
Supply Chain - The Achilles Heel of Cybersecurity

by Patricia de Hemricourt, August 13th, 2024

Too Long; Didn't Read

Supply chain vulnerabilities represent one of the most substantial cyber-related threats. A single point of failure, whether malicious or resulting from a human error, has the potential to cascade through the entire downstream network shards and disrupt the global economy. A mere 15 companies worldwide account for 62% of the market for cybersecurity services.

Do you remember the sudden blue screen of death explosion on July 19, 2024? That was due to a faulty update from one of Windows’ cybersecurity providers, a major and well-reputed company called CrowdStrike. The CrowdStrike debacle was a stark reminder of the inherent fragility of today's intricately networked digital ecosystems. CrowdStrike is only one of Windows' suppliers, and no available information makes it possible to quantify their combined risk.

As businesses still grapple with the fallout, it's becoming increasingly clear that, aside from human mistakes, supply chain vulnerabilities represent one of the most substantial cyber-related threats. A single point of failure, whether malicious or resulting from a human error, has the potential to cascade through the entire downstream network shards and disrupt the global economy.

The Scale of the Threat

By July 26, estimates for the losses associated with the CrowdStrike outage reached a staggering $5.4B.
Taking into account that the 8.5 million computers impacted account for less than 1% of computers running Windows, the costs could have been far higher.


Two weeks before CrowdStrike's disastrous blunder, Shani Bar Niv, Head of Regulation & Supply Chain Risk Management at Israel's National Cyber Directorate (INCD), painted a sobering picture of the exposure to supply chain risks. "Supply chain cyber-attacks are currently 20% of data link incidents," she said at the Tel Aviv Cyber Week 2024 event. "The cumulated damage of the 245,000 attacks of supply chain recorded in 2023 was estimated at approximately 46 billion. The forecast for 2024 is that these damage costs will rise to $60 billion."


Particularly perilous for the global economy and for the continuous functioning of critical infrastructure worldwide is the concentration of cybersecurity services. A mere 15 companies worldwide account for 62% of the market for cybersecurity products and services.


If a single incident from a cybersecurity company can reach a cost of $5.4 billion, a single cybersecurity company breach with similar ripple effects could contribute to a stark rise in these forecasted damage costs.


Even worse, a single breach of any Windows supplier infecting a larger percentage of Windows users would catapult those costs to unimaginable heights. Not to mention the potential for catastrophic disruption of critical infrastructures.

The Two Sides of AI-Induced Cyber Risks

Much has been said about the multiple malicious ways cybercriminals can leverage AI to fine-tune and scale their attacks. The growing sophistication of attacks likely reflects AI being incorporated into advanced techniques.


The other, less-discussed side is the increased risk stemming from including AI in the organization's own systems.

AI - The Malicious Actors’ Best New Toy

Like most humans, malicious actors are lazy. That is why phishing attacks used to be spray and pray: poorly written, rife with typos, and leading to easily spotted, poorly designed fake landing pages.


With the advent of AI, phishing attacks are no longer easy to detect. They are customized to appear legitimate and personalized to target specific individuals.


A recent case in point is an attack against an unemployment office. The attack craftily started on a Friday by sending an SMS from the unemployment office number. "Due to construction works, access to the unemployment office is not available this week. Unless you have started working, click the link below for this week's reporting." This SMS appeared to emanate from the unemployment office as it appeared in the SMS feed for that number. As soon as the target clicked on the link for the offered online reporting, they received a confirmation SMS. The next day, a Saturday, when the unemployment office is closed, the malicious actor sent a new SMS requiring the target to update their banking account details. By Sunday, the original smishing message had vanished from the target's SMS feed, considerably complicating the addition of the suspicious URL to IoC banks.


This attack combines individually selected targets, context-appropriate content, an evaluation of the target's likely naivete, a three-step interaction, a custom-designed landing page, and evasion techniques.

AI - IT, SOC, and System Architects' New Best Friend?

