Castles vs. Coalitions: How militaries protect their estates from supply chain cyber attacks
There has been a string of front page supply chain cyber attacks infiltrating what we thought were some of the most secure cyber-estates in the world. A supply chain attack is where hackers attack a target indirectly through a supplier. For example, rather than trying to hack NATO directly (very hard), a group of Russian hackers got into commonly used pieces of IT infrastructure including SolarWinds, Microsoft, and VMware (less hard), then waited until targets like NATO, the UK Government, and the EU Parliament implemented that software in the normal course of IT operations.
This was even more impressively demonstrated in the hack of Kaseya by the Ransomware-as-a-Service (RaaS) provider REvil. This allowed access not only to thousands of Kaseya’s direct customers but also millions of customers of the service providers who used Kaseya. The majority of the victims were hacked through a company they’d not heard of and with whom they had no direct relationship. Scary times.
The net result is that you are vulnerable to hacks not just via your suppliers but also via companies you don’t directly do business with, “and 100 other companies you’ve never heard of. It’s really scary. And that’s why supply chain attacks are so alarming.” — Joseph Menn, Reuters Cyber Security Reporter.
Hackers Have Problems Too: Competition, Compliance, and Regulation among Ransomware-as-a-Service (RaaS) Providers
With such visible success, you might think it’s happy days for RaaS providers. You’d be wrong. The success of RaaS is actually causing problems on two fronts.
First, competition follows success. “Customers go to competitors who dump the rates. Of course, this is unpleasant, but this is competition. It means that we need to make sure that people return. Give them what others don’t.” — Interview with REvil. RaaS providers like REvil, Darkside, BlackMatter, LockBit, BABUK, and Avaddon are forcing each other to compete for business on price, features & functionality, speeds & feeds, and customer service — just like any legitimate tech company. Who doesn’t recognise REvil’s complaint about competition dropping their prices, buying the business, and forcing sales to find greater differentiation?
Hackers may break the laws of nations, but they remain powerless to break the laws of capitalism.
Second, like any fast-growth tech industry, RaaS has come under increasingly severe regulatory scrutiny. You might laugh and think career criminals who exist by breaking the law needn’t bother with US regulations. You’d be wrong again. Darkside moved servers to a more “sustainable” location in Iran, partially because they were less likely to get shut down, but also because of Iran’s burgeoning investments in sustainable energy.
Crime and conservation — one can be greedy and green at the same time. However, they had to backtrack when companies were no longer able to pay them ransoms — not because holding data hostage for ransom is illegal, but because paying the ransom might violate US sanctions against Iran!
This highlights a larger concern around compliance that any normal business would recognise. We assume legitimate companies try to commit no crime, while criminal enterprises commit as many crimes as possible. Both assumptions are false. Tech companies make a cost-benefit analysis of following the law all the time. New York is a very lucrative market, and both Uber and AirBnB launched there before it was strictly legal to do so. Banks employ aggressive rainmakers whose very virtue is their no-holds-barred approach. Their compliance departments then make judgements as to when the legal risk outweighs the reward of a given trade.
The success of ransomware has forced RaaS providers into the exact same cost-benefit calculation! In general, the bigger the target, the better, except when the target is so big it brings down the full wrath of the Biden administration (as did both the JBS and Colonial Pipeline hacks). In fact, both REvil and Darkside are no longer operational because of the reaction of the FBI and associated bodies. They were, in a way, destroyed by regulators just like Lehman Brothers or Standard Oil. The regulatory bodies simply had different initials.
“Imagine being the chief compliance officer at DarkSide. People constantly come to you with crimes, and you are commercial, you are like ‘sure go ahead do that crime,’ but occasionally you have to stop them and say ‘no the reputational risk of that crime is too great, we can’t do it,’ and the sales reps grumble that you are getting in the way of business. Just like at a bank!”
- Matt Levine, Bloomberg
In fact, RaaS providers now have long lists of targets they will not go after — the defence industry, hospitals, government, etc. — and have ethics and value statements like any other enterprise.
A quick look at BlackMatter’s About Us reveals a set of values you wouldn’t be surprised to see from Starbucks, Pepsi, AirBnB, or the Post Office: “Uniting people”, providing the “best service”, “honesty and transparency”, and “always fulfilling our obligations”.
Castles vs. Coalitions: Why this matters and what to do about it
The interplay of regulation, compliance, and cybercrime is not just amusing; it has a real impact on us. For the majority of us not in areas like critical infrastructure, hospitals, defence, and government, we now have a much larger target on our back than we did six months ago. There is a brisk and mature RaaS marketplace looking for its next victims, and they have said they are focused on English-speaking companies. I suspect from the fact that you read this far (thank you) that you speak English — that puts you in a higher risk category.
We traditionally think of cybersecurity similarly to medieval castles — we build up the best walls and defences around our own estate and treat the outside world with as little trust as possible. This is both important and effective but not sufficient. The best walls in the world do not protect us if hackers can poison the wells we source from the likes of Kaseya, SolarWinds, Microsoft, or RSA.
Craft works with three allied defence departments to solve precisely this problem. The US Department of Defence views cyber-security as a collaborative effort with their supply chain — a coalition like NATO rather than just a castle like Dunnottar. In NATO we agreed to protect even the smallest member states like Iceland with our full force because we realised Cold War security was a collective affair.
Similarly, in facing supply chain attacks we have, by definition, to treat cybersecurity as a collective effort with our suppliers.
But how do we do that? One traditional way to understand supplier risk is through surveys. The problems with this are that the survey results are 1) point-in-time: a supplier’s posture might change the next day, quarter, or year; and 2) biased: suppliers tend to tell you what you want to hear.
The US Department of Defence surveyed their supplier base on cybersecurity health. The results were fantastic: there were almost no reported vulnerabilities! So they came to Craft to verify their supply chain cyber risk. Craft built them an objective, external, measurable, and scalable view of their suppliers’ cybersecurity posture. They can monitor their suppliers’ vulnerabilities daily to see how they change over time. They can make targeted, evidence-based interventions based on this data.
Another national defence force is deploying a Craft solution to track their suppliers’ compromised assets on the deep, dark, and open webs and get an always-up-to-date view of their suppliers’ cybersecurity accreditations.
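To make the survey-versus-observation point concrete, here is a small added example (not Craft’s code or any product’s API) that tracks a supplier’s externally observed posture day over day, flags every regression, and lists the days on which a point-in-time “no vulnerabilities” survey answer no longer matched what was observable from outside. The supplier, the metrics and the observations are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

METRICS = ("open_critical_cves", "exposed_services", "leaked_credentials")

@dataclass
class Observation:
    """One day's externally observed posture for a supplier (higher is worse)."""
    day: date
    open_critical_cves: int      # critical CVEs on internet-facing assets
    exposed_services: int        # admin services reachable from the internet
    leaked_credentials: int      # staff accounts seen in credential dumps

@dataclass
class Supplier:
    name: str
    survey_date: date            # when the supplier answered the questionnaire
    survey_claims_no_vulns: bool # what they told us on that day
    observations: list = field(default_factory=list)

def regressions(supplier):
    """Every day-over-day change where a metric got worse: (day, metric, before, after)."""
    found = []
    obs = sorted(supplier.observations, key=lambda o: o.day)
    for prev, cur in zip(obs, obs[1:]):
        for m in METRICS:
            before, after = getattr(prev, m), getattr(cur, m)
            if after > before:
                found.append((cur.day, m, before, after))
    return found

def survey_contradictions(supplier):
    """Observation days on or after the survey where a 'no vulnerabilities' answer is false."""
    if not supplier.survey_claims_no_vulns:
        return []
    return sorted(o.day for o in supplier.observations
                  if o.day >= supplier.survey_date and o.open_critical_cves > 0)

# Constructed sample: a fictional supplier answered the survey on 1 July 2021, then was scanned weekly.
ACME = Supplier(
    name="Acme Widgets (constructed)",
    survey_date=date(2021, 7, 1),
    survey_claims_no_vulns=True,
    observations=[
        Observation(date(2021, 7, 1), 0, 1, 0),
        Observation(date(2021, 7, 8), 2, 1, 0),    # new critical CVE disclosed
        Observation(date(2021, 7, 15), 2, 3, 40),  # admin ports opened, creds leaked
    ],
)
```

Calling `regressions(ACME)` yields three regressions across two weeks, and `survey_contradictions(ACME)` shows the survey answer was already wrong one week after it was given; that drift is what a one-off questionnaire cannot surface.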
As supply chain cyber attacks become more sophisticated and common, relying on your castle will no longer be enough. You need a coalition. And creating that coalition begins with understanding who your suppliers are, where their strengths and weaknesses lie, and working together to create a stronger front line.
If you want to know more, I’d be happy to walk you through some strategies in detail. Don’t rely on your castle when what you need is a coalition.