Supply chain attacks have proven very successful in recent years. Amid increased digitisation, including at government and public services, organisations are more vulnerable to these types of threats than ever before.
However, there is still no global policy response to fix value-chain risks, which represents a hazardous cyber-vulnerability. To address this issue and find possible routes to a solution, Kaspersky has held a special panel discussion within the RSA Conference 2021.
The panel, titled: ‘The ticking ‘cyber-bomb’ and why there’s no global policy response to fix value-chain risks?’, featured Craig Jones, director of cybercrime at Interpol, Jon Fanzun, special envoy for cyber foreign and security policy at the Swiss Federal Department of Foreign Affairs (FDFA), and Serge Droz, chair of the Forum for Incident Response and Security Teams (First).
Digital transformations make every organisation a software company, which relies on a multitude of external vendors, adding to difficult-to-manage third-party threats. Their services contain codes that may have vulnerabilities, which put their interconnected users – industries, societies, countries – at risk.
Nevertheless, due to various disagreements between states, the global community has not yet developed a global policy response to value-chain risks.
At the same time, Kaspersky researchers have been tracking several threat groups that focus on highly targeted supply-chain attacks – their findings indicate that threat actors target and exploit vulnerabilities in the updates and build systems for software, so users, who are asked to install patches, might reveal backdoors into their IT systems.
One recent high-profile example includes Sunburst, which was used to compromise numerous public and private organisations around the world.
The panel discussion participants highlighted that increasing information sharing and improving trust between actors is vital for building a constructive dialogue to create a global policy response to value-chain risks.
“When the attack happens, people don’t dial 911 or call the police, we’re normally a second or third call after their IT security, but we should be among the first to investigate it – together with CERTs, private partners and across borders,” says Interpol’s Jones.
“It’s in everyone’s interest to thoroughly investigate incidents, as well as get and share as much information as possible to ensure IT security of the critical infrastructure.”
First’s Droz adds: “Cybercriminals love ‘divide and conquer’ – if we’re divided, criminals flourish. That’s why this is our biggest challenge – much bigger than a technical challenge is to decide on how we all work better together.”
“First of all, as the global community we need consensus – on how exactly international law applies in cyberspace, how human rights should be protected online, how norms of responsible state behaviour should be implemented and what the role of other stakeholders is. Second, we also need to implement what we agreed on and to hold those who violate agreements accountable for their actions,” notes the FDFA’s Fanzun.
In this regard, the Geneva Dialogue on Responsible Behavior in Cyberspace, led by the Swiss Federal Department of Foreign Affairs (FDFA), and implemented by DiploFoundation, is an example of building greater trust and closer community, particularly, within industry to shape a joint vision regarding the digital security and global policy processes for a trusted, secure, and stable cyberspace.
Kaspersky believes that a safer world for everyone can only be built on mutual trust and collaboration. The company sees a need for a global incident response mechanism to address large-scale and significant cyber-incidents affecting UN Member states and their critical infrastructure.
“This mechanism can be based on providing recommended technical and operational national points of contact in the event of an attack,” says Anastasiya Kazakova, senior public affairs manager at Kaspersky.
“These would serve as a ‘final station’ in reaching out to a national CERT, law enforcement agency or cybersecurity professionals, where needed, to exchange technical information. It is important that incident responders remain neutral.
“Such a mechanism would not only ensure the means for a timely and coordinated global response and incident mitigation but would also help to enhance technical and operational capacities of the global community, thus contributing to greater cyber-stability.”