Castles vs. Coalitions: How militaries protect their estates from supply chain cyber attacks
Over the past few years, we’ve seen a string of front-page supply chain cyber attacks. A supply chain attack targets victims indirectly through a supplier. For example, rather than trying to hack NATO directly (very hard), a group of Russian hackers got into commonly used pieces of IT infrastructure including SolarWinds, Microsoft, and VMware (less hard), and then waited until targets like NATO, the UK Government, and the EU Parliament implemented that software in the normal course of IT operations.
This was even more impressively demonstrated in the hack of Kaseya by the Ransomware-as-a-Service (RaaS) provider REvil. This allowed them access not just to thousands of Kaseya’s direct customers, but also millions of customers of the service providers who used Kaseya (a second order supply chain attack).
An attack that partially shut down the gas supply to the entire eastern seaboard in May of 2021.
This means you are not only vulnerable to hacks via your suppliers, but also via companies you don’t directly do business with “and 100 other companies you’ve never heard of. It’s really scary. And that’s why supply chain attacks are so alarming.” — Joseph Menn, Reuters Cyber Security Reporter.
Hackers Have Problems Too: Competition, Compliance, and Regulation among Ransomware-as-a-Service (RaaS) Providers
With such visible success, you might think it’s happy days for RaaS providers. But, in reality, you’d be wrong. The success of RaaS is actually causing problems on two fronts.
First, competition follows success. “Customers go to competitors who dump the rates. Of course, this is unpleasant, but this is competition. It means that we need to make sure that people return. Give them what others don’t.” — Interview with REvil.
RaaS providers like REvil, Darkside, BlackMatter, LockBit, BABUK, and Avaddon are forcing each other to compete for business on price, features & functionality, speeds & feeds, and customer service — just like any legitimate tech company. Who doesn’t relate to REvil’s complaint about competition dropping their prices, buying the business, and forcing sales to find greater differentiation? Hackers can break the laws of nations, but they are still powerless against the laws of capitalism.
Second, like any fast-growing tech industry, RaaS has come under increasingly severe regulatory scrutiny. You might laugh and think career criminals who exist by breaking the law needn’t bother with US regulations. But you’d be wrong again. Darkside moved servers to a more “sustainable” location in Iran, partially because they were less likely to get shut down, but also because of Iran’s burgeoning investments in sustainable energy. Crime and conservation — one can be greedy and green at the same time. However, they had to backtrack when companies were no longer able to pay them ransoms — not because holding data hostage for ransom is illegal, but because paying the ransom might violate US sanctions against Iran!
This highlights a larger concern around compliance that any normal business would recognise. We assume legitimate companies try to commit no crime, while criminal enterprises commit as many crimes as possible. Both assumptions are false. Tech companies make a cost-benefit analysis of following the law all the time. New York is a very lucrative market, and both Uber and Airbnb launched there before it was strictly legal to do so. Banks employ aggressive rainmakers whose very virtue is their no-holds-barred approach. Their compliance departments then make judgements as to when the legal risk outweighs the reward of a given trade.
The success of ransomware has forced RaaS providers into the exact same cost-benefit calculation! In general, the bigger the target the better, except when the target is so big it brings down the full wrath of the Biden administration (as did both the JBS and Colonial Pipeline hacks). In fact, both REvil and Darkside are no longer operational because of the reaction of the FBI and associated bodies. They were, in a way, destroyed by regulators just like Lehman Brothers or Standard Oil. The regulatory bodies simply had different initials.
“Imagine being the chief compliance officer at DarkSide. People constantly come to you with crimes, and you are commercial, you are like “sure go ahead do that crime,” but occasionally you have to stop them and say “no the reputational risk of that crime is too great, we can’t do it,” and the sales reps grumble that you are getting in the way of business. Just like at a bank!” - Matt Levine, Bloomberg
In fact, RaaS providers now have long lists of targets they will not go after — the defence industry, hospitals, government, etc. — and have ethics and value statements like any other enterprise.
Rules, ethics, and values from BlackMatter in response to the regulatory pitfalls REvil and Darkside fell into.
A quick look at BlackMatter’s rules, ethics, and values reveals a set of values you wouldn’t be surprised to see on the “About Us” page of Starbucks, Pepsi, Airbnb, or the Post Office: “Uniting people”, providing the “best service”, “honesty and transparency”, and “always fulfilling our obligations”.
Castles vs. Coalitions: Why this matters and what to do about it
The interplay of regulation, compliance, and cybercrime is not just entertaining, but has a real impact on us. For the majority of us not in areas like critical infrastructure, hospitals, defence, and government, we now have a much larger target on our backs than we did six months ago. There is a brisk and mature RaaS marketplace looking for its next victims, and they have said they are focused on English-speaking companies. The fact you’ve made it this far in my post (thank you) attests to your English speaking and reading capabilities — that puts you at higher risk.
We traditionally think of cybersecurity similarly to medieval castles — we build up the best walls and defences around our own estate and treat the outside world with as little trust as possible. This is both important and effective, but insufficient. The best walls in the world do not protect us if hackers can poison the wells we source from the likes of Kaseya, SolarWinds, Microsoft, or RSA.
Dunnottar Castle in Scotland
Craft, the most comprehensive intelligence platform, works with three allied defence departments to solve precisely this problem. The US Department of Defense views cyber-security as a collaborative effort with their supply chain — a coalition like NATO rather than just a castle like Dunnottar. In NATO, we agreed to protect even the smallest member states like Iceland with our full force because we realised Cold War security was a collective affair.
Some threats, like the Soviet Union in the Cold War, require a collective response.
Similarly, in facing supply chain attacks, we have to treat cybersecurity as a collective effort with our suppliers.
One traditional way to understand supplier risk is through surveys. The problems with this are that the survey results are 1) retrospective (a supplier’s posture might change the next day, quarter, or year), and 2) biased — suppliers tend to tell you what you want to hear.
The US Department of Defense issues surveys to their supplier base to measure their cybersecurity health. The results were fantastic. There were almost no reported vulnerabilities! So they came to Craft to verify their supply chain cyber risk. Craft built them an objective, external, measurable, and scalable view of their suppliers’ cybersecurity posture. They can monitor their suppliers’ vulnerabilities daily to see how they are changing over time. They can make targeted, evidence-based interventions based on this data.
We can see SolarWinds’ security posture objectively improve since the hack in 2020. In 2020 its security posture hovered around a “D”, making it six times more likely to suffer a breach. Today that rating sits at 93 out of 100, an A rating.
Another national defence force is deploying a Craft solution to track their suppliers’ compromised assets on the deep, dark, and open webs, and to get an always up-to-date view of their suppliers’ cybersecurity accreditations.
As supply chain cyber attacks become more sophisticated and common, relying on your castle will no longer be enough. You need a coalition. And creating that coalition begins with understanding who your suppliers are, where their strengths and weaknesses lie, and working together to create a stronger front line.
Footnote: Craft is the leading supplier intelligence platform that helps supply chain and procurement professionals discover, evaluate, and monitor suppliers to create stronger supply chain resilience by making it easy to find, consume, and act on supplier data. Craft’s partnerships with SecurityScorecard, D&B, CSRHub, and more deliver holistic, validated supplier data that drives the ability to predict risk, mitigate disruption, and identify opportunity. Learn more at enterprise.craft.co