NATO Review: Securing Britain’s and NATO’s digital supply chains

By Chris Luenen, Haydn Brooks

14 October 2024

In his first press conference following the elections, the United Kingdom’s new Prime Minister Sir Keir Starmer stressed the UK’s “unshakable” commitment to NATO and that his government’s “first duty” must be security and defence. As part of this commitment, a significant focus should be placed on securing Britain’s and other NATO Allies’ digital supply chains against stepped up cyber attacks by threat actors determined to breach our critical national infrastructure.

Just one week after his election, Prime Minister Starmer attended his first NATO summit, which took place in Washington D.C. in July. At the summit, he emphasised Britain’s “unwavering commitment” to the Alliance and announced that the UK would conduct a Strategic Defence Review and raise its defence spending to 2.5% of GDP. Also in July, Starmer’s government set out its plan to introduce a new Cyber Security and Resilience Bill, which is widely regarded as a UK equivalent to the new EU Network and Information Systems Directive 2 (NIS2) that will take effect from 18 October 2024.

Starmer’s election as Britain’s new PM and the NATO summit both took place at a time of rapidly rising geopolitical tensions, with Russia and China in particular increasingly moving beyond engaging in economic and regional proxy conflicts with the West, and targeting NATO Allies more directly through cyber attacks. These attacks are no longer limited to cyber espionage campaigns either. They are increasingly aimed more directly at disrupting and harming our economies, or designed as stealth operations to infiltrate, and then lay dormant, in our critical national infrastructure or even national security institutions, waiting to be triggered in the event of escalating tension.

As the US Cybersecurity & Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned earlier this year in a joint advisory, the People’s Republic of China’s (PRCs) “state-sponsored cyber actors are seeking to pre-position themselves on information technology (IT) networks for disruptive cyberattacks against US critical infrastructure in the event of a major crisis or conflict with the United States.” This was followed by a threat alert from the UK National Cyber Security Centre (NCSC), also highlighting the escalated threat emanating from cyber attacks by state-sponsored threat actors against UK Critical National Infrastructure.

Attacks against our digital supply chains are on the rise

While media attention has focused on state-sponsored disinformation campaigns and the targeting of our democratic institutions, attacks against digital supply chains – comprised of all external suppliers, partners, and service providers to our governments and operators of critical national infrastructure – pose a less visible but very significant threat.

The European Union Agency for Cybersecurity (ENISA) predicts that by 2030 ‘Supply Chain Compromise of Software Dependencies’ will become the leading cyber threat facing organisations, while the Identity Theft Resource Center reported in their 2023 Annual Data Breach Report that the number of organisations impacted by supply chain attacks has increased by more than 2600 percentage points over the past five years alone.

The potential fallouts from supply chain attacks can be enormous, and could threaten entire sectors of the economy, create the next financial crisis, or even undermine national security, as the following examples highlight.

It recently emerged that hackers, suspected of being linked to Chinese state authorities, breached a payroll provider to the UK Ministry of Defence, exposing the names, bank details and addresses of potentially 270,000 current and former members of the UK defence forces. Meanwhile, in June, the Dutch National Cyber Security Centre announced that Chinese-linked hackers had “gained access to at least 20,000 FortiGate systems worldwide within a few months in both 2022 and 2023” and that targets “include dozens of (Western) governments, international organizations and a large number of companies within the defence industry.” And recently, the UK NCSC and its Five Eyes Allies issued another threat alert about a botnet consisting of over 260,000 compromised devices worldwide, believed to be managed by a company in China with links to the Government that was used by the Chinese threat actor Flax Typhoon to interfere with critical infrastructure, “primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors”.

