Cracks in the Cyber Supply Chain — Robert Hannigan

The nature of modern software development makes it hard to know where code was actually written and by whom.

DECEMBER 16, 2019 ROBERT HANNIGAN

Image for post
Image for post

“Traditional investment, due diligence and risk assessment processes need to catch up with the speed and sophistication of cyber threats.”

Denham announced in July that she intended to impose a fine of $123 million on the hotel group. While this is not a trivial amount for any company to face, the wider impact came in the report itself. Denham judged that the fine was appropriate because “Marriott failed to undertake sufficient due diligence when it bought Starwood.” In short, Marriott had acquired a company that had already been severely compromised by hackers, probably in 2014, and only spotted the breach two years after the integration of Starwood and the cross-infection of the wider group.

“As defenses are hardened, cybercrime groups are looking for poorly defended parts of the supply chain as an ideal way in.”

At the high end of cyber threats, notably against the defense sector, risk in the supply chain has been a major national security concern in recent years. The Department of Defense inspector general sounded the alarm in July about the inadequacy of cyber due diligence in procurement decisions, highlighting the threats from hostile nation-states that may be embedded in off-the-shelf products and household-name services.

“The nature of modern software development makes it hard to know where code was actually written, and by whom.”

If we are to avoid a future in which our entire global supply chain is increasingly untrustworthy, we will need a new approach to trust and verification. For governments, this will mean regulation of cybersecurity standards, some of which is already emerging. For companies, it will not be acceptable to take the word of suppliers that their security is good, and questionnaires allowing them to mark their own homework will no longer constitute due diligence.

Cyber Security Specialist. Chairman of BlueVoyant International. Former GCHQ Director & Founder of UK National Cyber Security Centre. Views are his own.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store