Challenges In The Hardware And Software Infrastructure Supply Chain

Yuriy Bulygin is CEO and co-founder of Eclypsium.

Today’s modern global economy, much like the internet itself, operates like an intricate web where everything has grown increasingly interconnected and interdependent. Just as the strongest web can be undone by pulling a single thread, so too can the supply chain of digital infrastructure.

In the domain of cybersecurity, we are dealing with our own supply chain uncertainties that are subject to many of the same macroeconomic entanglements, and their impact extends far beyond matters of trade and commerce and into the realm of national security.

At the center is a complex supply chain of software code and hardware-based components that a sprawling ecosystem of global suppliers develops and maintains—from networking equipment, security appliances and IoT devices to applications, virtual machines and the open-source software that powers every device and piece of equipment in a network’s infrastructure.

In the race to manufacture equipment at the lowest possible cost, original equipment manufacturer (OEM) providers will acquire and integrate components from dozens—if not hundreds—of third-party technology vendors. Increasingly, threat actors have recognized that this complexity is an opportunity they can weaponize for their own nefarious purposes.

Take the September 2023 CISA advisory on BlackTech, the state-backed group linked to the People’s Republic of China (PRC) that’s been able to successfully compromise public-facing routers—enabling it to open backdoors and establish persistence in its victims’ networks. There was also the hack involving SolarWinds in late 2020 in which a vulnerable software update affected thousands of enterprise customers.

Because the preinstalled software that hardware manufacturers and component suppliers use plays such a critical role in every device in the infrastructure, it is also a most attractive target for today’s threat actors. Since it’s buried so deep in the technology stack, many IT security leaders have been lulled into complacency—blissfully unaware of the danger that lurks beneath.

It’s also why many threat actors have devoted more resources to exploiting these vulnerabilities. The Volt Typhoon campaign, which has been attributed to the PRC, is just the latest example of a state-sponsored attack that targets underlying supply chain components to maintain stealth and escalate network privileges.

According to the Microsoft post detailing the threat, the Volt Typhoon campaign “is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises [and] has been active since mid-2021.” In other words, one of our top adversaries may have been digging around in some of our nation’s most sensitive military secrets.

What’s hiding in your digital supply chain?

It’s been more than a decade now since Marc Andreessen proclaimed that “software is eating the world.” By this, he meant that every business, regardless of its industry, must embrace a software-first approach or risk being outpaced by competitors that do. Indeed, his prediction has come to pass, as software is now ubiquitous—from the apps we use on our phones and the software that runs our vehicles to the embedded software that powers every piece of infrastructure hardware in the modern IT stack.

Consider the laptop that you might be using at this very moment. Whether it’s a MacBook Pro, a Dell or a Lenovo, each one of these manufacturers relies upon dozens of direct suppliers who, in turn, source their components from hundreds of subordinate suppliers from across the globe. Even if you explicitly trust a particular vendor, how confident can you be that all of its suppliers are adhering to industry-accepted security best practices?

Unfortunately, there are no easy ways to root out potential vulnerabilities that exist deep within the digital supply chain. Network scanning tools are designed to scan known, accessible systems; they weren’t designed to penetrate the depths of a multitier supply chain and evaluate the security posture of every entity involved.

Because modern supply chains are highly dynamic with new suppliers being added and subtracted according to economic pressures or regulatory requirements, maintaining a consistent and comprehensive overview of all of these parties can overwhelm even the largest, most sophisticated enterprise organization.

This challenge was exemplified in the CISA advisory on the LockBit ransomware, which has quickly grown to become one of the most pervasive threats. It accounted for 16% of government ransomware incidents in 2022 and notably has increasingly set its sights on the vendor supply chain ecosystem. In 2023, a zero-day vulnerability dubbed Citrix Bleed was discovered that allowed LockBit to hijack authenticated sessions and compromise numerous organizations, including Boeing and Toyota Financial Services.

The challenge of securing the digital supply chain is further complicated by the fact that software is embedded far and wide across the hardware ecosystem—from the endpoint devices to the thousands of network peripherals that route traffic and authenticate users, and now to the billions of connected IoT devices that power the global supply chain.

Further obscuring the issue is the fact that few hardware vendors write their own software, instead relying on their supply chain partners who typically license it from a third party or integrate a variety of open-source software into their own end product.

2023 saw a number of high-profile ransomware attacks on major supply chain vendors. A ransomware attack crippled a partner of semiconductor giant Applied Materials, disrupting shipments and causing it to miss an estimated $250 million in sales. Technology conglomerate Cisco suffered a ransomware campaign that exploited two zero-day vulnerabilities to create admin accounts and install implants on Cisco IOS XE devices, compromising over 40,000 devices.

In a future article, I plan on looking at the steps security leaders should take to improve resiliency and ensure the integrity of their downstream supply chains.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
