In a software-defined, interconnected world, supply chain attacks are hard to ward off

February 15th, 2021 | by Alfred Siew

When a Wi-Fi router maker demonstrated how an end user could remotely control his home’s Internet access a few years ago at a media event, I was a little surprised.

Raising my hand, I asked who would want that kind of technology. Shouldn’t turning off remote access be the first thing you do when setting up your home router, to ward off unauthorised access?

I’d take that advice back now. Many of today’s Wi-Fi networks are software-defined, so they can be easily accessed via an app and controlled or even modified for different roles with a simple tap on your phone screen.

And it’s not just network equipment that has become software-defined, as part of a global move towards buying “standard” equipment available from many vendors and using a commonly available software stack to run whatever you need, from networking to storage.

Indeed, much of today’s infocomm infrastructure is software-defined or controlled. This includes the mega data centres that require almost no humans to physically change a disk and even “open” 5G networks that rely less on proprietary hardware than on easily available alternatives.

Therein lies an emerging problem as well. Because everything is interconnected and easily controlled remotely by software, one segment that has become increasingly attractive to hackers is the supply chain.

Since they can’t easily penetrate the hard fortress, hackers now attempt to go for the third-party vendors these victims depend on to run their infrastructure efficiently.

To get to United States government agencies last year, hackers who were likely state-sponsored attacked SolarWinds, the vendor that made the network monitoring software used by them and hundreds of other organisations around the world.

Because SolarWinds’ software gained so much access and insight into the workings of these organisations’ infrastructure, hackers could gather valuable intel to slowly find their way into their victims’ systems.

There’s another element that makes this type of attack difficult to defend against – trust.

Vendors such as SolarWinds are trusted for their own cybersecurity. They certainly should not be easy to breach, because so many customers rely on them for such a critical service.

Yet, if there’s a lesson that’s always worth repeating, it’s that nobody is safe from any attack.

Even FireEye, the much-respected cybersecurity company relied on by many Western companies, found itself breached late last year by a sophisticated attack utilising techniques that were not seen before.

The company has been open in disclosing how it was compromised – its “red team” tools used to test customers’ machines for vulnerabilities were stolen. What’s also clear is that even a top-notch supplier can be breached.

Just this past week in Singapore, Singtel was also impacted by a supply chain attack, where the compromise of one of its third-party vendors led to customers’ data being leaked.

The File Transfer Appliance (FTA) file-sharing system is a 20-year-old product from cloud-sharing company Accellion but it still contained data that was valuable enough to be stolen.

So, how do you ward off such supply chain attacks, which, though less common than other attacks, are often more invasive and possibly more damaging?

With so many systems all interconnected today, it’s too late to literally unplug the system and put the genie back in the bottle. That way, you are also DDoS’ing yourself or denying your own users access via a self-inflicted Distributed Denial of Service of sorts.

One example of our interconnected world is a typical webpage today. Look up the code behind it and you can find dozens of sources of data that have been pulled together to display that information on your Web browser.

Something similar is happening with the digital systems we are building to better make sense of data and tell us in real time what is happening in the real world.

Everything is interconnected, and we are trying to let software run the show to automate and control the “plumbing” of the infrastructure so we don’t have to.

Now, what if the artificial intelligence (AI) that is the ultimate “supplier” of the insights humans draw on to make decisions is compromised? Already, decisions made by AI are hard to unravel and explain; how much more so those made by a compromised AI?

This may seem farfetched but there appears to be an increasingly worrying trend that many experts are cautioning about (read an IEEE paper here on hacking AI).

For businesses, unfortunately, going digital is the only way forward. They have little choice except to keep reducing risk by bolstering defences as best as possible and to be prepared for a potential fallout by drawing up contingency plans, say, for a data breach.

This is the new reality: You not only have to worry about locking the gates at night – you have to hope that the lock maker you trust hasn’t been compromised, either.
