Supply Chains Have a Cyber Problem

By Jonathan William Welburn

Published 29 June 2021

If it wasn’t clear before the cyberattacks on JBS S.A. and Colonial Pipeline, it’s now painfully clear that the intersection of cyberattacks and supply chains creates a wicked new form of risk—and the stakes are as much about national security as they are economics.

In May, JBS S.A., the world’s largest meat producer, suffered a ransomware attack disrupting beef production in the United States, Canada, and Australia. That came after another ransomware attack, this one against Colonial Pipeline, disrupted gas supplies in the eastern United States and drove up prices. If it wasn’t clear before, it’s now painfully clear that the intersection of cyberattacks and supply chains creates a wicked new form of risk—and the stakes are as much about national security as they are economics.

Last December, for example, hackers breached the company SolarWinds and compromised a software product called Orion. Orion, sitting within the software supply chain of numerous government agencies and nearly all of the Fortune 500, gave the hackers unfettered and trusted access to sensitive systems for months without detection. This was the most prominent example to date of what cybersecurity analysts call a “supply chain attack”—one in which hackers gain entry to an organization’s systems through its computer hardware or software vendors.

SolarWinds wasn’t the first big supply chain attack, however. In 2017, the NotPetya cyberattack crippled thousands of organizations worldwide. Hackers in that case compromised accounting software used by companies, hospitals, schools, and government agencies. That gave hackers the ability to destroy tens of thousands of computers in a single attack. The effects rippled outward like a shockwave. And once the malware reached companies like Maersk, the large shipping company at the center of global supply chains, the digital supply chain disruption turned into a physical supply chain disruption worldwide.

This is the first part of the cyber problem in a nutshell: Disruptions keep traveling through software linkages, stalling new parts of the physical supply chain.

But the reverse is potentially true as well: Compromised physical goods can become cyber risks.

The saga over Supermicro is Exhibit A. In 2018, Bloomberg Businessweek reported that Chinese spies had compromised the San Jose company’s computer hardware. Supermicro produced motherboards for another company, Elemental, which used them in very expensive video-processing servers. The Bloomberg article alleged that somewhere along this production chain, subcontractors inserted a tiny chip that allowed a hack on Elemental’s downstream customers, including banks, Apple, and the U.S. Department of Defense.

The report has been met with consistent denial and backlash. But it provided a window into how devastating infiltrating computing supply chains could be. That, of course, may make such targets even more attractive to not just spies but also cybercriminals.

Don’t expect an end to cyber-driven supply chain disruptions any time soon. Hackers prey on targets with a large “attack surface.” The more open ports to exploit, open machines to corrupt, or even open humans willing to open suspicious emails, the larger the attack surface. Supply chains, by linking together hundreds if not thousands of firms, present the perfect attack surface.

We are quickly entering a world where cyber disruptions easily become supply chain disruptions, and where supply chains for hardware and software create new cyber risks. Managing these will demand digital-era solutions, including updating tools, regulations, and reporting requirements.

One move in that direction is the Biden administration’s recent Executive Order on Improving the Nation’s Cybersecurity. It tells the Department of Commerce to develop standards and procedures for a Software Bill of Materials—basically a list of digital ingredients. This kind of labeling could allow analysts to trace bits of vulnerable code to their end use in software. That is a crucial first step. The next? Mapping the firms—or whole industries—that rely on particular software so that the vulnerable businesses might be warned.
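To make the two steps concrete (tracing a vulnerable component to the products that ship it, then to the organizations that run those products), here is an added example that is not part of the original article or of any RAND or government tooling. It uses a small, constructed SBOM in a simplified CycloneDX-style JSON layout; every product, library, package URL and organization name in it is hypothetical. Given the identifier of a component that turns out to be vulnerable, it walks the dependency graph backwards to the top-level applications that contain it and then looks up, in a hypothetical deployment registry, who should be warned.

```python
import json
from collections import deque

# Constructed sample SBOM (simplified CycloneDX-style structure; not a real
# product's SBOM). Components are identified by package URLs (purls) and
# "dependencies" lists the edges of the dependency graph.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "application", "name": "monitoring-suite", "version": "2.0",
     "purl": "pkg:generic/example/monitoring-suite@2.0"},
    {"type": "application", "name": "billing-portal", "version": "5.1",
     "purl": "pkg:generic/example/billing-portal@5.1"},
    {"type": "library", "name": "net-agent", "version": "1.3",
     "purl": "pkg:generic/example/net-agent@1.3"},
    {"type": "library", "name": "crypto-lib", "version": "1.2",
     "purl": "pkg:generic/example/crypto-lib@1.2"},
    {"type": "library", "name": "json-utils", "version": "0.9",
     "purl": "pkg:generic/example/json-utils@0.9"}
  ],
  "dependencies": [
    {"ref": "pkg:generic/example/monitoring-suite@2.0",
     "dependsOn": ["pkg:generic/example/net-agent@1.3"]},
    {"ref": "pkg:generic/example/net-agent@1.3",
     "dependsOn": ["pkg:generic/example/crypto-lib@1.2"]},
    {"ref": "pkg:generic/example/billing-portal@5.1",
     "dependsOn": ["pkg:generic/example/json-utils@0.9"]},
    {"ref": "pkg:generic/example/json-utils@0.9", "dependsOn": []}
  ]
}
""")

# Hypothetical registry of which organizations run which product: the
# "mapping the firms" step. Constructed data, not a real inventory.
DEPLOYMENT_REGISTRY = {
    "pkg:generic/example/monitoring-suite@2.0": ["Example Utility Co", "Example Port Authority"],
    "pkg:generic/example/billing-portal@5.1": ["Example Utility Co"],
}


def build_reverse_graph(sbom):
    """Map each component purl to the set of purls that directly depend on it."""
    reverse = {}
    for entry in sbom.get("dependencies", []):
        for dep in entry.get("dependsOn", []):
            reverse.setdefault(dep, set()).add(entry["ref"])
    return reverse


def affected_products(sbom, vulnerable_purl):
    """Return {application_purl: path} for every top-level application that
    transitively includes vulnerable_purl. The path runs from the application
    down to the vulnerable component, so an analyst can see the chain."""
    reverse = build_reverse_graph(sbom)
    apps = {c["purl"] for c in sbom["components"] if c["type"] == "application"}
    result = {}
    queue = deque([(vulnerable_purl, [vulnerable_purl])])
    seen = {vulnerable_purl}  # guards against cycles in malformed SBOMs
    while queue:
        node, path = queue.popleft()
        if node in apps:
            result[node] = list(reversed(path))
        for parent in reverse.get(node, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append((parent, path + [parent]))
    return result


def organizations_to_warn(sbom, vulnerable_purl, registry):
    """Sorted list of organizations running any product affected by vulnerable_purl."""
    orgs = set()
    for product in affected_products(sbom, vulnerable_purl):
        orgs.update(registry.get(product, []))
    return sorted(orgs)


if __name__ == "__main__":
    vuln = "pkg:generic/example/crypto-lib@1.2"
    for product, path in affected_products(SAMPLE_SBOM, vuln).items():
        print(product, "<-", " <- ".join(path[1:]))
    print("notify:", organizations_to_warn(SAMPLE_SBOM, vuln, DEPLOYMENT_REGISTRY))
```

The reverse walk is the useful part: an SBOM is normally read top-down (what does this product contain?), but the question raised by a newly disclosed flaw is bottom-up (who contains this?). Because the lookup works on package URLs rather than on free-text names, the same query can be run over SBOMs from many vendors once they follow a common format, which is what a Commerce Department standard would make possible.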

Jonathan Welburn is an operations researcher at the RAND Corporation.

This article is published courtesy of RAND.