Supply chain in the digital age: Risks, regulations, and resilience


As threat actors increasingly target supply chains rather than organizations directly, the urgency for effective cyber supply chain risk management has escalated. These attacks compromise trusted components of the technology ecosystem, potentially impacting multiple organizations through a single vulnerability in the supply chain.

Smaller, resource-limited enterprises often find themselves at the downstream end of the cyber supply chain. These organizations may lack the necessary capabilities to robustly defend against cyber attacks. By exploiting vulnerabilities in these smaller vendors and suppliers, attackers can gain access to and disrupt larger organizations, making these smaller entities prime targets.

Despite its critical importance, the complexities of supply chain security often go unnoticed. Consider the deceptively simple process of ordering a product online that arrives at your doorstep within days. This process is supported by a complex network of suppliers, manufacturers, distributors, retailers, and logistics providers—the supply chain. Adding a layer of cybersecurity to this intricate web creates the cyber supply chain.

But why is securing this unseen lifeline so crucial? The impact on businesses, consumers, and the global economy is profound.

Data indicates a significant rise in cyber supply chain attacks, from 702 affected software packages in 2019 to 185,572 by 2022. In the first quarter of 2023 alone, 17,150 software packages were compromised by such attacks. In 2022, around 11 million customers globally were affected by supply chain cyber-attacks. By early 2023, over 60,000 customers reported impacts from such incidents, with prevalent attack types including counterfeiting, drive-by compromise, and malware infection. High-profile incidents such as the SolarWinds Orion compromise, the Log4j (Log4Shell) vulnerability, and vulnerabilities in Ivanti's VPN products and Cisco's networking products highlight the pressing need for robust cyber supply chain risk management.

Vendor, Software, and Hardware Dynamics

Cyber supply chain attacks often target open-source code or widely used commercial APIs because a single compromised or vulnerable component is reused across many software applications. Attackers exploit such components to gain unauthorized access, steal sensitive data, or distribute malware to every downstream user at once.

Many websites depend on code from third-party vendors to add functionality, such as social sharing buttons, advertisement frames, payment processing tools, and chatbots; each of these is code the site operator neither wrote nor controls. It is vital for organizations to implement operational strategies across vendors, software, and hardware to continuously inventory, monitor, and mitigate cyber supply chain risks. Emerging practices such as software bills of materials (SBOMs) and hardware bills of materials (HBOMs) are starting to gain traction, but an inventory is only the beginning of a substantial effort to control these risks: the inventory has to be checked against advisories and acted on.
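As an added example (not code from the article or from any SBOM tool), the following Python script shows the smallest useful thing to do with an SBOM once you have one: read a CycloneDX-style component list and match each component's package URL (purl) against a list of vulnerable version ranges. The SBOM document, the component names, and the advisory list are all constructed for this illustration; the version ranges are hypothetical, not real advisory bounds.

```python
"""Match components in a CycloneDX-style SBOM against vulnerable version ranges.

Added example, not from the original article. The SBOM and advisory list
below are constructed; the ranges are illustrative, not advisory data.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Constructed SBOM in the shape of a minimal CycloneDX JSON document for a
# storefront that embeds third-party front-end widgets and a Java logging library.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "chat-widget", "version": "3.2.0",
         "purl": "pkg:npm/chat-widget@3.2.0"},
        {"type": "library", "name": "pay-sdk", "version": "1.9.4",
         "purl": "pkg:npm/pay-sdk@1.9.4"},
    ],
})

# Constructed advisory feed: (purl without version, first vulnerable version,
# first fixed version, advisory id). Ranges and ids are hypothetical.
ADVISORIES = [
    ("pkg:maven/org.apache.logging.log4j/log4j-core", "2.0", "2.17.1", "ADV-0001"),
    ("pkg:npm/chat-widget", "3.0.0", "3.2.1", "ADV-0002"),
]

_NUM = re.compile(r"\d+")


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1). A pre-release suffix such as '-beta9' is
    dropped, so '2.0-beta9' sorts as 2.0; good enough here, not full semver."""
    head = v.split("-", 1)[0]
    return tuple(int(x) for x in _NUM.findall(head))


def version_in_range(version: str, first_vuln: str, first_fixed: str) -> bool:
    """True when first_vuln <= version < first_fixed, comparing numeric parts
    padded with zeros so that '2.17' and '2.17.0' compare equal."""
    v, lo, hi = (parse_version(x) for x in (version, first_vuln, first_fixed))
    width = max(len(v), len(lo), len(hi))

    def pad(t: tuple[int, ...]) -> tuple[int, ...]:
        return t + (0,) * (width - len(t))

    return pad(lo) <= pad(v) < pad(hi)


def split_purl(purl: str) -> tuple[str, str | None]:
    """Split a purl into (base, version). Qualifiers ('?...') and subpaths
    ('#...') are stripped first; the version is everything after the last '@'
    (scoped npm names encode their '@' as %40, so this is unambiguous)."""
    core = purl.split("?", 1)[0].split("#", 1)[0]
    base, sep, ver = core.rpartition("@")
    return (base, ver) if sep else (core, None)


@dataclass
class Finding:
    component: str
    version: str
    advisory: str
    fixed_in: str


def find_vulnerable(sbom_json: str, advisories=ADVISORIES) -> list[Finding]:
    """Return one Finding per (component, advisory) pair whose version falls
    inside the advisory's vulnerable range. Components without a purl are
    skipped here; in practice they should be reported as unidentifiable."""
    sbom = json.loads(sbom_json)
    findings: list[Finding] = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        base, ver = split_purl(purl)
        ver = ver or comp.get("version")
        if ver is None:
            continue
        for adv_base, lo, hi, adv_id in advisories:
            if adv_base == base and version_in_range(ver, lo, hi):
                findings.append(Finding(comp.get("name", base), ver, adv_id, hi))
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SBOM_JSON):
        print(f"{f.component} {f.version}: {f.advisory}, fixed in {f.fixed_in}")
```

Matching on the purl rather than on the display name matters: the same library can be listed under different names by different build tools, while the purl pins ecosystem, namespace, and package. A real deployment would pull the advisory list from a feed (OSV, the vendor's own advisories) and would also report components that carry no purl or version at all, since those are the ones the inventory cannot vouch for.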

Minimizing Risks: Norms and Regulations

Today, protecting sensitive data is not just best practice; it's a legal requirement. Regulations like the EU's General Data Protection Regulation (GDPR), the US Health Insurance Portability and Accountability Act (HIPAA), and Singapore's Personal Data Protection Act (PDPA) set binding requirements for safeguarding personal and medical information, and those obligations extend to the vendors and processors that handle the data on an organization's behalf. Compliance builds trust with customers, patients, and stakeholders.

In Asia, the UN norms of responsible state behaviour in cyberspace are promoted through regional initiatives like the ASEAN Cybersecurity Cooperation Strategy. Countries such as Japan, South Korea, and Singapore adhere to both global standards and local requirements, focusing on public-private partnerships and supporting cybersecurity innovation.

Collaborative efforts in Asia with the UN and INTERPOL aim to align regional and global cybersecurity practices. Notably, Asian governments emphasize cyber sovereignty, adapting global norms to fit local contexts and making significant investments in cybersecurity infrastructure to address regional threats and challenges.

In Singapore, the government-led Counter Ransomware Task Force addresses ransomware attacks specifically, publishing guidance on ransom payments and outlining comprehensive strategies to counter ransomware threats effectively.

Steps Towards Cyber Resilience

Recognizing the complex nature of today’s cybersecurity challenges, governments worldwide are enhancing compliance measures, especially in critical infrastructure sectors. As legislation mandating cybersecurity standards is introduced or considered in various countries, the path forward is becoming clearer.

Key measures include implementing universal cybersecurity standards, encouraging R&D, and fostering public-private partnerships. Education and training initiatives are crucial to develop a skilled cybersecurity workforce. Additionally, establishing an international legal framework to address cybercrimes and promote responsible state behavior in cyberspace could significantly bolster cyber supply chain security.

Meanwhile, the private sector must take proactive steps to understand its digital attack surface, which includes the cyber supply chain, and embed protective controls within its technology architecture rather than bolting them on afterwards.

Organizations should also conduct regular cybersecurity assessments and engage in threat hunting, security testing, and red team exercises to validate their defensive measures.

Tabletop exercises and war games are important for evaluating an organization's incident and crisis management capabilities before a real incident tests them. Participating in information sharing and threat intelligence initiatives can also enhance early warning capabilities and proactive defense.

Addressing cyber supply chain threats requires ongoing vigilance and strategic planning to develop effective solutions over time.