There are two main reasons for the increase in attacks on supply chains. The first is more outsourcing of often critical business functions to third parties in the process of ongoing digitalisation efforts. The second reason is that the cyber security defences of individual organisations, especially those operating in critical national infrastructure and in highly regulated sectors generally, as well as those of national security organisations, are actually fairly strong. Picture © Enterprise Viewpoint

But these are only some of the latest examples. The SolarWinds campaign in 2020, considered by many leading experts as the largest cyber attack perpetrated thus far, is a case in point. SolarWinds is the provider of the Orion IT management and monitoring software, used by thousands of government and private sector clients globally. The very nature of a tool like this is that it has to be deeply integrated into the systems and operational processes of the organisations using it, thus having access to extremely sensitive information, including system log and performance data. The hackers, believed to be linked to Russia’s foreign intelligence service SVR, managed to insert malicious code into an Orion software update. As clients updated their software, they unwittingly installed this malicious code in their IT environments, creating a backdoor through which the attackers could access SolarWind clients’ systems and data directly, in what is known as an onward attack.

The fallout from this supply chain attack was enormous. Around 18,000 SolarWind customers allegedly installed the compromised software update, affecting many, including US federal agencies like Homeland Security, the State Department, and Treasury, as well as tech giants such as Microsoft, Intel, and CISCO.

Why supply chain attacks are increasing

These weak links are often found in organisations’ extensive networks of suppliers and business partners, whose software or hardware are either deeply integrated into their own internal systems and processes, or which handle sensitive data, including employee data, on their behalf externally. They can range from external payroll, legal and pension services to productivity and collaboration tools, cloud providers or cyber security solutions, to name just a few, and which in aggregate make up our digital supply chains. These outsourcing relationships have created a complex set of dependencies and introduced weaknesses that attackers are increasingly exploiting.

However, the chain doesn’t stop with these so-called third-party, or direct, suppliers. They, in turn, depend on a network of often hundreds of other organisations for the provision of their own services, and the list goes on. When the Russian threat actor ClOP exploited the MOVEit Transfer vulnerabilities in 2023, for example, many of the thousands of high-profile victims did not even use MOVEit Transfer themselves. They were impacted (i.e. their or their customers’ data were exfiltrated) through suppliers like the HR and payroll solutions software Zellis or PBI Research Services, a widely used research information resource in the financial industry, which were using MOVEit Transfer to process their clients’ data.

We need a new approach

Given these rising risks, what can NATO Allies and the Alliance as a whole do to harden security against large-scale supply chain attacks?

One of the main problems with supply chain risks is the focus on individual organisations’ cyber security safeguards. To achieve meaningful supply chain security, however, we need a new approach based on enhanced collaboration. The UK government, for example, has already taken the first steps with the Defend As One approach, outlined in its recent Government Cyber Security Strategy. This approach envisions harnessing “the value of sharing cyber security data, expertise and capabilities across its (the UK public sector) organisations to present a defensive force disproportionately more powerful than the sum of its parts.”

This is a step in the right direction that implicitly acknowledges the biggest roadblock to enhanced cyber security, namely the siloed, ‘every man and woman for themselves’ approach. But we need to go further. Organisations are linked, whether they like it or not, and the responsibility for preventing cyber attacks must be shared by the entire ecosystem. No one can do it alone. Regulators also have an important role to play. We must move away from a culture of assurance, threats and fines, to one where organisations supporting our critical national infrastructure, national security agencies, private sector partners and all critical suppliers come together to collaboratively defend against supply chain attacks and strengthen the overall resilience of the entire ecosystem.

This could take the form of virtual national security operations centres (SOCs) for the supply chain, loosely modelled on the UK Cyber Government Security Centre (Cyber GSeC), the Government Cyber Coordination Centre (GCCC) or the UK NCSC-led comprehensive security operations centres (SOCs). Within these SOCs for the supply chain, organisations with large security operations and strong expertise in hunting, detecting and responding to attacks, for example, should rally around their smaller partners and suppliers to protect the whole system, supporting them with their advanced expertise and resources.