The allure of AI in cybersecurity is undeniable. Like a shiny new toy that's impossible to resist, AI promises to slash response times, redistribute precious resources, and eliminate tedious processes. For IT teams, SOC analysts, and system architects, the prospect of a tireless digital assistant that can accelerate tasks and enhance decision-making is nothing short of revolutionary. The potential to automate threat detection, streamline incident response, and even predict future vulnerabilities makes AI integration seem like a no-brainer.


Yet, integrating AI into organizational cybersecurity strategies is a double-edged sword, particularly in managing the complexities inherent to supply chain risk management. While AI offers unprecedented capabilities in system architecture design and threat detection, we must remain acutely aware of its limitations and potential pitfalls.


The algorithmic nature of AI introduces a new set of challenges. Biases and errors can silently creep into AI-driven decision-making processes, and the opaque nature of many AI systems severely limits transparency, hiding entire branches of the decision-making tree. When security teams can't fully understand or explain AI-driven decisions, accountability becomes murky, and identifying the root causes of security breaches becomes exponentially more difficult.


Integration challenges also loom large in the AI landscape. Poorly implemented AI systems can create data silos or visibility gaps across various parts of the supply chain, inadvertently introducing new vulnerabilities. "Processes are integrated into a complex ecosystem connecting them." This interconnectedness means that AI-induced blind spots in one area can have cascading effects throughout the entire supply chain.

Rethinking Supply Chain Security

Considering these evolving threats, organizations must reconsider their approach to supply chain security. Dan Pastor, Director of Product Management at Mastercard, emphasizes the need for a change in basic assumptions:


"If in the past we used to focus a lot on vendor or third-party risk management, now we're seeing a much more significant move towards supply chain risk management. This requires understanding how processes depend on each other and how that interdependence can affect the entire ecosystem."


This shift requires a more holistic view of security, one that considers the entire supply chain as an extension of an organization's network. It's no longer enough to secure your perimeter; you need to understand and mitigate the risks posed by every link in your supply chain.

Building Resilience

The unstoppable growth and increasing sophistication of attacks, combined with system and network complexity, mean that more and more attacks will breach the attack surface. As Pastor notes, "Not every type of attack will be blocked, and not every type of vendor will meet specific requirements. Organizations need to understand the implications on their operations and ensure that business continuity is maintained."


This means developing and regularly testing robust disaster recovery plans. It also means adopting a risk-based approach to supplier assessment, as highlighted by Dalit Caspi-Schachner, Head of Cybersecurity Strategy at Bank Hapoalim. She describes a collaborative effort to develop a standardized questionnaire for assessing supplier risk in the banking sector:


"We used a risk-based approach. The questionnaire is structured with three levels of risk, allowing banks to tailor the security requirements based on the supplier services and associated risk profile."

The Role of Regulation and Collaboration

Regulatory frameworks must evolve apace with the rapid changes of the cybersecurity reality on the ground. Micha Weis, Head of the Financial Cyber Unit at Israel's Ministry of Finance, underlines the importance of coordination between regulators and the private sector:


"We need to adapt the supply chain sector. Regulators need access to up-to-date data about cyber ecosystems and risk evolution. It is up to the private sector to support them."


This collaborative approach extends beyond national borders. Sheila Casserly, Director of Digital Policy, North America at Schneider Electric, stresses the importance of international cooperation: "As new cyber and product security and supply chain security regulations appear throughout the world, the most important thing that we can all advocate for is mutual recognition and interoperability of these regulations."

Lessons from the CrowdStrike Wake-Up Call

The recent CrowdStrike outage is a stark reminder of our digital ecosystems' fragility. It elevates supply chain risk management from an IT issue to a critical business imperative demanding top-level attention.


This incident underscores the need for a holistic, resilient approach to supply chain security. To quote Casserly, "We need to pay attention to our supply chains, especially open-source vulnerabilities, and ensure we have robust disaster recovery plans."


Organizations must diversify cybersecurity providers and adopt a comprehensive view of their entire digital supply chain. The CrowdStrike failure shows that even trusted names aren't immune, reinforcing the importance of multi-layered protection and well-tested contingency plans.


Threats are evolving, but so are our capabilities. Moving forward, vigilance, agility, and commitment to ongoing learning will be key. The CrowdStrike incident is a wake-up call—it's up to us to answer it with renewed determination and innovative approaches to supply chain security.