As nation-state hacking becomes 'more in your face,' are supply chains secure?
In an era where nation-state hacking has become increasingly sophisticated and brazen, former US Air Force cyber officer Sarah Cleveland is sounding the alarm about the vulnerability of supply chains. In a recent interview with The Register, Cleveland warned that companies shouldn't wait for government mandates or warnings to take action, but rather should proactively secure their networks and supply chains against potential threats from groups like Beijing's Silk Typhoon.
Cleveland, who now works as senior strategic advisor for public sector at network intel infosec outfit ExtraHop, has seen firsthand the devastating effects of nation-state hacking. "Nation-state hacking has become more in your face," she says. "Before, it was gathering intelligence, stealing data or stealing just information, but now it has moved into manipulating systems and disrupting critical infrastructure." She cites Silk Typhoon as an example of a group that has been linked to the December US Treasury intrusions, and warns that similar attacks are on the horizon.
"What makes these attacks so insidious is that the attack surface, like critical infrastructure, has expanded and exploded just because of the way we use third-party vendors and contractors and cloud service providers," Cleveland explains. "So if any of those external entities are compromised, it opens up so many avenues to cause significant damage downstream, with cascading effects."
Cleveland acknowledges that not everyone will take drastic measures like installing solar panels on their roof – a personal precaution she took after realizing the potential for disruption in critical infrastructure. However, corporations should take immediate action to secure their supply chains and networks, rather than waiting for government intervention or threats of fines.
"I think it's always best to take care of yourself and your company, your information, your data, rather than waiting for others to tell you what to do or threatening you with fines," Cleveland advises. "Organizations, especially critical infrastructure owners and operators, need to be mindful of who they do business with and how they do business."
Even solar panels are not immune: most of the inverters used with them are manufactured in China, which raises concerns about data flow and potential infiltration.
"Companies do need to invest in tools that will have a visibility and understanding of what their network is, where their data is going, and if there is infiltration," Cleveland emphasizes. "Enforcing zero-trust security policies, turning on multi-factor authentication, and having mature cybersecurity processes are equally important in combating supply-chain risks."
"Know who you're hiring, what you do with accounts, and if somebody leaves a company, how quickly could you de-provision it," Cleveland stresses. "Understand who gets access to what data, how that data is flowing – just having that visibility cuts down on a lot of risk."