- Hackers have infiltrated companies' IT networks through their suppliers, such as in the infamous SolarWinds debacle.
- Quantum computing greatly increases the ability to break encryption, making attacks through the supply chain far easier.
- Even though quantum computing is still in its infancy, companies should take four steps now to prepare.
Quantum computing holds so much potential for the world, but inevitably it will also introduce new risks to your business. Chief information security officers (CISOs) may have already started considering what quantum computing means for their own infrastructure, but one area is often overlooked: the supply chain.
Supply chain providers can unwittingly introduce security vulnerabilities into your organization. These vulnerabilities can be exploited by attackers and expose your company to security incidents, ransomware, an unwanted reputational hit or all the above and more. And the ability for quantum computers to break today's encryption algorithms that keep our data safe will only exacerbate the threat.
Sophisticated attackers who have your company in their sights may use a variety of attacks against your suppliers to compromise them, and ultimately you. Once a supplier is compromised, it becomes a stepping stone into your organization.
Such a supply chain attack plan was executed to notorious effect in the SolarWinds cyberattack. For those unfamiliar, in December 2020 it was discovered that the service supply chain of SolarWinds, a U.S.-based IT management software provider, had been compromised. SolarWinds is a key provider of software and services to companies around the globe. The attack resulted in the theft of sensitive data from numerous government agencies, technology companies and other organizations worldwide.
The SolarWinds compromise steps became a blueprint for other attacks:
- Initial Compromise: The attackers initially gained access to SolarWinds' software build environment, where they injected malicious code into a software update for the Orion platform, a widely used IT management tool.
- "Trojanized" Software Update: The malicious code, referred to as the Sunburst malware, was included in the Orion software update and was signed with legitimate SolarWinds digital certificates, making it difficult to detect.
- Distribution of Trojan Software: The compromised software update was then distributed to SolarWinds' customers. When the customers installed the update, Sunburst malware was installed on their systems, allowing the attackers to gain persistent access.
- Lateral Movement: Once inside the SolarWinds customers' compromised organizations, the attackers used various tactics, techniques and procedures (TTPs) to move laterally across their networks and gain access to sensitive data.
Quantum computers process information in a fundamentally different way than classical computers. They use qubits, which can represent 0 and 1 simultaneously; as a result, a quantum computer's power grows exponentially with the number of qubits linked together. The expectation is that, with this power, quantum computers will multiply the effectiveness of several supply chain attack vectors that are in use today, specifically:
- Brute Force Attacks: Quantum computers can perform certain types of calculations exponentially faster than today's classical computers. This means they can run through possible key or password combinations in a fraction of the time a classical computer needs, making the effort of "guessing combinations of keys or passwords until the correct one is found" much more efficient and effective.
- Password Attacks: Quantum computers can also be used to break password hashes, which are used to protect user passwords in many systems. Password hashes are vulnerable to quantum attacks using Grover's algorithm, which can be used to find the original password from the hash.
While quantum computers have the potential to break many of the currently used encryption algorithms, the technology is still in its infancy, and large-scale quantum computers capable of breaking encryption are not yet available. However, it is important for companies to be aware of the potential risks and to take steps today to protect against them, including adopting post-quantum cryptographic algorithms and maintaining a strong cybersecurity posture. This effort includes reviewing the software and services you consume within your company: your supply chain.
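To make the brute-force and password-hash points above usable in a supplier review, here is an added Python example (not from the article) that triages a constructed supplier crypto inventory under the standard rules of thumb: Grover's algorithm halves the effective bit strength of symmetric keys, hashes and password search spaces, while Shor's algorithm breaks RSA and elliptic-curve keys outright. The 128-bit post-quantum target, the vendor names and the inventory entries are assumptions made for the example.

```python
"""Quantum-adjusted triage of a supplier's cryptographic controls.

Constructed example: vendors and controls below are made up. Rules applied
(standard estimates, not from the article): Grover halves effective bits for
symmetric keys, hashes and password search; Shor reduces RSA/ECC to zero.
A slow password hash (bcrypt, scrypt) raises per-guess cost but does not
change the halving, so it is deliberately ignored here.
"""
import math
from dataclasses import dataclass

TARGET_BITS = 128  # assumed post-quantum target for effective security


@dataclass
class Control:
    supplier: str
    purpose: str
    family: str   # "symmetric", "hash", "password", "rsa" or "ecc"
    bits: float   # key/hash size, or password search-space bits


def password_space_bits(charset_size: int, length: int) -> float:
    """Bits an attacker must search for a random password under a policy."""
    return length * math.log2(charset_size)


def quantum_security_bits(c: Control) -> float:
    """Effective security after quantum speedups (Grover halves; Shor breaks)."""
    if c.family in ("symmetric", "hash", "password"):
        return c.bits / 2
    if c.family in ("rsa", "ecc"):
        return 0.0
    raise ValueError(f"unknown family: {c.family}")


def triage(inventory: list, target: float = TARGET_BITS) -> list:
    """Return descriptions of the controls that fall below the target."""
    return [f"{c.supplier}: {c.purpose} ({c.family}-{c.bits:g}) -> "
            f"{quantum_security_bits(c):g} effective bits"
            for c in inventory if quantum_security_bits(c) < target]


INVENTORY = [  # constructed, not real vendors
    Control("VendorA", "backups at rest", "symmetric", 128),
    Control("VendorA", "backups at rest (upgraded)", "symmetric", 256),
    Control("VendorB", "TLS server key", "rsa", 2048),
    Control("VendorB", "update signing key", "ecc", 256),
    Control("VendorC", "portal passwords (8 chars)", "password", password_space_bits(62, 8)),
    Control("VendorC", "portal passwords (20 chars)", "password", password_space_bits(62, 20)),
]

if __name__ == "__main__":
    for line in triage(INVENTORY):
        print(line)
```

Only the 256-bit symmetric control survives the 128-bit target; the RSA and ECC signing keys are flagged regardless of size, which is the case for adopting post-quantum algorithms.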
To that end, CISOs should consider four steps:
- Risk Assessments: Do your third-party vendors and suppliers have a plan to address post-quantum cryptography (PQC)? Perhaps they have a robust and mature security program that includes PQC. Risk assessments should be comprehensive enough to understand security controls and the maturity of those controls. You are going to find companies at different stages on their cybersecurity journey, and understanding that maturity level as it relates to the services being consumed by your organization is one way to evaluate risk for your organization.
- Supply Chain Requirements: Draw a line in the sand to mandate that the security and integrity of the products and services provided meet certain standards. For example, you can require a SOC 2 report from your provider. The SOC 2 report is centered on a service organization's IT controls. It is an attestation report in which the service organization asserts that certain internal controls have been designed and implemented, and a qualified CPA firm audits those assertions. This may not be readily achievable but should drive desired business behavior. The White House has issued executive orders that emulate this approach by directing new security standards with a focus on adoption of emerging technologies, including post-quantum encryption.
- System and Communications Protection: Take the time to understand the what, where, how and by whom regarding a product or service being provided, and then discover the constituents in your organization using them. Knowing these potential threat vectors can better prepare defense and response models to protect the organization as post-quantum technologies advance.
- Incident Response Planning: Create response plans that include procedures for security incidents involving third-party vendors or suppliers. Supplement your current plans by understanding how critical suppliers would notify you about a security incident. Streamline those communications with the right resources in your organization so you can respond more quickly and take timely action against an attack.
With some effort and proper planning, you will be able to reduce the quantum risk to your organization and improve your ability to respond to a service supply chain threat. Providing context to the risk in your supply chain, including the threats that quantum computing poses, demonstrates a high level of acumen all CISOs should be delivering.