The National Security Implications of Vulnerable Supply Chains

Conversations about supply chain risks and compromises continue to dominate much of the contemporary cyber security discourse. With high-profile 2023 incidents like the MOVEit supply chain breach hitting British organisations such as the BBC, British Airways, and Boots, the cascading impacts of vulnerable supply chains are clearer than ever. 

At the national security level, the risks of supply chain compromises get amplified beyond mere profit loss or privacy breaches to pose significant societal risks. Here’s a look at some of the key national security implications of vulnerable supply chains.

Cyber Security Vulnerabilities in Supply Chains: A National Security Perspective

Modern supply chains span complex networks of interlinked parties, where a cyber breach in one of those parties can spread across the whole chain via a domino effect. UK national security supply chains involve parties like the MoD, Home Office, defence contractors like BAE Systems and Rolls-Royce, logistics companies, software companies, and telecom providers. Cyber security vulnerabilities in supply chains can stem from issues like third-party vendor compromises, malicious software updates, embedded hardware flaws, insider threats, and outdated/unpatched systems.

In the private sector, just 13 per cent of UK businesses review the risks posed by their immediate suppliers (although the figure jumps to 55 per cent when just looking at large businesses). Here’s an overview of national security risks that make it clear why this figure should be closer to 90 or 100 per cent when looking at supply chains for critical sectors.

Sabotaging critical infrastructure

Cyber vulnerabilities in supply chains can be exploited to sabotage critical infrastructure such as power grids, water treatment facilities, and nuclear energy. Successful attacks can lead to widespread disruption and chaos. In the worst cases, sabotage of critical infrastructure endangers human life through issues like poisoned water supplies or leaking radioactive waste.

The risk of critical infrastructure sabotage hits close to home given recent news headlines. In July 2023, Several UK NHS ambulance organisations have been struggling to record patient data and pass it to other providers following a cyber-attack aimed at health software company Ortivus. Among the issues flagged, staff at South Central Ambulance Service Trust had been forced to use pen and paper following the incident and were being warned about the possibility of phishing attacks.

Conducting cyber espionage

Vulnerable supply chains provide an avenue for cyber espionage. Adversaries can exploit weak links to infiltrate networks and access sensitive government and military information to compromise national security. The economic slant to this espionage is the ability to steal intellectual property, trade secrets, and other valuable commercial information, and undermine the UK's competitive advantage in particular sectors like space tech, AI, etc.

A joint 2023 advisory issued by the UK’s National Cyber Security Centre (NCSC) and South Korea’s National Intelligence Service (NIS) warned of North Korean hackers conducting espionage and stealing advanced technology research via software supply chain attacks. These attacks used methods like compromising third-party software or leveraging zero-day vulnerabilities (weaknesses previously unknown to the software vendor).

Undermining communications

Communications infrastructure is the backbone of both civilian life and military operations, especially in today’s hyperconnected world. A compromised component within the telecommunications supply chain could lead to widespread surveillance, interception of sensitive communications, transport hazards to aviation and rail, or a complete blackout of critical communication channels.

Social unrest

If hackers target the supply chains of essential commodities like food, water, or medicine, social unrest is also a risk. The plausibility of this type of unrest is clear when you remember just how rapidly panic buying and food shortages set in during the Covid-19 pandemic. Social unrest destabilises the government and makes it harder for the relevant authorities to maintain public order and national security.

Increased Visibility Strengthens Critical Supply Chains in the UK

With these risks in mind, what are some difference-makers in increasing the resilience of national security against critical supply chain compromises? Here’s why increasing visibility should be the first port of call.

Many risks remain obscured or unrecognised due to the complex and layered nature of modern supply chains. These issues aren’t immediately apparent because they often lie in the less monitored or scrutinised parts of the supply chain, such as in small third-party vendors or the deeper tiers of suppliers (e.g. suppliers of suppliers). The MOVEit breach from 2023 was a case in point—the BBC and other British institutions were hit not because they ran MOVEit software, but because their payroll provider Zellis was hacked by the breach, which led to sensitive data access.

Better visibility allows for a more comprehensive understanding of where data is stored, processed, and transmitted across the entire chain. It also helps with uncovering potential weak spots that might be targeted by cybercriminals.

Real-time monitoring and faster response to intrusion are other benefits of improving visibility—advanced analytics and AI-driven tools can help detect anomalies and potential threats by continuously analysing data from various points in the supply chain.

Detailed mapping of the supply chain, including all tiers of suppliers, is imperative for understanding the full scope of potential cyber risks. Tools like visualisation software, supply chain management platforms, and ERP systems can all help here, but manual auditing also has its place.

Improved visibility extends to not only knowing exactly who and what comprises a supply chain, but also scrutinising the cyber security practices of third-party vendors and suppliers.
Regular assessments and audits help verify that external parties comply with stringent cyber security standards to reduce the risk of introducing vulnerabilities into the most critical supply chains.

Given the continued prevalence of software supply chain attacks where malicious actors compromise software before it reaches the end-user, visibility into the development and distribution process is paramount. Efforts here must include thoroughly vetting the security of code, monitoring updates, and ensuring the integrity of software components throughout the supply chain.

Overall, the national security implications of vulnerable supply chains are too serious to ignore. Start with better visibility and expand to other strategies, like using the UK government’s supplier assurance framework and 12 principles of supply chain security.