A multipronged approach to protect ICT supply chains from cyberattacks

Genie Sugene Gan, Head of Public Affairs for Asia Pacific, Kaspersky

Cyberattacks on Information and Communications Technology (ICT) supply chains are on the rise. This is dangerous as vulnerabilities can be introduced at any phase of the ICT life-cycle, from design through development, production, distribution, acquisition and deployment to maintenance. Upon successful infiltration, cybercriminals conduct cyber espionage, steal data and intellectual property, or extort money through ransomware attacks.

This can affect governments, enterprises, and the public. An attack on a grocery chain can force the temporary closure of scores of supermarkets, or a virus may be unleashed on millions of PC users through a software update, or an attack on systems providing health care or public utilities may disrupt the provision of these essential services.

What recent attacks have in common is their modus operandi. Hackers target software vendors or information technology (IT) companies to gain backdoor access to the systems of their clients, infecting thousands of systems in one go. When one part gets affected, a domino effect soon follows.

Recognising the risks and impact of supply chain cyberattacks, countries are taking action. Since 2020, national cybersecurity strategies have either been released or updated across Asia-Pacific, including in Singapore, Malaysia, Australia and Japan.

In India, too, there is a focus on a national cybersecurity strategy. The National Security Council Secretariat has just launched its Indian Citizens Assistance for Mobile Privacy and Security project with the aim of creating create an application programming interface to support Indian internet users in mitigating vulnerabilities in their mobile handsets. The government is also engaging with startups and academia to help address cyber challenges. At a recent event, IT minister Ashwini Vaishnaw urged “youngsters, start-ups, academia and industry veterans [to] look at this from a much bigger scale” given the magnitude of digitisation in the past few years.

There have been attempts to intervene at the national, bilateral, regional, and global level. Nationally, some governments have focused on protecting ICT supply chains of Critical Information Infrastructure (CII). For instance, in 2018, the United States (US) department of homeland security established the ICT Supply Chain Risk Management Task Force, a public-private partnership to develop a consensus on risk management strategies to enhance global ICT supply chain security. There have been similar attempts in Australia and Singapore.

In the multilateral realm, United Nations (UN)-anchored bodies (such as the UN Group of Governmental Experts and Open-ended Working Group^[1]) or conferences (such as the UN Internet Governance Forum) provide opportunities to develop a consensus around cyber processes, norms and security.

India, too, is taking the lead in promoting cybersecurity through various initiatives in this year alone. In September, the government led discussions on cyber resilience with 30 countries at the International Cybersecurity Forum, focusing on how countries can best defend against ransomware. Bilaterally, India invited Australia to a joint working group on cybersecurity cooperation in June, and a senior officials’ cyber dialogue in July the same year. In November, India hosted the second India-New Zealand bilateral cyber dialogue where the two countries agreed to work together on cybersecurity and capacity-building. India has also established agreements with Japan, Israel, Bahrain, Britain and the countries of the Association of South East Asian Nations (ASEAN).

While each of these platforms plays an important role in building consensus, it is imperative to have more targeted conversations on global ICT supply chain resilience.
Nationally, governments must continue to drive nationwide efforts to establish a baseline level of cybersecurity across sectors through laws, regulations, guidelines, training requirements and awareness-building.

Given the integrated nature of ICT supply chain resilience, there is a need to develop core principles, technical standards and regulatory frameworks to ensure a consistent level of cybersecurity. Businesses that develop products and maintain systems must lead the way, with transparency across software supply chains to ensure the integrity and trustworthiness of digital infrastructure.

[1] Kaspersky has been actively supporting the UN OEWG and its work aimed at strengthening stability in cyberspace. One of our recent contributions was a submission to the First Substantive Session of the 2021 – 2025 OEWG on developments in the field of ICT in the context of international security and peace which can be read here.