Cracks in the Cyber Supply Chain

The nature of modern software development makes it hard to know where code was actually written and by whom.

Robert Hannigan

Robert Hannigan chairs the international division of BlueVoyant, a cybersecurity company. Until 2017 he was the director of GCHQ, the U.K. signals intelligence agency, and he established the country’s National Cyber Security Center. He is a senior fellow at Harvard’s Belfer Center for Science and International Affairs.

Cybercrime groups are on the lookout for poorly defended parts of the digital supply chain to attack companies and governments. (Bill Hinton/Getty Images)

This summer, Elizabeth Denham, the U.K.’s information commissioner, issued an important ruling that sent quiet shockwaves through European corporate boardrooms. The ruling effectively expanded the responsibility of companies in relation to their software and technology supply chains.

The key development came from the fallout of the Marriott data breach, announced by the company almost exactly a year ago. The data loss itself, albeit a large one involving the personal and financial data — including names, addresses, credit card information, passport numbers and travel plans — of some 380 million customers across many countries, might once have been greeted with a shrug, embarrassing to the company’s reputation but just another in a list of similar breaches that customers are becoming wearily familiar with.

Yet the consequences of this attack are just beginning to unfold. The company faces multiple lawsuits in the U.S. and other jurisdictions. Accenture, to which Starwood, a Marriott subsidiary, and subsequently Marriott itself outsourced much of their IT operations, is also the subject of litigation.

“Traditional investment, due diligence and risk assessment processes need to catch up with the speed and sophistication of cyber threats.”

Denham announced in July that she intended to impose a fine of $123 million on the hotel group. While this is not a trivial amount for any company to face, the wider impact came in the report itself. Denham judged that the fine was appropriate because “Marriott failed to undertake sufficient due diligence when it bought Starwood.” In short, Marriott had acquired a company that had already been severely compromised by hackers, probably in 2014, and only spotted the breach two years after the integration of Starwood and the cross-infection of the wider group.

The regulator appears to be saying what ought to be obvious: traditional investment, due diligence and risk assessment processes need to catch up with the speed and sophistication of cyber threats. The data rooms of the future will need a much richer picture of cyber data and what it can tell us about a company’s relative cybersecurity readiness, what needs to be done to remediate the extant cyber risks and how much this will cost.

But due diligence in cyber is not only a concern for mergers and acquisitions. The same attempt to assess unquantified cyber risk is worrying every major company, especially in financial services, which understands this better than any sector. Even the best-protected institutions are increasingly aware that the thousands of vendors and suppliers connected to them are potential vectors for attack — weak links in their shields. As defenses are hardened, cybercrime groups are looking for poorly defended parts of the supply chain as an ideal way in. From IT providers to law firms and small investment houses to recruitment agencies, suppliers are a popular route for these attackers. Financial regulators, too, are increasingly focused on how to measure the cyber risk presented by individual banks to the wider system, both in the interests of systemic resilience and consumer protection.

“As defenses are hardened, cybercrime groups are looking for poorly defended parts of the supply chain as an ideal way in.”

At the high end of cyber threats, notably against the defense sector, risk in the supply chain has been a major national security concern in recent years. The Department of Defense inspector general sounded the alarm in July about the inadequacy of cyber due diligence in procurement decisions, highlighting the threats from hostile nation-states that may be embedded in off-the-shelf products and household-name services.

Situated at the critical end of the cyber-threat landscape, defense illustrates the problem of complexity: even understanding the hardware and software supply chain of a new network-enabled warship or aircraft is challenging. Thousands of companies are involved, each with a different level of access to sensitive information. It also shows that traditional methods of vetting are necessary but insufficient: even if the company flies a U.S. or allied flag, the nature of modern software development makes it hard to know where code was actually written, and by whom. And nearly all commonly available IT hardware is manufactured in China.

Of course, worrying about third-party risk is arguably a step forward: It points to the progress made by companies in addressing their own cyber exposure. It also suggests that we are having some success in raising the bar by hardening defenses, displacing cybercrime to softer targets. But all that will be little consolation: A piece of malware delivered through a weakly defended third party can be every bit as destructive as a spear-phishing email, with which we are all familiar, sent directly to our company.

“The nature of modern software development makes it hard to know where code was actually written, and by whom.”

If we are to avoid a future in which our entire global supply chain is increasingly untrustworthy, we will need a new approach to trust and verification. For governments, this will mean regulation of cybersecurity standards, some of which is already emerging. For companies, it will not be acceptable to take the word of suppliers that their security is good, and questionnaires allowing them to mark their own homework will no longer constitute due diligence.

Instead, companies will need to look at their vendors as an attacker would: from the outside, assessing their vulnerabilities, insisting on minimum security controls and practical remediation where necessary. And they will need to monitor the performance of these suppliers regularly, rather than taking a snapshot and hoping for the best.

In the cyber age, a company’s responsibility, like its attack surface, no longer stops at its own corporate boundary.