In February this year, the leader of the Lebanese militant group Hezbollah issued an urgent plea to its members. He asked them to bury their smartphones in an iron box and switch to low-tech communication devices such as walkie-talkies and pagers, fearing heightened Israeli surveillance in the wake of the Gaza war. Seven months later, several of these old-school devices abruptly exploded, killing dozens, including much of Hezbollah’s leadership.
Israel's intelligence had found a way into Hezbollah’s analog environment. Learning the group had plans to source a large batch of pagers and walkie-talkies, it reportedly infiltrated their manufacturing supply chains and shipped booby-trapped hardware through a series of shell companies. All it then took was a signal to trigger the explosions across the country.
Hezbollah’s concerns over state-backed smartphone tracking weren’t unfounded, and the explosions that followed were not the first instance of supply chain warfare. In 2010, for example, a US-developed computer virus crippled an Iranian nuclear facility, and two years later, the NSA tried to break into the Syrian internet via a bugged wireless router. Decades earlier, Israel itself brought down a notorious bomb maker with an explosive-infused cell phone.
Supply chain attacks are by no means a new phenomenon. But as businesses and countries increasingly digitize their operations, Israel’s latest breach puts an urgent spotlight on the cyber threats that can emerge from supply chain vulnerabilities.
The supply chain cyber-crisis
“Organizations rely on a complex web of suppliers,” says Michael Caruso, the Director of Third-Party Risk at Access Point Consulting, and each “represents a potential entry point for cyber threats.” It’s vital, therefore, adds Caruso, for them to “take proactive steps to enhance visibility into their supply chain and manage potential vulnerabilities.” Few do, however.
Even though supply chain attacks have soared by 430%, only a little over a quarter of surveyed businesses vet their new and existing suppliers for security purposes every year. Gartner predicts that by 2025, 45% of global organizations will experience a software supply chain attack, a threefold jump from 2021.
An average digital project can have up to 200 dependencies, and that has begun to take a toll on systems across the world, since hackers continue to go for an organization’s weakest third-party links. In 2017, for instance, Russia managed to bring down a range of Ukraine’s critical infrastructure simply by targeting a piece of government-endorsed tax reporting software. Similarly, in 2020, threat actors took control of network monitoring software from a firm called SolarWinds and breached hundreds of organizations, including parts of the US government.
The pillars of supply chain cybersecurity
Supply chain cybersecurity can no longer be merely a box companies check. Minimizing its associated risks rests on three fundamental elements, Santiago Torres-Arias, an electrical and computer engineering associate professor at Purdue University, told Access Point Consulting. They are “traceability,” which is documenting the actions carried out in the supply chain; “transparency,” the ability to propagate that information; and “risk assessment,” which is to determine trust vectors based on the collected data.
Each element is multi-faceted on its own but together, they can enable enterprises to ramp up real-time monitoring and analytics to pre-empt anomalies and potential security breaches. A thorough software bill of materials from vendors, for example, can quickly help map and trace risks. A Managed Detection and Response (MDR) program, on top of that, can automate threat response and remediation.
No cybersecurity pipeline, however, is complete without an all-encompassing Cyber Supply Chain Risk Management (C-SCRM) program overseeing an organization’s internal and vendor channels.
“Security is a shared responsibility,” says Caruso, “and every department involved in sourcing needs to understand how their actions can influence cyber risk.”
For supply chain practices to be consistently applied, a formal C-SCRM framework is essential. It allows businesses to define resilient policies, procedures, and governance structures that provide clear guidelines for managing supply chain risk, from developing strong relationships with key suppliers to auditing and assessing that collaboration throughout the life cycle of the relationship.
Is the shift to domestic products enough?
Longer term, though, experts agree supply chain vulnerabilities are nearly impossible to monitor without government intervention, and some of that has already been put in place. In the US, for example, the CHIPS Act looks to localize silicon production and reduce reliance on foreign actors. That alone won’t prove to be a panacea, however.
Defending the integrity of globally produced software and hardware components demands a holistic approach that combines technical, procedural, and human factors. More supply chains will have to adopt transformative approaches like split manufacturing and logic locking, where a designer makes it impossible to inject malicious elements into hardware.
“With geopolitical shifts, as they are today,” adds Torres-Arias, “it is paramount that foreign policy becomes industrial policy, and industrial policy is informed by supply chain security risks.”
The AI age will only complicate supply chain protection further. Not only can Large Language Models expose sensitive, proprietary information, but they can also be hijacked and manipulated into facilitating misinformation campaigns and executing malicious prompts on internal systems. Before leveraging the gains unlocked by AI-powered upgrades, says Caruso, “adopt appropriate governance frameworks, security certifications, and monitoring tools to mitigate the unique threats posed by LLMs.”
As with the majority of cyber threats, managing supply chain risks is an evolving process. To mount a robust defense against them, enterprises will need to build resilient foundations on the basis of visibility, vigilance, and collaboration, both within the organization and across the supply chain.