber attack that damages an organisation by targeting less well-protected elements of its supply chain. It can occur in any industry whether that be the financial sector, government sector, or oil industry. Cybercriminals are known to interfere with the manufacturing process of a product in order to sabotage it using a collection of computer software called a rootkit or hardware-based spying tools.
Hackers attack supply chains by writing malicious code or implementing a malicious component into a company’s trusted hardware or software. By doing this and compromising a supplier, cybercriminals are then able to hijack the supplier’s distribution systems allowing them to turn anything from what that supplier sells to any software updates they make and even any physical equipment shipped to customers, into a Trojan horse. With the malware carefully placed, these hijackers or criminals now have complete control over a supplier’s customer networks, which in some cases can account for hundreds or even thousands of victims.
What is a Trojan horse?
Similar to the wooden horse used by Greek soldiers to enter the city of Troy undetected, a Trojan horse in cybersecurity is a type of malware that misleads the target of its true intent to gain access to their software or hardware.
An example of a Trojan horse being used is when a cybercriminal lures their target by asking them to send a seemingly unsuspicious email attachment such as a form to be filled in or encouraging them to click on a fake social media advertisement. This is known as the Trojan horse, and if their target complies, it can give them access to the victim’s computer.
Explaining why supply chain attacks are particularly damaging, Nicholas Weaver, a security researcher at UC Berkeley's International Computer Science Institute, said: “Supply chain attacks are scary because they're really hard to deal with, and because they make it clear you're trusting a whole ecology. You're trusting every vendor whose code is on your machine, and you're trusting every vendor's vendor”.
SolarWinds: An example of a supply chain attack
An example of a severe supply chain attack happened in December last year. Russian hackers working for the country’s foreign intelligence service, the SVR, hacked the software organisation SolarWinds, planting malicious code in its Orion IT management software. This allowed them to gain access to almost 18,000 networks that used Orion around the world.
The SVR then went deeper into the networks of US federal organisations, including The US Department of State, The US Department of Defense, the Department of Justice, and NASA.
The rise of supply chain attacks and future protection
Threats and attacks aimed at supply chains are on the rise, and one reason for this could be due to the improved defences against more common areas susceptible to cyber attacks. As a result, cybercriminals have turned their attention to more vulnerable areas with easier access, such as supply chain networks. Nicholas Weaver from UC Berkeley’s International Computer Science Institute said: “It's partially that you want bang for your buck, and partially it's just that supply chain attacks are indirect. Your actual targets are not who you're attacking. If your actual targets are hard, this might be the weakest point to let you get into them”.
Preventing future supply chain attacks, however, is not a simple task. The reason for this is that hardware supply chain attacks are notoriously hard to detect. Beau Woods, a Senior Advisor to the Cybersecurity and Infrastructure Security Agency suggests that one solution to prevent them from happening in the future is for companies to focus more on the organisational aspect of them rather than the technological. “Companies and government agencies need to know who their software and hardware suppliers are, vet them, hold them to certain standards”, he said.
He concluded that the same vetting is “just as necessary across the private sector. And private companies—just as much as federal agencies—shouldn't expect the epidemic of supply chain compromises to end any time soon”.
Biden establishes Supply Chain Disruptions Task Force
The US government is to establish a new body with the express purpose of addressing imbalances and other supply chain concerns highlighted in a review of the sector, ordered by President Joe Biden shortly after his inauguration.
The Supply Chain Disruptions Task Force will “focus on areas where a mismatch between supply and demand has been evident,” the White House said. The division will be headed up by the Secretaries of Commerce, Transportation, and Agriculture, and will focus on housing construction, transportation, agriculture and food, and semiconductors - a drastic shortage of which has hit some of the US economy’s biggest industries in consumer technology and vehicle manufacturing.
“The Task Force will bring the full capacity of the federal government to address near-term supply/demand mismatches. It will convene stakeholders to diagnose problems and surface solutions - large and small, public or private - that could help alleviate bottlenecks and supply constraints,” the White House said.
In late February, President Biden ordered a 100 day review of the supply chain across the key areas of medicine, raw materials and agriculture, the findings of which were released this week. While the COVID-19 health crisis had a deleterious effect on the nation’s supply chain, the published assessment of findings says the root cause runs much deeper. The review concludes that “decades of underinvestment”, alongside public policy choices that favour quarterly results and short-term solutions, have left the system “fragile”.
In response, the administration aims to address four key issues head on, strengthening its position in health and medicine, sustainable and alternative energy, critical mineral mining and processing, and computer chips.
Support domestic production of critical medicines
- A syndicate of public and private entities will jointly work towards manufacturing and onshoring of essential medical suppliers, beginning with a list of 50-100 “critical drugs” defined by the Food and Drug Administration.
- The consortium will be led by the Department of Health and Human Services, which will commit an initial $60m towards the development of a “novel platform technologies to increase domestic manufacturing capacity for API”.
- The aim is to increase domestic production and reduce the reliance upon global supply chains, particularly with regards to medications in short supply.
Secure an end-to-end domestic supply chain for advanced batteries
- The Department of Energy will publish a ‘National Blueprint for Lithium Batteries’, beginning a 10 year plan to "develop a domestic lithium battery supply chain that combats the climate crisis by creating good-paying clean energy jobs across America”.
- The effort will leverage billions in funding “to finance key strategic areas of development and fill deficits in the domestic supply chain capacity”.
Invest in sustainable domestic and international production and processing of critical minerals
- An interdepartmental group will be established by the Department of Interior to identify sites where critical minerals can be produced and processed within US borders. It will collaborate with businesses, states, tribal nations and stockholders to “expand sustainable, responsible critical minerals production and processing in the United States”.
- The group will also identify where regulations may need to be updated to ensure new mining and processing “meets strong standards”.
Partner with industry, allies, and partners to address semiconductor shortages
- The Department of Commerce will increase its partnership with industry to support further investment in R&D and production of semiconductor chips. The White House says its aim will be to “facilitate information flow between semiconductor producers and suppliers and end-users”, improving transparency and data sharing.
- Enhanced relationships with foreign allies, including Japan and South Korea will also be strengthened with the express proposed of increasing chip output, promoting further investment in the sector and “to promote fair semiconductor chip allocations”.