Is Your Supply Chain Also Your Risk Chain?

Over the last month, we examined the idea of security without borders. A single glance at headlines from the past few months - with news of cyber-attacks involving the AP, Twitter, and 15 of the largest banks in the U.S. - underscores again how organizations are impacted by the world they operate in.

But there's a downside to the intense media focus on cyber-attacks and those presumed responsible: the deluge of stories can send a misleading signal that we have no recourse but to wait and respond. Fortunately, that simply isn't true. If we act with commitment, we can decrease the risk to the organizations where we work.

There are at least two fundamental ways to accomplish that.

First, we must recognize where the risks reside. An organization is as vulnerable as its supply chain and its service chain. Indeed, we've seen some of the most widespread damage from cyber-attacks stemming from intrusions in the most unlikely areas.

As Mandiant's Richard Bejtlich explained in detail this month, security professionals can take significant and immediate steps right now to address supply chain weaknesses. Those range from directly questioning partners and vendors about their security practices, to creating visibility mechanisms to identify when links in the supply chain have been compromised, to constructing and implementing a containment strategy.

Equally important, security organizations should ensure they are able to quickly and accurately identify and contain intrusions. To accomplish this, they must create and set new expectations for how to operate in a world where advanced targeted attacks are just part of the daily corporate weather forecast.

The new reality is dawning on many. As the Pentagon wrote in its 2013 Annual Report on China:

"In 2012, numerous computer systems around the world, including those owned by the U.S. government, continued to be targeted for intrusions, some of which appear to be attributable directly to the Chinese government and military."

Years ago, it would have been earth-shattering news if the Pentagon used that language. But when it came out in early May, no one was really shocked at all.

At Mandiant, we take pride that our work helped bring about the recognition that's reflected in the Pentagon report and last week's US-China summit meeting. We continue to take our responsibilities very seriously. It may not be possible to prevent cyber-attacks, but understanding the risks and remaining vigilant about addressing intrusions can make all the difference in the world.