When Russia invaded Ukraine, I knew there would be repercussions for global supply chains. But supply chain impacts like rising gas prices, or the inability of a train to cross Siberia to deliver goods from China to Europe, or the increased congestion this would cause at ports Chinese, weren’t the supply chain impact I feared the most. What I feared most was cyber warfare.
The cyber supply chain
I feared him because I had read Nicole Perlroth’s book, They tell me that’s how the world ends. The book won the FT & McKinsey Business Book of the Year award in 2021. Ms Perlroth covers cybersecurity and digital espionage for The New York Times. She covered Russian hacks of nuclear power plants, airports and elections; North Korea’s cyber attacks on movie studios, banks and hospitals; Iranian attacks on oil companies, banks and the Trump campaign; and hundreds of Chinese cyberattacks and their continued success in stealing intellectual property from multinational corporations.
I came out of the book with the chilling realization that if a nation-state with advanced cyber capabilities wants to hack a company, it can. And a hack doesn’t just mean data is stolen, it can be critical information held hostage or destroyed. There is almost nothing the company can do to stop a well-funded nation-state intent on committing these kinds of attacks. There are several reasons for this that are beyond the scope of this article. But because my coverage is focused on supply chain management, I’ll discuss it.
The servers, computers, tablets and smartphones we use are integrated into global supply chains, with components and assembly taking place in many countries. In 2018 it was reported, for example, that an iPhone is assembled by workers at the Foxconn factory in the Chinese city of Zhengzhou; and manufactured using raw materials and components from 43 countries. A hostile nation could require that computer components or assembly of components running in their domain contain “back doors” that can be exploited for cyber espionage or attacks. Additionally, some types of zero-day exploits, those built into hardware as opposed to software, are virtually undetectable. But even if a nation-state doesn’t need backdoors, there are plenty of employees in many countries who can be bribed or coerced by malicious actors into cyber compromising the components they build.
Sid Snitkin, Vice President of Cyber Protection Advisory Services at ARC Advisory Group, says the software supply chain is even more vulnerable. “When I was younger, I used to do some programming. Every line of code in an app would be written by me or a co-worker. Now an app is written by people grabbing a piece of code from here or a piece of there. Hackers attack small vendors. They embed malware in the code. Then when an IT professional receives a message to update the software, the software is contaminated. It is almost impossible to check if all these little bits of code are clean.
Efforts to Strengthen the Nation’s Cybersecurity
Last May, the Biden administration issued a executive order on improving the nation’s cybersecurity. There were several good prescriptions in this order, but the order was much more focused on improving cybersecurity for the federal government than for private companies.
Most recently, March 21st of this year, President Biden made a statement on our country’s cybersecurity. A support fact sheet had several best practices that businesses should follow. These best practices, however, were a better prescription for companies running on-premises applications than the last generation of cloud solutions.
Increasingly, core enterprise applications are hosted in public clouds operated by Microsoft, Amazon Web Services, Google and others. The tech companies that run these public clouds say the cybersecurity they provide goes beyond anything private companies could ever hope to achieve. It is undoubtedly true. But it is very likely that if a nation state wanted to cyberattack these cloud solutions, it would succeed. Additionally, removing these types of public clouds would compromise hundreds, if not thousands, of enterprise master data. As such, these public clouds, while harder to hack, are a much more attractive attack vector.
Detection and response
Mr. Snitkin agreed that if a nation-state wanted to compromise public clouds, it could. However, he said, the philosophy behind cybersecurity has changed. “Rapid detection and response is all you can do today. He also noted that AWS, Oracle, and Google will all back up their data.
But what if an attack is at the hardware level and almost impossible to detect? Mr. Snitkin acknowledged that some viruses introduced into a PC can embed themselves in firmware. Even if a company erases the software and reloads it, the virus still exists. This Shamoon virus that attacked Saudi Aramco in 2018 was an example. All CPs had to be destroyed and new ones deployed. It took days. “You have to clean up before you can start again,” Mr. Snitkin explained.
It was a similar story for Maersk, the world’s largest container shipper. Maersk’s computer systems fell victim to a malware attack using NotPetya, which was carried out by the Russian military to attack Ukraine, but which in fact also hit Maersk hard. All end-user devices, including 49,000 laptops, had to be destroyed. The whole companyAll 1,200 apps were inaccessible and about 1,000 were destroyed. Data was kept on backups, but the apps themselves could not be restored from those backups because they would have been immediately re-infected. About 3,500 of the company’s 6,200 servers were destroyed and could not be reinstalled. It took two weeks to restore all global apps. But Maersk, as even Maersk admitted, did not have a strong cyber defense strategy in place.
Mr. Snitkin is convinced that large public cloud companies would be able to safeguard their customers’ master data and use security solutions like data diodes to ensure that it remains out of the reach of players. malicious; but the process of restoring data to clean servers can take several days.
This reality makes a best practice particularly important; businesses must have contingency plans in place. Additionally, companies should conduct drills and drills on these contingency plans so that their employees are ready to respond quickly to minimize the impact of any attack. And if a business has critical partners—suppliers, contractors, and logistics service providers—your business needs to make sure they have those contingency plans and drills in place as well.