Cyberwarfare & the Battle to Protect Supply Chain Data

It would not surprise me if high-tech supply chain executives tasked with protecting valuable supply chain data said they are on pins and needles as they evaluate news reports that technology companies, including Apple Inc., have suffered cyberattacks.

In a rare disclosure explaining the widest known attack of its computers, Apple officials said Tuesday that hackers infected Macintosh machines belonging to some employees when they visited a software development website. Reuters reported that the malware, which manipulates a flaw in a version of Oracle's Java software used as a plug-in web browser, was designed specifically to attack Macs.

Facebook revealed a similar attack last week, and Twitter announced in early February that it had reset the passwords of 250,000 users whose information was compromised after hackers attacked it. At the end of January, The New York Times revealed that Chinese hackers had spent four months trying to infiltrate its computer systems to steal the passwords of reporters and other employees.

Cyberattacks are targeting corporate data more frequently. This doesn't bode well for an electronics industry battling to secure sensitive information.

Cyberattacks are targeting corporate data more frequently. This doesn't bode well for an electronics industry battling to secure sensitive information.

Stepped-up attacks
These attacks and others show that hackers are attacking corporate data more frequently. This doesn't bode well for an electronics industry battling to secure product designs, intellectual property, supplier agreements, and data associated with manufacturing and business processes across the supply chain.

Keeping sensitive supply chain data safe is even more challenging in the face of the ongoing cyberwar allegedly being conducted by the People's Liberation Army (PLA), a group supported by the Communist Party of China. According to a report published last week by the American computer security firm Mandiant Corp., the PLA conducts cyberwarfare from its base on the outskirts of Shanghai. The APT1 group has systematically stolen hundreds of terabytes from at least 141 organizations, including high-tech companies.

Remarkably, we have witnessed APT1 target dozens of organizations simultaneously. Once the group establishes access to a victim's network, they continue to access it periodically over several months or years to steal large volumes of valuable intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, emails and contact lists from victim organizations' leadership. We believe that the extensive activity we have directly observed represents only a small fraction of the cyber espionage that APT1 has committed.

This is a chilling revelation, as well as a reminder that the high-tech industry must be on guard. Such threats can interrupt business planning, stall growth, and lower revenue.

Getting worse
Undoubtedly, supply chain executives face a daunting task, which becomes more difficult when we consider the increasing number of component suppliers, the quest to add manufacturing locations, and the demands of managing transportation, logistics, and other segments of the supply chain.

In mid-2012, Deloitte Consulting surveyed 600 executives about the supply chain. Forty-eight percent of respondents said “the frequency of risk events that had negative outcomes” had increased over the past years. “Executives from high-tech companies were most likely to report an increase, with roughly two thirds saying that was the case.”

Things may very well get worse before they get better. Executives in the high-tech, industrial product, and diversified manufacturing industries (which all have complex supply chains) were most likely to report an increase in costs associated with supply chain risk, Deloitte found. It seems inevitable that companies in the electronics industry will see more cyberattacks. I agree with the Deloitte report's conclusion that companies need to think beyond simply preventing attacks and craft a plan to reduce their impact.

Deloitte outlined four key critical attributes of supply chain resilience.

  • Visibility : The ability to monitor supply chain events and patterns as they happen, which lets companies proactively — and even preemptively — address problems. Critical enablers include people capabilities and analytics capabilities.
  • Flexibility : Being able to adapt to problems quickly, without significantly increasing operational costs, and make rapid adjustments that limit the impact of disruptions. Critical enablers include people capabilities and governance processes.
  • Collaboration : Having trust-based relationships that allow companies to work closely with supply chain partners to identify risk and avoid disruptions. Critical enablers include people capabilities and analytics capabilities.
  • Control : Having policies, monitoring capabilities, and control mechanisms that help ensure that procedures and processes are actually followed. Critical enablers include governance processes and analytics capabilities.
  • What are you doing to protect your supply chain from breaches? What is your plan for dealing with the challenges after a cyberattack? And how are you collaborating with your supply chain partners to formulate a comprehensive data protection plan?

    Related posts:

    13 comments on “Cyberwarfare & the Battle to Protect Supply Chain Data

    1. _hm
      February 26, 2013

      Why only protect supply chain data? All data – design, customer, finanacial are important to organization. Supply chain can be one of them. To prevent further attack, one better way is to attack enemy and destoy their capability to do it again.


    2. The Source
      February 26, 2013


      I agree that all data at electronics companies should be secure, but EBN specifically covers the supply chain, and so my blog posts for EBN are concerned with writing about all things that affect the supply chain. 

    3. hash.era
      February 26, 2013

      The Source: I think all the little parts are integrated to the main system so if one part gets infected the whole system will get it eventhough it will not get crahsed 100%. That is why we need to assess all the areas of any system especially in a SCM which carries the whole operation of a company with a few clicks.

    4. Brian Fuller
      February 26, 2013

      Key question is how do we as countries find balance between cyber-security and civil liberties/human rights. 

      It's clearly a tension that is increasing. Thoughts?

    5. The Source
      February 26, 2013


      There's no doubt about it, a successful malware attack can have a devastating effect on a company's data systems.  You've noted that what is needed is a risk assessment across the data network, and I would contend high-tech companies must include their partners, third party suppliers and other business associates across the supply chain in any risk assessment program.  


    6. mfbertozzi
      February 27, 2013

      @_hm: I agree; speaking for myself, I think that electronic data means automatically security issues to address, it doesn't matter the process or the specific area of business chain we are telling about. Cloud could be a way for moving forward, but it brings are issues and concern on security, than there's still a long path to run.

    7. The Source
      February 27, 2013


      One of the difficulties here is that many companies don't want to admit that they've been attacked by cybercriminals, even though that might be changing.  Here's a New York Times article about that subject:

    8. The Source
      February 27, 2013


      With regard to cloud computing, survey after survey shows that company executives are concerned about security and privacy issues, and many companies have decided to manage their sensitive information on their own data systems while using the cloud for non-essential data. Still, there are many high-tech companies that use the cloud to manage supply chain data.         

    9. hash.era
      February 27, 2013

      The Source: Even if you do a proper risk assesment, its difficult to prevent the damage that might cause from un-expected scenarios. Anyway its always better to have the best ready so no one can blame on the damage.

    10. The Source
      February 27, 2013


      The issue of blame is a very serious one.  Companies that have sensitive data stolen from their computer systems stand to lose millions of dollars,  I wouldn't want to be the person that is partially responsible for such an incident.    


    11. hash.era
      February 28, 2013

      @ The Source: Yes indeed. Any data set has a price tag on it and it differs fromrequirement to requirement. So loosing data means a very serious issue since its priceless.

    12. mfbertozzi
      March 4, 2013

      @The source: I see the point and I am sorry because in my mind, it should be the time for planning a jointly effort in order to be stronger in front of new possible threats.

    13. mfbertozzi
      March 4, 2013

      @The Source: it is true, for now it seems concerns regarding privacy and similar matters, are responsible for the slowly adoption of the cloud services, but sooner or later any companies will migrate towards that paradigm due to the need of ensure an urgent capex reduction.

    Leave a Reply

    This site uses Akismet to reduce spam. Learn how your comment data is processed.