Securing Australia's supply chain and protecting our nation
Image courtesy of Krzysztof Hepner


Supply chain security has been an issue since the dawn of time.  

These days, however, dynamic changes are resulting in greater environmental complexity, and our national secrets are being regularly targeted on a previously unseen scale.  

According to the Australian Cyber Security Centre, “malicious cyber activity against Australia’s national and economic interests is increasing in frequency, scale, sophistication and severity”. Whilst figures are hard to quantify, foreign governments, their intelligence services, and criminal organisations are thought to be behind most of these attacks.  

The reality is that these elements are looking to weaken Australia’s national security.  

Published examples include the case of ASUS, which was hacked to push out ransomware to its customers, and, closer to home, the theft of Joint Strike Fighter F-35 plans. In 2020, there were also allegations of Australia’s diplomatic mail network being breached, and in 2021, the Accellion data breach claimed the Reserve Bank of New Zealand and several Australian departments, including the Australian Securities and Investments Commission, as its victims. Hackers targeting our COVID-19 vaccine supply chain is not unfathomable, with recent media reports highlighting the possibility. Our digital supply chain is also at risk.

Protecting Australia Against A Determined and Persistent Enemy 

Supply chain interference is attractive to foreign entities as it: 

  • Can generate intelligence on a nation’s capability development, 
  • Can be used to support monitoring, surveillance, and counter-measure development, 
  • Can lead to the degradation of capabilities used to support government operations, and 
  • Is a better investment than conducting high risk espionage operations. 

According to the US National Counterintelligence Strategy, “the increasing reliance on foreign owned technologies as well as the proliferation of networking technologies – paired with cyber intrusion and insider threats – creates additional vulnerabilities”.  

We know this threat is real and the occurrence of supply chain attacks is growing. Most recently, this was seen in the SolarWinds attacks, which caused chaos across thousands of government and non-government customers both overseas and in Australia.

By exploiting these vulnerabilities and employing advanced tradecraft, foreign adversaries can now cripple the IT systems that support decision making in government. This deliberate disruption could hinder our ability to respond quickly in times of crisis, whether during a health pandemic or in conflict areas where our troops are deployed. Unfortunately, many organisations focus on reactive controls rather than adopting a holistic approach in their response. Resilience requires organisations to examine their entire ecosystems and do more than just adopt tactical solutions for the most recent issue. It requires an evolution of the ‘just fix it, now’ attitude, and a step forward in how organisations approach security.

A cyber threat actor needs only a single successful attack to impact many others, and due to the connected nature of our world, the impact of that attack can ripple through many more. This is a clear and present danger. Supply chain security must therefore include the integrated web of people, processes, technologies, information and resources that are used to deliver and sustain a product or service throughout its lifetime – from its design, manufacture, distribution, delivery and maintenance through to disposal.

What measures should we take to enhance supply chain security? 

Our Government needs to bolster its cyber defence practices and integrate a higher level of due diligence on the supply chain we use to procure the solutions we buy, as a priority.  

The measures that should be adopted include the following: 

  1. Enhance capabilities to detect and respond to supply chain threats. Examples include implementing processes to identify high-risk vendors, solutions and services that pose a risk to our national security. This means undertaking thorough due diligence, scoping risk and ways to address it, and getting better visibility across the network.
  2. Advance supply chain integrity and security across the federal government by addressing deficiencies in current procurement processes and developing a certified vendor ecosystem. This should include a list of trusted vendors and ones to stay away from, all managed by a dedicated central supply chain program office.
  3. Commit funding and resources to expand outreach on supply chain threats, risk management, and best practices. This should be performed by engaging industry experts, developing partnerships across government, and sharing information to better understand foreign intelligence threats to our supply chain and ways to counter them.  
  4. Invest more in securing Information and Communications Technology (ICT) from cyber-attacks. Global supply chains today all rely on ICT, connectivity and the internet. Organisations should ensure their ICT infrastructure is modernised and secure, security baselines are established, and proactive cyber defence strategies are in place.

These strategies together with proper validation can ensure a more holistic, layered approach to supply chain security that can be driven across the ecosystem.

Doing something to counter the weakest link

Almost no nation builds its entire capability from scratch, and international commerce is a necessity rather than an option. By being aware of these risks, our Government can take several proactive steps to improve how our supply chain is protected and secured.

After all, having trust and confidence in our capabilities is important and we should be doing everything we can to strengthen our national security rather than weaken it.  


Adam Misiewicz is an experienced cyber security consultant and the General Manager of Cyber Security at Vectiq - a Canberra-based services company.
