Securing Public Sector Supply Chains: Moving Beyond Third-Party Risk Management
The NCSC issued a threat alert in April, warning of escalated threats emanating from cyber attacks by state-sponsored threat actors against UK Critical National Infrastructure. This coincided with a speech by Cabinet Office minister Oliver Dowden at CyberUK in Belfast, in which he stated that the UK was facing a new adversary, “the cyber equivalent of the Wagner group”. These Russian-aligned groups, he explained, initially “focused their attacks on Ukraine and the surrounding region. But recently, they have begun to turn their attention to the UK and its allies”.
But even beyond the rising threat from state-sponsored attacks against the UK, the public sector has long been a prime target of a wide range of threat actors. In fact, 40% of all incidents managed by the National Cyber Security Centre between September 2020 and August 2021 were aimed at the public sector, while a freedom of information request from last year revealed that local authorities faced as many as 10,000 cyber attacks every day.
Many of these take the form of attacks on the weakest possible link in an organisation’s cyber security posture, often its supply chains. Supply chain attacks have become one of the leading cyber threats facing organisations, and can be among the most devastating, as prominent examples such as the SolarWinds (2020), Log4j (2021) and the recent MOVEit Transfer (2023) supply chain attacks attest.
The UK public sector has already found itself at the sharp end of these attacks, for example last year, when the NHS was affected by a breach at one of its suppliers, Advanced, causing serious disruption to its NHS 111 services.
Supply chain security in the new Government Cyber Security Strategy
The UK Government is very much aware of the scale of the threat, and has taken a determined leadership role in addressing it. This is evident in the new National Cyber Security Strategy 2022 and the subsequent Government Cyber Security Strategy 2022-2030, which is specifically aimed at strengthening the resilience of the public sector.
As part of this strategy, the Government provides public sector organisations with a range of best practice guidance and principles for enhanced supply chain risk management, including through GovAssure, a new cyber security assurance scheme for the public sector that is underpinned by the NCSC’s Cyber Assessment Framework (CAF). This is all good news, and the guidance places the right emphasis on the need for:
- improved understanding of suppliers and their dependencies;
- central mapping of government’s critical and common suppliers, not least in order to identify and manage systemic and aggregate supply chain risks to government;
- greater visibility as the foundation from which an accurate assessment of risk can be derived;
- shared capabilities, tools and services to tackle ‘common’ cyber security issues at scale.
The Strategy’s second pillar, ‘Defend-as-One’, meanwhile, sets out the vision for bolstering the public sector’s collective cyber defences by harnessing “the value of sharing cyber security data, expertise and capabilities across its organisations to present a defensive force disproportionately more powerful than the sum of its parts.”
Third-Party Risk Management is broken
These Government efforts are vital and clearly set out what needs to be done. The next step, however, is to find ways to achieve the goal of hardening public sector supply chain cyber security. This is where organisations struggle to identify time- and cost-effective solutions that will actually make a difference.
The main problem is that traditional approaches to supply chain security are broken. They simply will not allow public sector organisations to achieve the goals set out in the Government Cyber Security Strategy, and to substantially reduce the risks from supply chain attacks. What is needed is nothing less than an entirely new approach to supply chain cyber security.
But let’s start with where the main problems lie with more traditional supplier risk assessment approaches. These approaches still rely, to a large extent, on highly manual and time-consuming risk assessments that provide, at best, a point-in-time insight into the security postures of individual suppliers.
Also, right now, each public sector organisation is performing its own assessment of each individual supplier’s security. Whilst there is a need for nuance based on the individual context, there is a vast amount of duplicated effort across public sector bodies when performing these reviews, especially given the often significant overlaps between their respective supply chains.
The time and resource demands of reviewing completed individual supplier assessments alone are great enough. This makes continuous monitoring of suppliers’ security postures, beyond occasional re-assessments, a distant dream. The same is true for efforts to map the entire supply chain ecosystem and achieve greater visibility into risks beyond immediate third-party suppliers, among 4th, 5th and nth parties.
The Way Forward: A Social Network Approach to Supply Chain Cyber Security
So what can public sector bodies do to overcome the challenges and constraints that more traditional approaches to third-party risk management bring with them?
The answer is to adopt, in the spirit of ‘Defend-as-One’, a collective approach to supply chain cyber security that puts a premium on collaboration, between public sector organisations as well as between organisations and their suppliers.
Combining a Third-Party Risk Management platform with a secure social network offers a way forward. Similar to a social network like LinkedIn, each organisation has a profile on the same platform, which contains information about their business, their security controls and other relevant risk areas, including ESG and financial risk. This profile is then shared with their clients and customers. Clients can set requirements against the framework, so they can compare suppliers against criteria which matter most to them.
Clients and suppliers are on the same platform, often in both capacities: an organisation can simultaneously show its security posture to its clients and monitor the security posture of its own suppliers. This uncovers the middle links in supply chains and builds a map of relationships and interdependencies across the full ecosystem, including among 4th, 5th and nth parties, not just between one client and its third parties. The result is a uniquely customised view of the entire network of connected organisations for different use cases, with analysis of the resilience of the ecosystem, including detecting and measuring concentration and systemic risk.
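As an added illustration, not taken from the original article or from Risk Ledger’s platform, the Python sketch below shows the kind of ecosystem analysis described above: a client-to-supplier graph (constructed sample data with hypothetical organisation names) is walked to find each public body’s 4th, 5th and nth parties, and suppliers on which many bodies transitively depend are flagged as concentration risks.

```python
from collections import defaultdict, deque

# Constructed sample data: each organisation lists its direct suppliers, as
# recorded when both sides keep a profile on a shared platform. All names
# are hypothetical placeholders, not real organisations.
EDGES = {
    "PublicBodyA": ["SupplierX", "SupplierY"],
    "PublicBodyB": ["SupplierY", "SupplierZ"],
    "PublicBodyC": ["SupplierZ"],
    "SupplierX": ["CloudHost1"],
    "SupplierY": ["CloudHost1", "LibVendor1"],
    "SupplierZ": ["CloudHost1"],
    "LibVendor1": ["BuildService1"],   # a 5th party from the bodies' view
}

def nth_parties(graph, org):
    """Return {supplier: tier} for every organisation reachable from org.

    Tier 1 is a direct (third-party) supplier, tier 2 a 4th party, tier 3 a
    5th party, and so on. A breadth-first walk records the shallowest tier at
    which each supplier first appears.
    """
    tiers = {}
    queue = deque([(org, 0)])
    seen = {org}
    while queue:
        node, depth = queue.popleft()
        for sup in graph.get(node, []):
            if sup not in seen:
                seen.add(sup)
                tiers[sup] = depth + 1
                queue.append((sup, depth + 1))
    return tiers

def concentration(graph, clients):
    """Count how many clients depend, directly or transitively, on each supplier."""
    counts = defaultdict(int)
    for client in clients:
        for sup in nth_parties(graph, client):
            counts[sup] += 1
    return dict(counts)

def systemic_risks(graph, clients, threshold):
    """Suppliers on which at least `threshold` clients transitively depend.

    A single supplier shared deep in many supply chains is the concentration
    risk the ecosystem map is meant to surface.
    """
    shared = concentration(graph, clients)
    return sorted(s for s, n in shared.items() if n >= threshold)
```

With the sample above, CloudHost1 is invisible to any single client-supplier assessment yet sits beneath every public body, which is exactly the aggregate risk the text argues per-supplier questionnaires cannot reveal.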
This new approach lays the groundwork for a future of “Defend-as-One”, where network effects can be leveraged into a collective defence approach. When everyone is connected, an attack on one organisation is tantamount to an attack on every organisation, which means that looking out for each other can only be beneficial. And conversely, failing to collaborate can only be detrimental for everyone involved. When it comes to cyber security, organisations can only win when they play as a team.
If you are interested in finding out about how large public sector organisations such as NHS Test & Trace (now the UK Health Security Agency), another large public sector body and a large number of UK water companies are already applying Risk Ledger’s new social network approach to supply chain security, get in touch with us. We look forward to hearing from you.
This article was originally published by techUK.