Breaking down a supply chain cyberattack

Learn the nature of this cyberthreat and actionable steps to mitigate these risks.

Countless organizations have devoted considerable amounts of resources and time building cybersecurity defenses in the last decade. However, efforts to build secure supply chain networks have only begun in recent years.

Indeed, it was not until the April 2021 compromise of SolarWinds software, which led to a swath of intrusions across government entities and various industries, that attacks on supply chain networks became a common concern within the C-suite. The heightened threat to distribution networks compelled businesses to rethink how best to protect existing infrastructure and allocate risk.

Anatomy of a supply chain cyberattack

Unlike typical cyberattacks, a supply chain infiltration requires more sophistication and patience than a script kiddie, phishing scam or brute force attack. However, while it is still possible that a supply chain cyberattack may commence as a typical phishing scam, the sophistication of a supply chain infiltration comes into play after the initial intrusion.

To successfully execute this type of attack, the actor must remain undetected in the organization’s technology infrastructure and move across different software to reach the systems where the victim’s data or code resides. The level of sophistication required to stay hidden, combined with the prolonged waiting periods spent surveying the systems and devising a compromise plan, points to the conclusion that such attacks are typically conducted by nation-state actors.

An actor’s restraint in avoiding suspicion while persistently accessing a vendor’s software product over an extended period has its rewards. Disguised as legitimate software traffic, the actor gains entry to the systems of prospective victims running the affected version of the compromised product. The actor has now infiltrated a new host organization by leveraging the initial compromise, potentially leading to additional victims. The value of this technique is not sheer volume: it essentially converts legitimate software into an unintended Trojan horse by which the actor bypasses well-designed security protocols.

In the case of SolarWinds, it was cybersecurity firm FireEye’s investigation of its own compromise that identified the backdoor built into SolarWinds’ product. Here, the biggest challenge for the attacker is not the sophistication of the security defenses but the length of time before the compromise is widely detected. It is also worth noting that victims using the compromised software who did not sustain significant breaches likely evaded that fate simply because the attacker had prioritized other targets.

Existing state of supply chain agreements

Standard legal risk mitigation of supply chain cyberattacks includes contractual security requirements, audit and inspection, software warranties, and as a last resort, shifting liability to vendors. Unfortunately, these typical legal approaches have been slow to catch up to the ever-advancing attack tactics and rarely improve an organization’s security.

Legal discussion seldom includes the merits or weaknesses of embedded software or firmware. Questioning the origins of such code could lead into the uncharted territory of trade secrets, among other intellectual property questions. To avoid such inquiries, legal professionals devised warranties that the software is the lawful property of the vendor and free of malware.

It is also commonly accepted to use open-source code. Technology leaders such as Microsoft, Apple and Google use open-source code to save development time, expedite product release dates and lower consumer costs. Given the significant potential risks of open-source code, as demonstrated by the recent Java Log4j vulnerability, are these contractual provisions sufficient to protect an organization?

Knowing that 75% of the codebase in software is open-source, bad actors spend significant effort exploiting this often overlooked link in the supply chain. In December 2021, the open-source vulnerability in Java’s Log4j rocked the industry. This exploit affected both software acquired from vendors and internally developed applications. Attackers could compromise servers to steal data, implant ransomware and even mine cryptocurrency.

The terms companies impose on vendors to protect themselves against software supply chain attacks are inadequate as software agreements go. Most organizations are focused on protecting their own infrastructure rather than preserving the ecosystem. Without concise and uniform standards representing the collective interests of the customer base, each customer imposes its own version of the security requirements reflected in its due diligence process. These varying and even contradictory conditions result in an inadequate “box-checking” validation process in which vendors attempt to fit the deficient security controls prescribed by one customer within the requirements of various other customers.

Actionable steps to protect an organization

• Vendor’s security requirements

Contractual provisions imposing some level of security measures on the part of a vendor are an obvious requirement for software vendors (all vendors, for that matter). However, unless such terms are highly prescriptive and set cybersecurity incident prevention requirements beyond the traditional contractual language, they are unlikely to protect a company against a supply chain cyberattack.

