Kaspersky identifies the absence of a global policy response to supply-chain attacks as a ticking time-bomb that puts international cyber-stability at risk.
Digital transformations make every organisation a software company that relies on a multitude of external vendors, adding to difficult-to-manage third-party threats. Their services contain code that may have vulnerabilities, which put their interconnected users – industries, societies, countries – at risk. Nevertheless, due to various disagreements between states, the global community has not yet developed a global policy response to value-chain risks.
At the same time, Kaspersky researchers have been tracking several threat groups that focus on highly targeted supply-chain attacks. Their findings indicate that threat actors target and exploit vulnerabilities in software update and build systems, so that users who install the patches they are asked to apply may unknowingly open backdoors into their IT systems. One recent high-profile example is Sunburst, which was used to compromise numerous public and private organisations around the world.
Increasing information sharing and improving trust between actors is vital to creating a global policy response to value-chain risks.
Speaking at a Kaspersky panel, Craig Jones, Director of Cybercrime at INTERPOL, said: “When the attack happens, people don’t dial 911 or call the police; we’re normally a second or third call after their IT security, but we should be among the first to investigate it – together with computer emergency response teams (CERTs), private partners and across borders.” To reinforce the need for a clear, collaborative and effective response process, Jones continued, “It’s in everyone’s interest to thoroughly investigate incidents, as well as get and share as much information as possible to ensure IT security of the critical infrastructure.”
“Cybercriminals love ‘divide and conquer’ – if we’re divided, criminals flourish. That’s why this is our biggest challenge – much bigger than a technical challenge is to decide on how we all work better together,” added Serge Droz, Chair of Forum for Incident Response and Security Teams (FIRST).
“First of all, as the global community we need consensus – on how exactly international law applies in cyberspace, how human rights should be protected online, how norms of responsible state behavior should be implemented, and what the role of other stakeholders is. Second, we also need to implement what we agreed on and to hold those who violate agreements accountable for their actions,” noted Jon A. Fanzun, Special Envoy for Cyber Foreign and Security Policy, Swiss Federal Department of Foreign Affairs (FDFA).
In this regard, the Geneva Dialogue on Responsible Behavior in Cyberspace, led by the Swiss Federal Department of Foreign Affairs (FDFA) and implemented by DiploFoundation, is an example of building greater trust and a closer community, particularly within industry, to shape a joint vision of digital security and the global policy processes for a trusted, secure, and stable cyberspace.