APAC Online Policy Forum IV on Strengthening ICT Supply Chain Resilience

Clarissa Leong, Public Affairs Manager, APAC, Kaspersky

Governments and enterprises across the Asia-Pacific region have been shoring up their cyber defenses amid the recent spate of cyberattacks. But our collective cybersecurity is only as strong as that of the weakest link.

Increasingly, cybercriminals are leveraging the interconnectedness of the global ICT supply chain to execute wide-scale, high-impact ICT supply chain cyberattacks, which often target software vendors or IT services companies with the intent to gain backdoor access to the systems of their clients, infecting thousands of systems in one go. When one part gets affected, a domino effect soon follows.

Given the scale of the impact and range of the stakeholders involved, who is responsible for the cybersecurity of our ICT supply chains? What is being done now, and what more can be done? On January 20 2022, Kaspersky convened a panel of decisions makers and experts to discuss the topic at our fourth APAC Online Policy Forum, featuring:

• Eugene Kaspersky | CEO, Kaspersky, as host;
• Shri Rajeev Chandrasekhar | Minister of State in the Ministry of Electronics and Information Technology, and the Ministry of Skill Development and Entrepreneurship, India;
• Dato’ Ts. Dr. Haji Amirudin Abdul Wahab | Chief Executive Officer of CyberSecurity Malaysia;
• Pratama Persadha | Chairman of the Communication & Information System Security Research Center (CISSReC), Indonesia; and
• Genie Sugene Gan | Head of Government Affairs, APAC, Kaspersky, as moderator.

In his opening address, Eugene Kaspersky noted the presence of a new wave of cyberattacks in the last two years that has exploited critical vulnerabilities in the ICT supply chain. As threat actors evolve their techniques, we can expect the frequency of ICT supply chain attacks to grow in 2022 and beyond. Therein lies an urgent need to act.

On that note, panelists dove deep into the “how” of strengthening ICT supply chain resilience, with the three key takeaways summarized below:

A. Strong governance and robust regulations

In view of the results of Kaspersky’s LinkedIn poll, where more than 300 respondents selected governments and multinational corporations as the top two entities (besides small and medium businesses and individuals) responsible for ICT supply chain resilience, Minister Rajeev Chandrasekhar reiterated the integral role that governments play – in light of the significance of the internet and technology to the overall economy, the onus falls on governments to ensure an open, inclusive, safe and trusted cyberspace. This responsibility should not be outsourced to anyone else.

To this end, the Minister outlined India’s approach to raise cybersecurity awareness and expertise at all levels across government and the private sector. India also imposed regulations that requires accountability from platforms on various issues (including cybersecurity), and empowers the government to investigate and prosecute breaches where necessary. He added that central to the strategy was partnership: cross-border collaboration for a coordinated effort against cybercriminals.

This sentiment of government responsibility was also shared by the other panelists – Dato Dr. Amirudin agreed that ICT supply chain resilience is not a one-man show, and Dr. Pratama Persadha added that leadership was important for signaling the importance of the issue.

B. Building cyber awareness

In light of seemingly conflicting results where the majority of respondents considered ICT supply chain resilience to be very important, but the majority did not really worry about our ICT supply chains, Dr. Pratama questioned the extent to which individuals understood the concept of ICT supply chains, let alone the modus operandi and potential impact of cyberattacks on the supply chain.

Additionally, Dato Amirudin highlighted the need for SMEs to also pay attention to cyber resilience. Given the important role of SMEs as the backbone of various sectors, a cyberattack targeting the group could potentially send a ripple effect across the industry. While the finance and telecommunication sectors in Malaysia have been hardest hit, it was important for businesses across sectors to invest in cybersecurity in view of the growing digitalization across the entire economy.

To this end, Dato Amirudin shared Malaysia’s holistic approach to strengthen cybersecurity, by focusing on people, process and technology, for instance through CyberSecurity Malaysia’s SiberKASA program, where the focus on “people” manifests in awareness, education and training across all functions within an organization from management to technical practitioners, through programs including vulnerability assessment, malware scanning, and assessment of risk and compliance.

C. The road to achieving cyber immunity

In considering strategies, Eugene Kaspersky shared his vision of cyber immunity, where systems are designed from the outset to ensure that any vulnerability in one component cannot be exploited to compromise the rest of the system.

At the same time, the panelists agreed on the need for interim measures, even as we work toward the dream of cyber immunity. For example, Eugene recommended that companies design processes/ structures to hold third party vendors/supply chain partners accountable to baseline cybersecurity standards (e.g., certification). Noting that the estimated value of loss from ICT supply chain attacks has amounted to more than USD 400 million, Dr. Pratama opined that the first priority for Indonesia was to establish regulations, as a push for organizations and individuals to take the matter seriously and protect their systems.

The Minister shared that an intermediate milestone for India was to develop a sense of safety and trust in technology/cyberspace across society – there will inevitably be cyber incidents as countries digitalize, but safety and trust are core to supporting digitalization and working together to strengthen cyber defenses and prosecute those who threaten them.

Concluding Remarks

To conclude the Forum discussion, Genie asked each of the speakers to finish a different open-ended question, seeking to capture the essence of their views on the subject matter.

Minister Chandrasekhar: “ICT supply chain cyber resilience is as important a goal for all of us who are working and prospering online as connecting people through the internet.”

Dato Amirudin: “ICT supply chain cyber resilience is not a one-man show – in the currently digital environment, no entity can work alone – so collaboration is key.”

Dr. Pratama: “To strengthen ICT supply chain cyber resilience, we must grow together; we need to cooperate and grow collectively to combat the growing threat actors.”

Eugene Kaspersky: “In the context of today’s topic of discussion, the future of cybersecurity is a great many projects to do, and I’m happy to be a part of that.”

A full recording of the Forum can be viewed here: https://kas.pr/px22

Documents prepared by the speakers can be found here:

Dato Dr. Amirudin: https://box.kaspersky.com/f/cb789106baa545c3b7af/?dl=1

Dr. Pratama Persadha: https://box.kaspersky.com/f/f9b029db5c0440dea354/?dl=1