In the context of a more NATO-wide collaboration, these national SOCs could then work in conjunction with the new NATO Integrated Cyber Defence Centre (NICC) and its Virtual Cyber Incident Support Capability (VCISC), which are valuable additions to NATO’s overall cyber defence capabilities, and will ensure more ready and equal access across all members of the Alliance to up-to-date threat intelligence and, crucially, operational and technical support during incidents.

The NICC was only recently agreed at the 2024 NATO Summit in Washington, D.C., and will be located at NATO’s strategic military headquarters at SHAPE in Belgium. Its remit will be “the protection of NATO and Allied networks and the use of cyberspace as an operational domain” and to “inform NATO military commanders on possible threats and vulnerabilities in cyberspace, including privately-owned civilian critical infrastructures necessary to support military activities”. The new Centre will thus be focussing on providing relevant threat intelligence to improve military decision-making as well as to “increase our situational awareness in cyberspace and enhance collective resilience and defence”.

The VCISC on the other hand, which was launched at the 2023 NATO Summit in Vilnius, will concentrate on improving NATO Allies’ incident response capabilities by supporting “national mitigation efforts in response to significant malicious cyber activities.” The new Capability will allow Allies to request support and receive cyber assistance in a crisis without invoking Article 5, but also get quick access to technical expertise, assistance and information sharing during incidents.

These new NATO capabilities could significantly increase expertise and resources to the proposed national SOCs for the supply chain, while laying the basis for a potential future integrated and NATO-wide SOC for the supply chain.

Similar to how NATO has achieved a “one for all, all for one” approach to defending the Alliance’s shared security, so must the Alliance and its members’ national security establishments, regulators, organisations and their suppliers come together to address the real and imminent threat posed by the proliferating, yet often opaque, rise of attacks against our digital supply chains.

—

What is published in NATO Review does not constitute the official position or policy of NATO or member governments.

NATO Review seeks to inform and promote debate on security issues. The views expressed by authors are their own.

About the Authors

Chris Luenen, Deputy Director & Head of the Geopolitics Programme, Global Policy Institute (GPI London)
Haydn Brooks, CEO, Risk Ledger

Source – NATO Review

Cookie	Duration	Description
__stripe_mid		This cookie is set by Stripe payment gateway. This cookie is used to enable payment on the website without storing any patment information on a server.
__stripe_sid		This cookie is set by Stripe payment gateway. This cookie is used to enable payment on the website without storing any patment information on a server.
_abck		This cookie is used to detect and defend when a client attempt to replay a cookie.This cookie manages the interaction with online bots and takes the appropriate actions.
_wpfuuid		This cookie is used by the WPForms WordPress plugin. The cookie is used to allows the paid version of the plugin to connect entries by the same user and is used for some additional features like the Form Abandonment addon.
ASP.NET_SessionId		Issued by Microsoft's ASP.NET Application, this cookie stores session data during a user's website visit.
AWSALBCORS		This cookie is managed by Amazon Web Services and is used for load balancing.
bm_sz		This cookie is set by the provider Akamai Bot Manager. This cookie is used to manage the interaction with the online bots. It also helps in fraud preventions
cookielawinfo-checbox-analytics		This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional		The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others		This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary		This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance		This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
elementor		This cookie is used by the website's WordPress theme. It allows the website owner to implement or change the website's content in real-time.
JSESSIONID		Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
viewed_cookie_policy		The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga		The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_4L7PKQPHHV		This cookie is installed by Google Analytics.
_ga_T50H0MNN9J		This cookie is installed by Google Analytics.
_gat_gtag_UA_12289088_5		Set by Google to distinguish users.
_gcl_au		Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid		Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
_mcid		No description available.
_swa_u		This cookie is set by the provider Sitewit.com. This cookie is used for statistical report and analysis.
ak_bmsc		No description available.
AWSALB		AWSALB is a cookie generated by the Application load balancer in the Amazon Web Services. It works slightly different from AWSELB.
ec_store_chameleon_font		No description available.
FCCDCF		No description available.
issuem_lp		No description available.
lp_us_his		No description
m		No description available.