One of the greatest threats to businesses lies deep in the supply chain, as software grows more complex and new AI supply chain anxieties emerge.
The complexity of software in the modern enterprise means that supply chain breaches are becoming the norm. They’re one of the easiest ways into corporate environments, with third-party exposure a key obstacle organizations must learn to overcome.
In some respects, it seems like supply chain vulnerabilities have been more of a focus in recent years, although admittedly there have been concerns about the software supply chain for as long as there has been software. However, the nature of the tech stack is changing, including the growing adoption of artificial intelligence (AI) components and companies embracing open source.
As a result, in 2024, it’s more important than ever to double down on any steps organizations have previously taken to ensure supply chain resilience. This is especially the case for larger companies with plenty of roots that run deep across the industry, for which it may be much harder to keep track of the entire supply chain.
The changing nature of the software supply chain
Supply chain resilience entails retaining service and function, even in the presence of failures of system components, professor of systems security at Oxford University, Andrew Martin, tells ITPro. But this is “very difficult to achieve in the supply of software”.
“Ideally, it means having the ability to swap software package A with software package B at short notice. It can also mean forward planning and table-top exercises to explore the impact of failure, unreliability, or loss of confidence in particular components, and evaluating whether the organization or service can operate with degraded function – as well as what to do next,” he adds.
“All that is easy to say, but I imagine it’s a bit of a dream for many organizations. That is perhaps the biggest concern here.”
The software in today’s landscape tends to have very complex supply chains, which has only opened the door to more exploitation. In previous eras, malware may have been successful in exploiting vulnerabilities that arose from human error. Cybercriminals are now jumping at opportunities to add their own vulnerabilities by manipulating the packages and components that may eventually filter into the tools and services that organizations use.
“It’s clear that we still have far to go in terms of supply chain security,” says Dr Jason Nurse, reader in cyber security at the University of Kent. “Cybercriminals understand the Achilles heel in the security of many organizations is who they work with. As such, they target attacks at third parties, contractors, and supply-chain partners, and use those avenues as a platform to compromise their true targets. We’ve now seen this on several occasions; supply chains need to be stronger.”
The result, according to a recent study, is a landscape in which no business is safe. Virtually every large organization across Europe suffered a supply chain breach, based on a SecurityScorecard report. That includes 97% of the UK’s FTSE 100, 98% of French companies, 94% of German organizations and 95% of Italian entities.
Part of the reason behind the prevalence of supply chain threats, according to Risk Ledger CEO Haydn Brooks, is that digitization has allowed organizations to outsource more than ever before. Executive teams, therefore, are now more comfortable outsourcing broader parts of the business to external suppliers.
“It’s not just third parties,” Brooks pointed out when speaking at InfoSec Europe 2024 in June. “When you go to a supplier they will be outsourcing stuff to their own third parties, which become fourth parties,” he said. When he asked if any of the security professionals in the audience had a list of fourth parties that their third parties worked with, not one participant could provide one.
The major incidents businesses have suffered in the last two to three years, adds Martin, have “brought the fragility into sharp relief”. The CrowdStrike incident in July underlined the seriousness of supply chain issues, he added. There has, however, been a positive move in that organizations are now more likely to include on their risk register “failure of security in a software supplier”. They are also mapping their supply chains in greater detail than before.
Strategies to make your supply chain more resilient
Key threats an organization faces, says Martin, include vulnerabilities in common software libraries becoming product flaws, products with broad access privileges, such as anti-virus tools, being compromised, and pre-installed software on devices already being compromised. Another growing concern is AI – and many professionals’ reliance on it.
“The new reliance on AI suffers from all the same issues. The AI models themselves and particularly the data on which they were trained form part of the supply chain,” Martin says. “If the training data is compromised or biased, the AI will produce unintended results. ‘Adversarial learning’ covers this eventuality, and many are becoming aware of the potential security failures.”
Forthcoming legislation may help lighten the burden. The push by the US and EU governments for a software bill of materials (SBOM), for example, would improve traceability in software by asking all applications to come with a complete inventory of the software that these tools rely on. The supply chain for AI will also be subject to greater attention. TechWorks, an industry association, launched the Trusted AI Bill of Materials (TAIBOM) project in April this year, which aims to create a framework to guarantee the origins of AI.
Although large businesses are often severely affected by supply chain issues, smaller organizations can take several measures to better protect themselves, Martin says. Chiefly, this involves updating procedures so that it’s possible to rapidly reverse a change if a new update or piece of software causes a problem. Larger businesses, meanwhile, should exploit the “leverage” they have and guarantee good practice and prompt disclosure. They can also demand that suppliers take on the burden of liability, should an issue occur.
“It’s more important than ever to understand the risk present in working within the supply chain and to manage it,” adds Nurse.
“This includes agreeing cyber security strategies, processes, and controls to protect the organization itself and also, a wider strategy to protect the chain. It is also exploring new risk treatment options such as cyber insurance, and pursuing continuous improvement in security across one’s business. Each organization in the chain must also consider and prepare for instances of an attack or incident on the chain or close partners in it, and be able to quickly act. Agility and preparedness are often the determining factor in how significantly a company is impacted by an attack.”
As businesses strive to protect themselves in testing waters, understanding software supply chains and rooting out any possible problems is key. Those that can quickly swap out faulty components will likely be able to withstand the very worst effects.
ITPro created this content as part of a paid partnership with BT. The content of this article is entirely independent and solely reflects the editorial opinion of ITPro.