09 Jul 2025
by Richard Beck

Securing digital trade: Lessons from supply chain cyber attacks

In an increasingly interconnected world, the digital supply chain is no longer just a technical concern - it’s a strategic imperative. As geopolitical tensions rise and trade becomes more digitised, the security of our digital infrastructure is now directly tied to national resilience, economic stability, and international trust. Just like our experience of the global pandemic, digital infections can move silently, across borders, and can disrupt global systems and services. 

I’ve seen first-hand how cyber threats targeting supply chains can ripple across industries and borders. As threat actors move with impunity from sector to sector without any geographical boundaries to hold them back, exploiting inherent weaknesses in supply chain outsourcing, an indirect route with deep supplier networks to the knock-on effects on consumer and public services, the risks are real - and growing. 

When one breach becomes everyone’s problem 

Recent high-profile incidents, such as the retail giant M&S, global airline Quantas, and one of the largest banks in Europe UBS, all victims of supply chain attacks, which shows how a single vulnerability can cascade across global systems, and impact millions of citizens with a price tag to match. 

The implications go far beyond IT. When the NHS was hit by a ransomware attack on a third-party provider, it wasn’t just a cybersecurity issue - it became a national health emergency. In today’s world, a compromised supply chain can disrupt everything from healthcare to financial services to international trade. 

Cybersecurity is economic security 

The lines between trade, technology, and security are blurring. Cybersecurity is no longer just about protecting data - it’s about safeguarding the flow of goods, services, and trust across borders. 

Supply chain attacks exploit the very systems that enable global trade - cloud platforms, APIs, identity providers - and turn them into vectors for disruption. Because these systems are often shared across industries and nations, the impact is rarely contained. 

This is why digital trust is now a cornerstone of international trade policy. The global threat landscape demands shared responsibility, interoperable standards and open cooperation to build digital supply chains that are resilient by design. A secure, and resilient digital infrastructure is essential to economic competitiveness and cross-border trade. 

A global challenge requires global cooperation 

Countries around the world are waking up to the systemic risks posed by supply chain cyber-attacks. Yet we have globally fragmented cybersecurity laws, incident response disclosure mandates, and enforcement priorities which fail to enact a genuine coordinated incident response. For example, the EU NIS2 Directive and the US cyber incident reporting for critical infrastructure, alongside the proposed UK cyber resilience bill, all differ in scope and reporting timelines. That’s not helpful or progressive in my opinion. 

This lack of standardisation leads to slower detection, inconsistent mitigation, and poor attribution, the global community must do better, no one enterprise or government secures the global digital supply chain alone. 

To build a more resilient digital ecosystem. But we must go further - embedding cybersecurity into the very fabric of trade agreements, procurement policies, and digital infrastructure planning.   

What can we do? 

The good news? The risks associated with many supply chain attacks can be reduced. A few key practices can dramatically mitigate the risk: 

  • Enforce multi-factor authentication (MFA) across all cloud and SaaS environments. 
  •  Audit and rotate credentials regularly, especially for service accounts and third-party integrations. 
  • Require a Software Bill of Materials (SBOM), avoid blind trust, insist on transparency in your software vendor supply chain. 
  • Limit vendor access and monitor behaviour, ensure you can revoke access and choke off a vulnerability before it spreads into your eco-system. 
  • Educate teams on the principles of Secure by Design and build internal Threat Modeling capabilities to move beyond compliance tick boxing. 

But technical controls alone aren’t enough. We need a mindset shift - one that treats cybersecurity resilience as a core component of trade policy and economic strategy. 

What’s next? A new frontier of supply chain threats 

As technology evolves, so do its threats. Quantum threats are on the horizon, but there is no evidence of post quantum crypto supply chain attacks yet, although this is a real issue. At present we are seeing signs of:  

  • AI-driven fake vendors that gain access through AI generated organisations and fake procurement channels and service desk routes. 
  • Compromised software developer’s tools and pipelines, injecting vulnerabilities into integration tools and platforms and shared libraries. 
  • Poisoned LLM’s and training datasets, creating downstream backdoors for AI applications and models – model supply chain security will dominate through 2026. 
  • Deep supply chain dependencies, where vulnerabilities in fourth, or fifth-tier suppliers can go undetected until it’s too late. 

Staying ahead of these threats will require continuous innovation, international collaboration, and a cohesive commitment to digital resilience, beyond voluntary codes of practice. 

We need a resilient digital trade ecosystem 

Securing digital trade is not just possible - it’s essential. Much of the worlds trade is digital, from communication, payments, logistics and customs. One compromised vendor can paralyse ports, hijack contracts or leak IP. When digital trade grows, so does the attack surface. Secure by Design platforms, trusted vendors, and proven code should be non-negotiable. 

As we navigate tech, trade, and security, one thing is clear to me, trade doesn’t just move in containers, it moves in code, our entire trade flow depends on invisible software and digital supply chains. If the software in your trade pipeline can’t be verified, it can’t be trusted, and if it can’t be trusted we are all exposed! 

For many more insights and resources, head over to QA.com.

techUK International Policy and Trade Programme activities

techUK supports members with their international trade plans and aspirations. We help members to understand market opportunities, tackle market access barriers, and build partnerships in their target market. Visit the programme page here.

 

 

Upcoming events

17 – 18 September 2025

techUK Delegation to the WTO Public Forum 2025

Geneva, Switzerland
23 – 25 September 2025

techUK Delegation to Washington DC 2025

Washington DC, USA

Latest news and insights 

Learn more and get involved

 

International Policy and Trade updates

Sign-up to get the latest updates and opportunities from our International Policy and Trade programme.

 

Here are the five reasons to join the International Policy and Trade Programme

Download

Join techUK groups

techUK members can get involved in our work by joining our groups, and stay up to date with the latest meetings and opportunities in the programme.

Learn more

Become a techUK member

Our members develop strong networks, build meaningful partnerships and grow their businesses as we all work together to create a thriving environment where industry, government and stakeholders come together to realise the positive outcomes tech can deliver.

Learn more

Meet the team 

Sabina Ciofu

Sabina Ciofu

Associate Director – International, techUK

Daniel Clarke

Daniel Clarke

Policy Manager for International Policy and Trade, techUK

Theophile Maiziere

Theophile Maiziere

Policy Manager - EU, techUK

Lewis Walmesley-Browne

Lewis Walmesley-Browne

Head of Market Access and Consumer Tech, techUK

Tess Newton

Team Assistant, Policy and Public Affairs, techUK

 

 

Authors

Richard Beck

Richard Beck

Director of Cyber, QA Ltd