Supply chains have a problem: Cybercriminals have committed major attacks on them this year that have amplified the threat of ransomware and malicious activity. Specifically, these cybercrime groups are organizing supply chain attacks, or attacks on vendors.
Notable recent examples include JBS Meatpacking and SolarWinds. The Center for Strategic and International Studies keeps a running list of significant attacks across the world. More recently, the White House held a summit to address the rise in cyberattacks.
“Marketplace” host Kai Ryssdal spoke to Shital Thekdi, an associate professor of analytics and operations at the University of Richmond, to ask why these groups target supply chains, how they are able to accomplish these attacks and why we, as a society, should take future threats very seriously. The following is an edited transcript of their conversation:
Kai Ryssdal: I think we need to start with a definition of terms. When we say “supply chain attacks,” it’s not things in trucks getting delivered, right? That’s not what we’re talking about.
Shital Thekdi: Right. We’re not necessarily talking about items that are moving across the country. But we’re talking generally about the cybersecurity and the information systems that fuel the supply chains.
Ryssdal: Give me an example, because there have been so many of them lately.
Thekdi: Yeah. So, what supply chain attack can basically turn the information technology — for example, the computers and the software — they can be disrupted. And when the computer, the software, when they don’t work, then we can’t move items from coast to coast on those trucks.
Ryssdal: SolarWinds, right, that was a supply chain attack?
Thekdi: Yes, it was, and in particular, because it affected the ability for not only goods and services to move, but also for transactions to happen, so for the sale of services.
Ryssdal: Right. Now, why are they becoming, or have they long been a preferred method of entry of a vector, if you will, for these cybercriminals?
Thekdi: Well, it’s becoming more and more prevalent today because systems are becoming increasingly interdependent on one another. So what that means is a disruption on one system or one piece of software can have disruptions across all interconnected software, ones that basically share data or communicate with one another.
Ryssdal: Am I right in remembering that, at least in the recent ones, they can go undetected for quite a while?
Thekdi: Yes, absolutely. What attackers do is they tend to burrow into the system, gain information and choose to attack or choose to become visible when they are ready, often on their terms, often in cases when they are ready to, for example, ask for ransom.
Ryssdal: So if I’m running a company and I’m the head of it, what do I do?
Thekdi: Well, there is a lot IT can do and a lot it cannot do. So for example, when there are potential entryways into a cyber system, those are called vulnerabilities. And vulnerabilities often become known. And when they are known, they can be patched. So a company can patch the vulnerability and ensure at least to some extent that they have sealed the entryway into their system. But the company may not be aware of the vulnerability. And that is one of the most dangerous situations that is really coming into play more recently.
Ryssdal: OK, so not to personalize this at all, but I’m smack in the middle of what seems like interminable IT security training here at Marketplace. Is this an individual-level thing?
Thekdi: It absolutely can be. So, you as a user of email may often get phishing emails, in which maybe you get an email with a suspicious link in it. And in an organization and a company, those types of emails may go out to hundreds, thousands of employees, and it may take just a single employee clicking a bad link to create an entryway for attackers to get into the information systems.
Ryssdal: What about you? You’re a professional. Do you have to do this stuff, too?
Thekdi: Absolutely. Absolutely. My university just started a system in which external emails get a yellow band across the email telling me that it came from an external party.
Ryssdal: Oh, yes. We just got that here as well. I guess it’s everybody.