Pedro Fortuna, CTO and co-founder of Jscrambler, discusses how governments have looked to strengthen defences against web supply chain cyber attacks
To maintain user and company protection, the paradigm of web supply chain security needs a rethink.
As more and more businesses rely on technology or move entirely online, new security concerns keep arising. Supply chain security is one of them, and it has moved to the centre of the discussion after major cyber attacks such as the SolarWinds incident. In line with these concerns, governments have become involved and taken action to strengthen national cyber security defences against software supply chain attacks.
First, the US government put out an executive order, and then it was the UK's turn. The UK government has announced a call for views on the defence against software supply chain attacks and on ways to strengthen IT managed service providers (MSPs) across the country.
Recent statistics make the importance of the UK government's stance quite clear. The DCMS Cyber Security Breaches Survey 2021 found that just 12% of businesses have reviewed the cyber security risks posed by their immediate suppliers, and only 5% have done so for their wider supply chain. These numbers not only show how little visibility businesses have over their supply chain; they also show the ideal environment attackers have in which to thrive.
The UK Government must keep an eye on its vulnerable supply chain
Supply chain security has also become a paramount concern when it comes to the Web, especially after a series of sophisticated attacks like the recent Codecov incident. Web supply chain attacks rely on the fact that companies load code from hundreds of third-party suppliers and find it extremely hard to verify the integrity of every single one of them, which leaves a security blind spot. When an attacker takes advantage of this and manages to change the code that one supplier serves, they can inject arbitrary code into every website that loads it, without having to breach any of those sites directly. Naturally, this approach is popular with attackers because it is scalable and low-effort relative to the number of targets that can be hit with a single breach.
So, how can businesses effectively protect themselves from web supply chain attacks? Currently, the best approach seems to be gaining real-time visibility into, and control over, the behaviour of each third-party provider. This means that businesses should first monitor each of their website scripts and be alerted when suspicious activity takes place, such as a script contacting a domain it has never used before or reading form fields it has no business reading. However, for a defence-in-depth approach, organisations need to go beyond visibility and must be able to control and restrict those behaviours.
The key to effectively controlling web supply chains is for companies to be equipped with a strong set of ground rules that define how each of their website components can and cannot behave. Those rules can then drive automatic responses that block malicious behaviours, making sure that businesses maintain the integrity of their websites.
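To make the monitor-then-restrict idea above concrete, here is an added example of a minimal "ground rules" engine for third-party website scripts. It is written for this article and is not Jscrambler's product or any real library; the policy format, the event shape, the script and destination origins, and the report/enforce modes are all assumptions made for the illustration. The policy is a deny-by-default allow-list per script origin, so a compromised script that starts sending data to a new domain is flagged without anyone having to anticipate that domain in advance.

```javascript
// Added example (not from the article or Jscrambler): a minimal "ground rules"
// engine for third-party website scripts. Policy format, event shape and all
// origins below are assumptions made for this illustration.

// Policy: for each third-party script (keyed by its origin), what it may do.
// Anything not listed is denied, so a compromised script that starts sending
// data to a new domain is caught by default.
const POLICY = {
  "https://cdn.analytics.example": {
    network: ["https://collect.analytics.example"], // destinations it may contact
    readForms: false,                                // may it read form fields?
  },
  "https://cdn.payments.example": {
    network: ["https://api.payments.example"],
    readForms: true,                                 // a checkout widget legitimately needs this
  },
};

// Decide whether one observed behaviour is allowed by the policy.
// event: { script, type: "network" | "readForm", target }
function decide(policy, event) {
  const rules = policy[event.script];
  if (!rules) {
    return { action: "block", reason: "unknown script origin" };
  }
  if (event.type === "network") {
    let dest;
    try {
      dest = new URL(event.target).origin;
    } catch {
      return { action: "block", reason: "unparseable destination" };
    }
    return rules.network.includes(dest)
      ? { action: "allow", reason: "destination allow-listed" }
      : { action: "block", reason: `destination ${dest} not allow-listed` };
  }
  if (event.type === "readForm") {
    return rules.readForms
      ? { action: "allow", reason: "form access allow-listed" }
      : { action: "block", reason: "form access not allow-listed" };
  }
  return { action: "block", reason: `unknown behaviour type ${event.type}` };
}

// Monitor: records every decision (visibility) and, in "enforce" mode, turns a
// block into a thrown error (control). "report" mode only logs, which is the
// first stage described above: watch first, restrict once the rules are known.
function createMonitor(policy, mode = "report") {
  const log = [];
  return {
    log,
    check(event) {
      const verdict = decide(policy, event);
      log.push({ ...event, ...verdict });
      if (mode === "enforce" && verdict.action === "block") {
        throw new Error(`blocked ${event.type} from ${event.script}: ${verdict.reason}`);
      }
      return verdict;
    },
  };
}

// Wrap a fetch-like function so that calls made on behalf of a given script are
// checked before they leave the page. In a browser the wrapper would replace
// window.fetch and attribute the caller (for example from a stack trace); here
// the script origin is passed in explicitly to keep the example self-contained.
function guardedFetch(monitor, realFetch, scriptOrigin) {
  return (url, options) => {
    monitor.check({ script: scriptOrigin, type: "network", target: url });
    return realFetch(url, options);
  };
}

// Demonstration on a constructed sequence of behaviours: report mode first,
// then enforce mode against a constructed exfiltration attempt.
function demo() {
  const events = [
    { script: "https://cdn.analytics.example", type: "network", target: "https://collect.analytics.example/v1/hit" },
    { script: "https://cdn.analytics.example", type: "network", target: "https://drop.attacker.example/x" }, // constructed exfiltration
    { script: "https://cdn.analytics.example", type: "readForm", target: "#card-number" },
    { script: "https://cdn.payments.example", type: "readForm", target: "#card-number" },
  ];
  const reporter = createMonitor(POLICY, "report");
  const verdicts = events.map((e) => reporter.check(e).action);

  const enforcer = createMonitor(POLICY, "enforce");
  const fakeFetch = (url) => Promise.resolve({ ok: true, url }); // stand-in for window.fetch
  const analyticsFetch = guardedFetch(enforcer, fakeFetch, "https://cdn.analytics.example");
  let blocked = false;
  try {
    analyticsFetch("https://drop.attacker.example/x");
  } catch {
    blocked = true;
  }
  return { verdicts, blocked, entries: reporter.log.length };
}
```

Running demo() returns verdicts allow, block, block, allow for the four constructed events, and the enforcing wrapper refuses the exfiltration request before the underlying fetch is ever called. The hard part in a real deployment is not the policy but the attribution: knowing which script a given network call or DOM read came from, which is what a behavioural monitoring product has to solve. A static Content Security Policy connect-src header covers the network half of these rules for the page as a whole, but not per script, so it complements rather than replaces this kind of per-component control.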
The UK government's initiative is a step in the right direction, and it is expected to contribute to exactly that integrity by bringing more awareness and guidance to businesses. Getting the information across to organisations and showing them how they can protect their supply chain is a crucial part of the nationwide cyber resilience effort. And although complete cyber resilience is a complex matter that will develop over a long period, the paradigm of web supply chain security needs to change fast to protect both businesses and users from damaging consequences.