
Supply-chain dependencies: Check your resilience blind spot

A panel discussion at DEF CON 33 last week, titled “Adversaries at war: Tactics, technologies, and lessons from modern battlefields”, offered several thought-provoking points, as well as a clear takeaway: while digital tactics such as misinformation and influence campaigns are useful in modern conflict, they are not going to win a war. That’s because when bombs start dropping and the physical elements of war are under way, the misinformation spreading through digital channels becomes less important. Understandably, the victims of conflict and those displaced have more urgent priorities: food, shelter and staying alive.

Turning the conversation to whether a war could be won using cyberattacks and digital disruption, there was also agreement among the panelists that cyberattacks create temporary damage, whereas a bomb landing on something is a more effective and lasting method of destruction.

The attacks against critical infrastructure in Ukraine potentially confirm this: Russia-aligned actors have launched numerous cyberattacks against the country’s power grid, resulting in temporary disruptions as systems can be rebuilt and made operational again in a relatively short period of time. Meanwhile, a bomb landing on a power facility is likely to cause long-term damage and limitation of service that could take months or years to restore. The big-picture conclusion on this part of the panel discussion is that a war cannot be won by cyber alone – it still needs to be won on the physical battlefield.

Cyber and physical security

The discussion then evolved to how cyber affects the physical. One panelist made the comment to the effect that “an army can’t fight if they have not been fed”. Put differently, a growing number of civilian contractors are being used to provide the logistics needed to operate an army, making the attack surface broader than it may appear.

The panel used Taco Bell as a fictional analogy. A hacker could claim they modified the water supply in Taco Bell, but on closer inspection it could just be that they have tampered with a restaurant’s water cooler, which would not be enough to affect its operations.

However, a cyberattack on Taco Bell’s supply chain could bring it to an operational stop. How? By stopping deliveries of produce to the restaurant. This dependency could be even more obscure: an attack on the companies that supply the meat used in tacos could potentially cause Taco Bell to cease operations due to a lack of ingredients for meals. The analogy holds true for the military: without food, the troops can’t fight or are, at best, limited.

What this means for your business

Moving beyond the panel discussion, this raises a critical question for businesses: do they really understand the dependencies they need in order to be operationally resilient? Do they understand the dependency their customers have on them to ensure the continued operation of their own businesses?

Sticking with the Taco Bell analogy, imagine a cyberattack that takes away a key element the business needs to operate; for example, if the company relies on a supplier for taco seasoning, then a cyberattack against the supplier could affect Taco Bell’s ability to keep operating. This isn’t mere speculation – there are real-world examples of cyberattacks that have caused this type of disruption. For example, the cyber-incident suffered by Change Healthcare, a health data processing firm, stopped medical services being provided across practices and hospitals.

Today, as far as I know, cybercriminals only extort payment from those they directly attack. But what if a cybercriminal decided to attack the third party and then demand an extortion payment from all the businesses that rely on that supplier? In my example, say the taco seasoning company is disrupted by ransomware. While the cybercriminal may ask the seasoning company to pay a demand directly, they might actually gain more by requesting payment from all the companies reliant on the supplier’s product, as a lack of supply may cost them more than it costs the supplier itself.

While this monetization strategy may seem speculative, there is an important point here: does your business truly understand its dependencies and how to mitigate the risk of attack on those it’s dependent on? A real-world example might be an attack on a catering company that is contracted to feed patients in a hospital. If the ability to feed patients is disrupted due to a cyberattack, then the hospital may have to declare a major incident and close admissions to new patients. In this scenario, would the hospital pay an extortion demand that brings back catering supply?

The key takeaway from this panel session for me is this: we all need to map and fully understand the dependencies we rely on and ensure we have resilience where needed. If we can’t get to a point of resilience, then we at least need to understand the risk posed by the dependencies.
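The dependency mapping the article calls for can be made concrete. The following is an added example, not code from the article or the DEF CON panel: it models a multi-tier supplier graph built on the Taco Bell analogy (every organisation name in it is fictional and constructed) and simulates the outage of each supplier at any tier to find the ones whose loss alone halts operations. It goes a little beyond the article's own scenario by showing why a tier-1-only view of single sourcing is misleading: two produce suppliers that both depend on the same cold-chain carrier look diverse on paper but share one hidden point of failure.

```python
"""Map multi-tier supplier dependencies and find hidden single points of failure.

Added illustrative example, not from the article or the DEF CON panel. The
supplier graph below is constructed to mirror the article's Taco Bell analogy;
every organisation name in it is fictional.
"""
from collections import deque

# Constructed example data. Each key is an organisation; each value maps the
# inputs that organisation needs to the suppliers that can provide each input.
# Organisations absent as keys are leaf suppliers with no modelled inputs.
SUPPLY_GRAPH = {
    "taco_bell": {
        "produce": ["farm_co", "agri_group"],     # dual-sourced at tier 1
        "seasoning": ["spice_works"],             # single-sourced
        "meat": ["meat_packers"],                 # single-sourced
    },
    # Both produce suppliers quietly depend on the same cold-chain carrier.
    "farm_co": {"distribution": ["frost_freight"]},
    "agri_group": {"distribution": ["frost_freight"]},
    "spice_works": {
        "chili_powder": ["spice_importer"],
        "packaging": ["box_corp", "pack_ltd"],
    },
    "meat_packers": {
        "livestock": ["ranch_a", "ranch_b"],
        "cold_chain": ["frost_freight"],
    },
    "frost_freight": {"fuel": ["fuel_co", "petro_inc"]},
}


def tier1_single_sourced(org):
    """Inputs with only one direct supplier: the naive, tier-1-only view."""
    return sorted(i for i, s in SUPPLY_GRAPH.get(org, {}).items() if len(s) == 1)


def transitive_suppliers(org):
    """Every supplier at any tier, mapped to the shallowest tier it appears at."""
    depth = {}
    queue = deque([(org, 0)])
    while queue:
        node, d = queue.popleft()
        for suppliers in SUPPLY_GRAPH.get(node, {}).values():
            for s in suppliers:
                if s not in depth:
                    depth[s] = d + 1
                    queue.append((s, d + 1))
    return depth


def is_operational(org, failed, memo=None):
    """True if org can keep operating while `failed` is offline.

    An organisation is down when any required input has no operational
    supplier left; the effect propagates upward through every tier.
    """
    if memo is None:
        memo = {}
    if org == failed:
        return False
    if org in memo:
        return memo[org]
    memo[org] = True  # provisional value; also breaks any accidental cycle
    memo[org] = all(
        any(is_operational(s, failed, memo) for s in suppliers)
        for suppliers in SUPPLY_GRAPH.get(org, {}).values()
    )
    return memo[org]


def lost_inputs(org, failed):
    """Inputs of org that have no operational supplier once `failed` is down."""
    return sorted(
        i for i, suppliers in SUPPLY_GRAPH.get(org, {}).items()
        if not any(is_operational(s, failed) for s in suppliers)
    )


def critical_suppliers(org):
    """Suppliers at any tier whose loss alone stops org from operating."""
    return sorted(s for s in transitive_suppliers(org) if not is_operational(org, s))


if __name__ == "__main__":
    print("tier-1 single-sourced inputs:", tier1_single_sourced("taco_bell"))
    print("critical suppliers (any tier):", critical_suppliers("taco_bell"))
    for s in critical_suppliers("taco_bell"):
        print(f"  {s}: loses {lost_inputs('taco_bell', s)}")
```

Run as-is, the tier-1 view lists only meat and seasoning as single-sourced, while the outage simulation also flags the tier-2 carrier frost_freight, whose loss removes both produce and meat. In practice the graph would be populated from supplier contracts and your own vendors' disclosed dependencies, and the critical-supplier list is where resilience spending (second sources, buffer stock, contractual recovery targets) should go first.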
