Kaspersky identifies the absence of a global policy response to supply-chain attacks as a ticking time-bomb that puts international cyber-stability at risk
Supply-chain attacks have proved very harmful in recent years. Amid increased digitisation, including in government and public services, organisations are more vulnerable to these types of threats than ever before. However, there is still no global policy response to fix value-chain risks, which represents a hazardous cyber-vulnerability.
Digital transformation makes every organisation a software company that relies on a multitude of external vendors, adding to difficult-to-manage third-party threats. Their services contain code that may have vulnerabilities, which puts their interconnected users – industries, societies, countries – at risk. Nevertheless, due to various disagreements between states, the global community has not yet developed a global policy response to value-chain risks.
At the same time, Kaspersky researchers have been tracking several threat groups that focus on highly targeted supply-chain attacks. Their findings indicate that threat actors target and exploit vulnerabilities in the update and build systems for software, so users who are asked to install patches might expose their IT systems to backdoors. One recent high-profile example is Sunburst, which was used to compromise numerous public and private organisations around the world.
Increasing information sharing and improving trust between actors is key to creating a global policy response to value-chain risks.
Speaking at a Kaspersky panel, Craig Jones, Director of Cybercrime at INTERPOL, said: “When the attack happens, people don’t dial 911 or call the police; we’re normally a second or third call after their IT security, but we should be among the first to investigate it – together with computer emergency response teams (CERTs), private partners and across borders.” To reinforce the need for a clear, collaborative and effective response process, Jones continued, “It’s in everyone's interest to thoroughly investigate incidents, as well as get and share as much information as possible to ensure IT security of the critical infrastructure.”
“Cybercriminals love ‘divide and conquer’ – if we’re divided, criminals flourish. That’s why this is our biggest challenge – much bigger than a technical challenge is to decide on how we all work better together,” added Serge Droz, Chair of Forum for Incident Response and Security Teams (FIRST).
“First of all, as the global community we need consensus – on how exactly international law applies in cyberspace, how human rights should be protected online, how norms of responsible state behavior should be implemented, and what the role of other stakeholders is. Second, we also need to implement what we agreed on and to hold those who violate agreements accountable for their actions,” noted Jon A. Fanzun, Special Envoy for Cyber Foreign and Security Policy, Swiss Federal Department of Foreign Affairs (FDFA).
In this regard, the Geneva Dialogue on Responsible Behavior in Cyberspace, led by the Swiss Federal Department of Foreign Affairs (FDFA) and implemented by DiploFoundation, is an example of building greater trust and a closer community, particularly within industry, to shape a joint vision of digital security and the global policy processes for a trusted, secure and stable cyberspace.
Kaspersky believes that a safer world for everyone can only be built on mutual trust and collaboration. The company sees a need for a global incident response mechanism to address large-scale and significant cyber-incidents affecting UN Member states and their critical infrastructure.
“This mechanism can be based on providing recommended technical and operational national points of contact in the event of an attack. These would serve as a ‘final station’ in reaching out to a national CERT, law enforcement agency or cybersecurity professionals, where needed, to exchange technical information. It is important that incident responders remain neutral. Such a mechanism would not only ensure the means for a timely and coordinated global response and incident mitigation but would also help to enhance technical and operational capacities of the global community, thus contributing to greater cyber-stability,” says Anastasiya Kazakova, Senior Public Affairs Manager at Kaspersky.
Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialised security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
In 2017 Kaspersky launched its Global Transparency Initiative that includes a number of actionable and concrete measures to engage with the wider cybersecurity community and stakeholders in validating and verifying the trustworthiness of its products, internal processes and business operations. Learn more about it at https://www.kaspersky.com/transparency-center.