25 Jan 2024
by James Patrick

Supply chain security: Responding to emerging cyber threats

Guest blog by James Patrick, Solutions Architect at Zaizi #NatSec2024

As a Principal Solutions Architect at Zaizi, a mission-driven government supplier, I'm keenly aware of the escalating sophistication of tech supply chain attacks. Adversaries targeting open-source repositories and exploiting software vulnerabilities represent a significant national security risk. By digesting recent examples of these threats and scanning the horizon, it’s possible to outline strategies to mitigate them.

MOVEit breach - A case study in supply chain security gaps

The 2023 MOVEit breach is a stark example of the vulnerabilities in tech supply chains. Attackers exploited an SQL injection vulnerability in MOVEit's data transfer services, accessing sensitive payroll data from third-party users. The blast radius was international, significant, and affected a variety of government and public sector entities.

The incident underlines the potential for significant data breaches through software supply chain vulnerabilities. It naturally highlights the importance of robust incident response plans and the need for heightened security testing in the software development lifecycle. However, it also serves as a lesson to us all that no piece of third-party tech is impervious to targeting. It has become all too easy to be lulled into a false sense of security when the user-facing functionality is stable and reliable.

But the supply chain is not just the applications we use or integrate; it lives deep in the code that makes them run.

The threat from code in the open

Open source harnesses community collaboration to solve complex technical problems. It helps organisations build stable, reliable, and efficient systems — a reason why GDS made it a policy for government organisations to use open-source software back in 2012!

So, the broader open source supply chain, the tools used by those developing the tools, is naturally of high interest for malicious actors.

Attacks on popular open-source repositories like npm and PyPI have grown dramatically over the last four years; some published statistics indicate increases of up to 300%. These repos have become prime targets for cybercriminals and hostile states, providing a back door into target ecosystems. Thousands of malicious packages have been added to npm alone, exemplifying the scale of this threat.

Typosquatting, a method by which attackers create look-alike packages mimicking popular software, has been particularly effective. This approach was used in both the Material Tailwind and IconBurst attacks, during which developers were tricked into downloading malicious packages.
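A defender-side check of the kind the typosquatting paragraph calls for, added here as an example (it is not code from the post or from Zaizi): it compares the package names in a dependency manifest against an allow-list of well-known names and flags near-misses that are not exact matches. The allow-list, the sample manifest and the edit-distance threshold are constructed assumptions for illustration.

```python
import re
# Constructed allow-list of well-known package names (illustrative, not a real inventory).
KNOWN_PACKAGES = {"requests", "urllib3", "python-dateutil", "colorama", "pyyaml"}

def normalise(name: str) -> str:
    """PEP 503 name normalisation: case-fold and collapse runs of -, _ and . to one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute/adjacent-transpose, each cost 1."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def suspicious_packages(requirements: str, known=KNOWN_PACKAGES, max_distance: int = 2) -> dict:
    """Map each requested name that is a near-miss of a known name, but not an exact
    match after normalisation, to the known name it resembles."""
    known_norm = {normalise(k) for k in known}
    hits = {}
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name = re.split(r"[=<>!~\[;\s]", line, maxsplit=1)[0]  # strip version specifiers
        norm = normalise(name)
        if norm in known_norm:
            continue  # legitimate spelling variant, e.g. python_dateutil
        closest = min(known_norm, key=lambda k: osa_distance(norm, k))
        if osa_distance(norm, closest) <= max_distance:
            hits[name] = closest
    return hits

# Constructed manifest mixing legitimate pins with look-alike names.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
reqeusts==2.31.0   # transposed letters
urlib3>=1.26       # dropped character
python_dateutil    # separator variant that normalises to a known name
colourama          # one inserted letter
"""

if __name__ == "__main__":
    for bad, good in suspicious_packages(SAMPLE_REQUIREMENTS).items():
        print(f"{bad!r} looks like a typosquat of {good!r}")
```

Running it against the constructed manifest flags `reqeusts`, `urlib3` and `colourama` while letting `requests` and the `python_dateutil` spelling variant through; the same logic applies to an npm lockfile once the name extraction is adapted.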

Then there are secret leaks – where sensitive information is left in public source code, as seen in breaches at the U.S. Department of Veterans Affairs and Toyota. This risk is particularly relevant to the public sector, where “code in the open” remains the encouraged approach.

The imperative for enhanced security measures

These incidents underscore the need for a paradigm shift in how we utilise and depend on third-party applications and open-source repositories. Increased security scrutiny and proactive measures are essential to protect integrations and source code from being a conduit for further attacks.

But what does supply chain security look like in practice?

The easy approach is to consolidate broad principles into key steps we can each take immediately and maintain indefinitely, ensuring that we are:

  • Implementing robust incident response plans.
  • Increasing security testing throughout the software development lifecycle.
  • Applying multiple layers of security for sensitive data transfers.
  • Regularly reviewing and updating security certifications of third-party software.
  • Conducting regular reviews of supply chain cyber security to identify potential vulnerabilities.

But this approach is simply too general, which is where the OSC&R (Operational Security, Continuity, and Resilience) framework can slot into our collective arsenals and complement our efforts, just as ATT&CK has provided some codification around threat modelling.

As a framework, OSC&R represents a comprehensive approach to safeguarding the integrity, reliability, and efficiency of supply chains. Applying it involves a thorough analysis of suppliers, logistics, and critical infrastructure, ensuring that every link in the chain is secure and reliable.

It makes an excellent addition to tried and tested NCSC guidance, and the wealth of practical advice available from the NPSA. It all contributes to public sector suppliers meeting the continuous principles-based assurance demands of GovAssure.

Keeping pace in the supply chain marathon

Our security strategies need constant review and ongoing iteration if we are to keep pace with the rapidly shifting supply chain risks. And industry is not alone, with supply chain risk mitigation a key outcome in the Government’s own 2022-2030 cyber security strategy.

Given my focus on national security, I advocate for a multifaceted and collaborative approach to securing technology and the supply chains which underpin it. It is the only route to ensuring the safety of the sensitive government data and operations that we care so passionately about designing, building, and maintaining.


techUK’s National Security Week 2024 #NatSec2024

The National Security team are delighted to be hosting our annual National Security Week between Monday, 22 January 2024, and Friday, 26 January 2024.


Authors

James Patrick

Solutions Architect, Zaizi