As outlined above, while the initial intrusion of a significant supply chain cyberattack may often start with a simple phishing scam, the actor would then have to move stealthily within the vendor’s network to carry out the supply chain attack, ultimately embedding malware in the vendor’s code. Such lateral movement takes time, giving the network’s defenders an opportunity to detect and expose the actor. The more sophisticated a vendor’s defenses and the shorter the actor’s average dwell time, the lower the risk of a successful supply chain cyberattack.

However, at this point, reputable software vendors will already meet a customer’s baseline security standards, not because customers require it in their contracts but as part of the vendor’s primary fiduciary duty to protect its own network from compromise. Further, while effective at deterring or minimizing the impact of less sophisticated criminal cyberattacks, such baseline security standards would likely not be sufficient to stop a determined and sophisticated nation-state actor.

• Surveys, inspections & audits

Along the same lines as requiring baseline security standards, customers require responses to extensive surveys and, in some cases, conduct audits of vendors’ cybersecurity measures. Generally, those organizations are obligated to perform vendor security checks as part of due diligence under their own policies. It is unclear whether such actions undertaken by an individual company truly enhance the security of one supplier, let alone the entire network. Most customers have limited resources, expertise or clout to examine a supplier’s technology or security protocols thoroughly. The most intensive review a typical customer undertakes is to collect a vendor’s affirmations regarding the product’s security, rendering the inspection a mere box-checking exercise.

Requiring annual independent audit reports is a good way of promoting better practices and leveraging advanced security measures as they become available. For enterprise customers, demanding such audits may be feasible. In the case of smaller entities, however, the cost of comprehensive technology audits may be prohibitive, and a small supplier may then shift the cost of conducting the audit to the buyer. It is just as crucial to enlist reputable audit vendors who maintain strict security measures and can provide appropriate documentation.

• Insurance, indemnification and liability shifting

The cost of cybersecurity insurance policies is skyrocketing, and brokers now consider what had been traditional coverages as “enhanced.” This is no surprise as cyberattacks increase, with the 2021 average ransom payment climbing 82% over 2020 and the overall number of infiltrations soaring 150% in 2021 over 2020. Savvy practitioners limit risk by resorting to cost-shifting clauses, thereby reducing their out-of-pocket expenses for cyber incidents attributable to a vendor’s lax security measures.

An in-house counsel inserting cybersecurity-specific indemnification clauses would cause ripples throughout the contracting process. As it stands, veteran technology companies dictate the terms of engagement and refuse to negotiate on smaller accounts. Law firms and attorneys representing enterprise accounts should insist on cybersecurity-specific indemnification language. Doing so is their responsibility, and they should have the clout to effect such change. Such provisions will facilitate the recoupment of costs associated with incident containment, notifications and losses. However, even if successfully added, a significant breach such as that experienced by SolarWinds would quickly exhaust the vendor’s insurance limits and deplete its assets, sending it into bankruptcy before it ever came close to covering its customers’ damages.

For now, vendors should be made responsible for their products’ vulnerabilities with standard indemnification language, regardless of the contract value. Revisiting liability caps is a must, as is ensuring that the vendor carries cybersecurity insurance with appropriate coverages and maintains it throughout the product deployment. These steps may not prevent attacks, especially those carried out by nation-states. Nevertheless, vendors will be incentivized to develop appropriate security controls, submit to rigorous stress testing, and build double and triple system checks.

Brian Schmitt is associate general counsel at Hewlett Packard Enterprise. He has more than 15 years of experience in cyber, law enforcement and national security, with extensive experience in electronic communications and computer network intrusions.

Abeer Abu Judeh is an attorney, a Fortune 500 executive, and an innovation officer dubbed by “Business Insider” a “Rule Breaker.” She is a Member of the Board of Editors of “Cybersecurity Law & Strategy.”

Opinions expressed here are the authors’ own.