Article Preview
Top1. Introduction
The 2013 cyber-attack against the retail giant Target resulted in the capture of sensitive financial data of as many as 110 million consumers and costed Target 18.5 million USD in settlements (McCoy, 2017). The 2018 British Airways cyberattack compromised credit card details of around 380,000 customers, having triggered an administrative fine of £183 million stemming from the breach of the General Data Protection Regulation (GDPR), a regulation on data protection and privacy in the European Union (Cellan-Jones, 2019). The notorious 2010 Stuxnet attack reportedly ruined almost one-fifth of Iran’s nuclear centrifuges and halted Iran’s nuclear programme for a considerable period of time (Business Insider, 2013). Last but not least, several U.S. government agencies and industrial control systems have recently been compromised by an attack surface detected in SolarWinds Orion products (CIRT, 2020). The common denominator of all four cyber incidents and of several hundreds of those which are not mentioned here is the fact that they targeted and successfully tampered with less-secure components in the supply chain. Bringing externals in the critical business processes and having them assume some or all of the responsibilities associated with the critical business functions comes with information security risks whose impact, if materialized, could be disastrous for business and therefore warrants a meticulous and holistic approach for managing those risks (Bahşi et al., 2018, p. 11; Pinto et al., 2020).
The high degree of standardization and interconnectedness in information processing has fostered the need for commissioning products or services to external service providers (Nextrust, 2020, p.42). Many advantages of contracting with suppliers, such as scalability, affordability, or specialization, have urged businesses to fulfill the tasks with an eye toward commissioning some of them to externals (Nussbaum & Park, 2018, pp. 1-9). Nevertheless, the security risks associated with suppliers pose an adverse impact on an organization’s own assets ranging from its infrastructure and network to critical data processing systems, as evidenced in highly publicized incidents from recent years. Vulnerabilities and security flaws on the side of suppliers are likely to spill over to the commissioning organization and expose the latter’s assets to significant information security risks arising from that connectivity or intimacy (ISACA, 2017, p.32).
This is more so for externals commissioned by States for providing, developing, or maintaining assets destined for critical services or defense purposes. Given the well-established norm (Tallinn Manual 2.0, 2017, Chapter 14) that a cyber-attack against critical infrastructures –such as military facilities or medical life-supporting systems– which results in material and/or human damage has legal implications stemming from the international law on the use of force, the risks associated with the incorporation of externals somehow in those critical components become more evident (Karabacak & Tatar, 2014, p.63). A vulnerability inherited by a State from an external might pave the way for the adversaries to inflict substantial damage to that State and thereby trigger an act of war.
Delving deep into those risks brought about by suppliers, this study aims at offering a methodology in addressing the risks associated with commissioning some or all components of a would-be-developed product to externals. It elucidates the approach with regard to assessing potential suppliers and identifying the risks of having them assume the development, examining plenty of concrete risks facing an organization (Section 3). It also shows how those risks can be mitigated by controlling the security behavior of suppliers through well-tailored contractual provisions to be signed by them (Section 4). Before moving on to risks, threats, and vulnerabilities facing a development process, it gives a brief overview of secure development lifecycle in an effort to point out what might go wrong (Section 2). The study summarizes its findings and conclusions at the end (Section 5).