SolarWinds was not the first supply chain cyber attack and it won’t be the last. Every day, companies find themselves compromised through their vendors, who unknowingly deliver attacks — especially ransomware in the past year — to the customer company. Once a compromised company is delivering a sophisticated attack through a software upgrade, it’s already too late to do anything but contain the damage. The first line of defence needs to be upstream — at the point where the supply chain company is first compromise

In an earlier post I talked about the principles of supply chain compromise. But C-Suite executives…

The cyber attack still unfolding in the US may turn out to be the most serious nation state espionage campaign in history. Assessing the possible damage and clearing up the infection will take many months and will extend to the thousands of government departments and FTSE companies in many countries that used SolarWinds Orion software for managing their networks, since it was the regular upgrades to this which delivered at least part of the infection. If Russian intelligence agencies were responsible, we should assume the damage goes beyond mere espionage — they may use the access to alter, monetise or destroy corporate and government data.


Governments and regulators are worrying about third party cyber risk. They clearly regard the current approach as inadequate. Large organisations are also worried — but the scale of the task for overstretched teams is daunting. They are struggling to keep up with the threat for three key reasons.

1. Prioritisation. The scale of the supply chain ecosystem for most companies is so large that they have no choice but to prioritise, trying to identify those suppliers that are ‘critical’. But traditional priority categories don’t necessarily work for cyber because they may not be where the risk comes from. The top…

The West’s approach to Chinese advances in technology over the past twenty years has been almost entirely reactive, complacent, and belated. Worse, the democratic world has looked to its own technologists as proxies for a wider political strategy in handling the rise of China. There has been no coherent strategic political approach capable of reacting to Beijing’s newly aggressive stance — highlighted by its abuse of power in Hong Kong — and an apparent inability within or between western governments to decide whether China is an opportunity or a threat. …

Governments rarely make their best decisions in a crisis. Crises do not lend themselves to perfect policy making. There is no time for the careful analysis and discussion of unintended consequences that would normally be seen as essential. A pandemic requires us to settle for ‘good enough’, to avoid making perfection the enemy of what works, and get on with whatever saves lives. That is true of vaccine development, drug therapies and testing products, and it is also true of contact tracing technology solutions. But just as we are clear about the safety and efficacy redlines for a vaccine, however…

The nature of modern software development makes it hard to know where code was actually written and by whom.
Robert Hannigan chairs the international division of BlueVoyant, a cybersecurity company. Until 2017 he was the director of GCHQ, the U.K. signals intelligence agency, and he established the country’s National Cyber Security Center. He is a senior fellow at Harvard’s Belfer Center for Science and International Affairs.

This summer, Elizabeth Denham, the U.K.’s information commissioner, issued an important ruling that sent quiet shockwaves through European corporate boardrooms. The ruling effectively expanded the responsibility of companies in relation to their software and technology supply chains.

The key development came from the fallout of the Marriott data…

Extracts from a speech at the launch of the IISS Japan Chair — Tokyo, 5 June 2019

At a time of strained relations between our mutual ally, the United States, and China — much of it centred on technology competition and cyber threats — I wanted to reflect for a few moments on two great challenges for Japan, the UK and other democratic countries which arise from new global trends in technology.

Every democratic country is grappling with the same questions. How can we reduce the impact of cyber attacks on our citizens and our economies in the future? And…

Robert Hannigan

Cyber Security Specialist. Chairman of BlueVoyant International. Former GCHQ Director & Founder of UK National Cyber Security Centre. Views are his own.
