3 Ways to Effectively Combat Emerging Supply Chain Vulnerabilities
What should be keeping you up at night? Your supply chain, duh, and great Netflix content, but the latter keeps all of us up.
So what exactly about your supply chain is the issue? Simply put, since your supply chain is mostly outside of your control, it’s a huge blind spot and almost impossible to adequately defend. My advice—mitigate global risk factors, gain as much control over your supply chain (as is viable), and ensure you have safeguards in place when your supply chain fails. Easier said than done, right?
Don’t worry; we will break it down together. Let’s start by taking a closer look at a possible threat case.
The Chatbot Scenario
Imagine you vet a third-party chatbot vendor. They are now authorized to be a point of presence on your website, after rigorous testing and multiple levels of approval.
You did it! Now you can check the box and call it a day, right? Well, not quite.
Let’s assume that the vendor gets breached, and the hackers use the trusted relationship the vendor has cultivated with you to their advantage (remember, the vendor passed all the rigorous testing). So what if the hackers change the chatbot to now prompt your customers to enter personally identifiable information (PII) to “verify” identity? Would you even know this is happening? The chatbot is not technically running on your web server. It’s running on the client’s machine. There is a high probability your marketing team is in charge of your website, or it’s primarily outsourced (either way, it’s not your security team). Would they know anything is wrong? How much PII will be lost before someone says something? And then let’s not forget GDPR (or CCPA).
Are you liable? This type of compromise happened to British Airways, hit with a record $230 million GDPR fine.
So needless to say, this would be a bad day (more likely bad weeks/months) for you and your company. Now let’s focus on three areas of concern: globalization, cloud, and edge computing.
Three Areas of Concern
Globalization is a modern reality that brings many benefits with it, along with many costs.
Should we hinder globalization? No, nor should we try, but we should be aware of the risks we take in the global arena. When you are vetting vendors, their country of origin needs to be considered. Why? Well, the laws that govern said country will also impact how information is shared with nation-state governments. China, Russia, Iran, and North Korea have laws that are quite invasive and draconian, but what about other countries? Should you be concerned with India? What if an Indian vendor were to use a cloud storage provider in China? How does that affect you or your customers? Would you even think to ask?
Since I mentioned the cloud, let’s shift our focus there.
- The Cloud
Bottom line—you save money, you are more secure (in theory), but lose control.
More importantly, many people also feel that shifting to the cloud also moves the risk to the cloud vendor, but does it? Ask yourself these questions: If your cloud storage provider suffered a data breach, would they notify you? How long would it take them to learn about the breach? And if you knew of a data breach, would you have a way to get all the logs from the cloud provider needed to conduct an internal assessment of the breach? Who do you call? What if the cloud provider is outside your country? What are the reporting requirements put forth by said country’s regulatory authority? Are you subject to their regulatory authority? Those are just some of the questions that should be considered.
The next area for concern is this notion of edge computing.
- Edge Computing
This is a relatively new concept that some define differently, so first let me explain what I mean by edge computing. I will use the definition given by The Verge:
The word edge in this context means literal geographic distribution. Edge computing is computing that’s done at or near the source of the data, instead of relying on the cloud at one of a dozen data centers to do all the work. It doesn’t mean the cloud will disappear. It means the cloud is coming to you.
So, in other words, it’s computing that occurs on the client’s device (computer or otherwise). So, where is this seen? Remember that chatbot example I referenced above? A chatbot is running on your customer’s equipment, but they likely don’t think about it. More often than not, they assume it’s running on your web server. Therein lies the problem—your customer believes your site is hosting the service. The customer trusts you, but what if the chatbot is compromised? Would the customer know? Would your team know, since the chatbot is running on the edge (generally outside their purview)? And what does this mean for your brand? No one thinks of the “Delta breach” in 2018 as the “[24]7.ai breach” (the company that suffered the breach), for it doesn’t generate the same buzz.
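The chatbot scenario above (and its reprise here) hinges on a third-party script being changed without the site owner noticing. Added example, not code from the original post: pin the reviewed build of the script with Subresource Integrity so a modified copy is refused by the browser, and a Content Security Policy that limits where any script on the page can send data. The script contents, the vendor host names and the report endpoint are constructed placeholders.

```python
"""Added example (not from the original post): pin a third-party chatbot script
with Subresource Integrity (SRI) so a modified copy is refused by the browser.
Script contents and the vendor host are constructed placeholders."""
import base64
import hashlib

# Constructed stand-in for the vendor's reviewed chatbot loader.
VENDOR_SCRIPT = b"window.chatbot = { greet: function () { return 'Hi, how can I help?'; } };"
# Constructed tampered copy: same loader plus a prompt for PII, as in the scenario.
TAMPERED_SCRIPT = VENDOR_SCRIPT + (
    b"\nwindow.chatbot.verify = function () { return prompt('Enter your SSN to verify identity'); };"
)

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Integrity value in the form browsers expect: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def script_tag(src: str, reviewed: bytes) -> str:
    """<script> tag pinning the build you tested; crossorigin is required for SRI on cross-origin scripts."""
    return f'<script src="{src}" integrity="{sri_hash(reviewed)}" crossorigin="anonymous"></script>'

def sri_matches(integrity: str, served: bytes) -> bool:
    """What the browser does: re-hash what was actually served and compare to the pinned value."""
    algo = integrity.split("-", 1)[0]
    return sri_hash(served, algo) == integrity

# Constructed CSP: whatever a script does, it can only send data to the hosts listed here,
# and violations are reported to your own endpoint so the security team sees them.
CSP = ("default-src 'self'; "
       "script-src 'self' https://chat.example-vendor.test; "
       "connect-src 'self' https://api.example-vendor.test; "
       "form-action 'self'; report-uri /csp-reports")

if __name__ == "__main__":
    tag = script_tag("https://chat.example-vendor.test/loader.js", VENDOR_SCRIPT)
    pinned = tag.split('integrity="')[1].split('"')[0]
    print(tag)
    print("vendor build loads:", sri_matches(pinned, VENDOR_SCRIPT))      # True
    print("tampered build loads:", sri_matches(pinned, TAMPERED_SCRIPT))  # False
```

SRI only helps when the vendor serves a fixed build you reviewed (and serves it with CORS headers); loaders that update themselves are exactly the case where the CSP `connect-src` and `form-action` limits, plus the violation reports, are the check that still holds.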
A Way Forward
So what can we do about all of this, besides not use the Internet (which is out, since we love binge-watching Netflix)? Well, in theory, it’s somewhat simple —
- Mitigate Global Risk Factors
Two simple questions to ask prospective vendors:
- Where is your company headquartered?
- Where is my data going to be stored?
Why? Well, data is protected when held by a US company operating in the US by several US/international laws. As I stated previously, those same protections are not afforded to you when your data leaves the US, at least not in all countries.
Let’s focus on Russia.
Russian law empowers Russia’s security service, the Federalnaya Sluzhba Bezopasnosti (FSB), to use SORM (the acronym translates to “System for Operative Investigative Activities”) to collect, analyze and store all data transmitted or received on Russian networks. Data includes telephone calls, email communications, website traffic, and credit card transactions. The FSB does this through the installation of monitoring devices on all internet service provider networks, thus allowing the FSB to collect all user traffic directly. So if you are working with a Russian company, your data and your customer data are not protected.
- Control Your Supply Chain
Be mindful that the cloud is not the panacea for all things security. The theory that cloud providers are more secure due to their dedicated focus on data storage (to include security) does make sense, but it is not a guarantee. Large cloud providers will not negotiate with companies, not even massive enterprises. Those facts are some things to keep in mind.
So how do you control them? Well, you don’t. But you can be selective with the information you give them and deploy encryption technology to enable you to lock down said data. Companies like Iconic can provide you some great options in this space.
Aside from the cloud, what about other digital supply chain issues? Enlist your security/legal team to help here. Some questions to think about are: Will the vendor share if they relocate your data to overseas locations? What cloud solution is the vendor using? Can you place requirements in the contract that do not allow data to be stored in certain countries? What if the vendor is in violation of the agreement? What action can you take?
When I was in the FBI, I was privy to a situation where a computer networking equipment manufacturer operating inside their client’s network sent encrypted data to a foreign IP range (which was in direct violation of the stated contract). The data transfer was done unbeknownst to the client. When the client confronted the manufacturer, the manufacturer noted the data in question was used for quality assurance testing. Still, since the information was encrypted, the client couldn’t verify the manufacturer’s statement. These are the type of actions that companies need to monitor actively.
- Put Safeguards in Place
In the aforementioned FBI example—when your supply chain fails, you need to have safeguards in place to detect the failure. It would be best if your networking team actively monitored activity on your network to look for suspicious behavior. There are companies like Expanse and DEVCON, with some up-and-coming technical solutions worthy of consideration.
Aside from third-party solutions, you should take part in gathering intel on what others are saying about vendors and emerging tech. Joining groups like the National Cyber-Forensics and Training Alliance (NCFTA) (for companies), InfraGard (for individuals), Business Executives for National Security (BENS) (for individuals, specifically executives), the Overseas Security Advisory Council (OSAC) (for US companies with an overseas presence), and the Domestic Security Alliance Council (DSAC) (for companies, explicitly Fortune 500) will give you access to free intel (save NCFTA, which has a membership fee). There are multiple levels of intel to be gained; the big one is the human networking connection. If you harness those relationships correctly, they can serve as an early warning system for new, questionable, or issue-ridden vendors, manufacturers, and contractors. People like to talk, share, and “dish the tea,” but you have to be present to partake in this exchange of intel.
There you have it, how to effectively combat emerging supply chain vulnerabilities. The hard part is enacting everything, but that’s when you turn to the people around you—your team, your partners, and others that can lend a hand.
It’s a team effort; you don’t have to do it alone.