How to strengthen ICT supply chains against cyberattacks

The last two years have seen huge digitisation take place in Asia-Pacific, including India, brought on by the challenges from the COVID-19 pandemic. Companies had to rapidly deploy technology measures to facilitate work-from-home arrangements, sometimes at the expense of cybersecurity. As a result, information and communications technology (ICT) supply chain  cyberattacks rose, while Kaspersky expects a continued upward trend in 2022 in view of the  potential value of such attacks if malicious actors manage to gain access to a large number of  targets.

India’s National Security Agency saw a 500 per cent increase in cyberattacks since the  pandemic began, with the agency detecting four million incidents of malware per day. Attacks  were mostly targeted at the telecom, financial, transportation and energy sectors. In 2021, India suspected two major cyberattacks that caused a widespread power outage in Mumbai and halted trading at the National Stock Exchange for three hours. The increase in attacks could be attributed to India’s large digital attack surface, with 1.15 billion phones and upwards of 700 million Internet users in the country. Upon successful infiltration, cybercriminals enjoy free rein to conduct cyber espionage, steal data and intellectual property, or extort money through ransomware attacks, which have been on the rise.

While the impact on governments and enterprises may feature more prominently, the wider public is not spared. An attack on a grocery chain could force the temporary closure of scores of supermarkets, or a virus may be unleashed on millions of PC users through a software update. Taking it further, the compromise of systems providing healthcare or public utilities  may disrupt the provision of these essential services. The impact of these breaches is also set to grow, given the increasing interconnection of IT systems across organisations, sectors, and countries.

Current Responses 

Recognising the risks and impact of ICT supply chain cyberattacks, governments are taking  action. The Minister of State for Electronics and Information Technology, Shri Rajeev  Chandrasekhar, while speaking at Kaspersky’s Asia-Pacific Online Policy Forum in January 2022, outlined the Government of India’s vision to build a safe and secure cyberspace for all.  He reiterated that the responsibility of securing the ICT supply chain lies with the government, and a core part of that strategy is cross-border collaboration with all stakeholders.  

India has been actively promoting cybersecurity collaborations with global partners. The government led multilateral discussions on cyber resilience with 30 countries at the International Cybersecurity Forum. While, bilaterally, India has established agreements with Australia, Bahrain, Israel, Japan, the UK, and ASEAN countries on cybersecurity cooperation. 

While each of these platforms plays an important role in building consensus, exchanging  knowledge and best practices, and harmonising standards, it is imperative to have more  targeted conversations on global ICT supply chain resilience moving forward, given the wide ranging types of actors and global impact involved.  

On the domestic front, India is working on developing a national cybersecurity strategy. In  parallel, the government has taken steps to engage its digital citizens – the National Security  Council Secretariat released its Indian Citizens Assistance for Mobile Privacy and Security CAMPS) project in November 2021 with the aim of creating an Application Programming Interface to support Indian internet users mitigate vulnerabilities in their mobile handsets. In order to strengthen the telecoms sector, the government took out a National Security Directive on trusted sources and products, which could be used for the delivery of telecom services in the country. These steps are all commendable in creating a secure and safe cyberspace.  

Recommendations 

As the cybersecurity landscape evolves rapidly, governments must continue to drive nationwide efforts to establish a baseline level of cybersecurity across sectors through laws, regulations, guidelines, training requirements and awareness building.  

Given the integrated nature of ICT supply chain resilience, there is a particular need to develop core principles (e.g., security-by-design), technical standards and legislative/regulatory frameworks to ensure a consistent level of cybersecurity and accountability across stakeholders. Self-assessment tools and guidelines can also be published by the government to help businesses implement policies on the ground. For example, in 2018, the U.S. Department of Homeland Security established the ICT Supply Chain Risk Management Task Force, a public-private partnership to develop consensus on risk management strategies for the global ICT supply chain. The Task Force has since released guidelines on the sharing of supply chain risk information, and risk considerations for managed service provider customers. 

Raising awareness and education across all sectors involved in the ICT supply chain is  also imperative. This includes providing training and resources to small and medium enterprises that lack the budget and technical know-how to improve their cybersecurity  defences. Start-ups and small and medium enterprises (SMEs) remain a vulnerable segment  when it comes to cyberattacks, and the community can do more to support them in light of the  wide-reaching impact of ICT supply chain attacks. For instance, the Malaysian government in  June 2021 developed a cybersecurity program for SMEs known as Matrix. Based on a three pronged strategy, it firstly provides 24-hour cybersecurity surveillance to discover and flag  attacks to business operations. Second, it provides critical asset protection, deploying  measures against attacks on servers. And third, it continuously assesses vulnerabilities and  gaps as cyberthreats evolve. 

Conclusion 

Cybersecurity is everyone’s business because our collective cybersecurity is only as strong  as that of the weakest link among us. To remain ahead of the game, a holistic approach  involving all stakeholders is required. We must look beyond playing catch-up and reacting to cyberthreats as they arise. 

It is imperative to take a long-term approach in designing the cybersecurity ecosystem, which  includes building a strong talent pipeline to meet the needs of CERTs, forensic analysis teams  and IT departments, and designing critical information infrastructure that is secure-by-design. In the short term, governments can undertake the steps discussed above to improve procedures and regulations for ICT supply chain resilience.

Views are personal. The author is Head of Government Affairs, Asia-Pacific Kaspersky