US Supply Chain Cyberdefense Approach Needs to Assist Small Businesses

May 27, 2021 by Victoria Turner

The U.S. witnessed an “uptick” in ransomware attacks during the pandemic, particularly against small businesses. And if those small businesses were offline even a couple of days, “the impact on their supply chain was so significant” that manufacturers turned to other small businesses to replace those affected, said Kiersten Todt, managing director of the Cyber Readiness Institute, Tuesday.

“When we lose small businesses, we lose key components of our global supply chains,” Todt charged during yesterday’s U.S. Chamber of Commerce Cyber Conference.

As Congress, the Biden administration and federal agencies grapple with modernizing their systems, deciding on cybersecurity standards, setting up incident prevention and response plans, preparing and revamping the cybersecurity workforce, and everything else that needs to be done to get ahead of adversaries and cybercriminals, Todt restated the importance of helping small businesses meet the challenges. 

Todt’s comments came prior to the House Committee on Science, Space and Technology hearing on improving the supply chain’s cybersecurity. Ransomware attacks, like the recent one on the Colonial Pipeline, use malicious software to essentially gain a backdoor into an organization’s system, holding it hostage until a ransom is paid. In light of the proliferation of these attacks, and the more sophisticated hacks like SolarWinds, the hearing focused on the exposed vulnerabilities in the U.S. supply chain – from the design of a product to its manufacturing and distribution. 

“Software supply chain hacks are not new,” pointed out Dr. Trey Herr, director at the Atlantic Council, but are “becoming more visible and more consequential by the day.” In the past decade, he noted during the hearing, more than 140 software supply chain attacks and disclosed vulnerabilities for such attacks have been revealed, with at least 30 “positively attributed to governments around the world.” 

And with software “[spreading] to every corner of the human experience,” from smartwatches connecting to the internet to the operations of medical hardware and cars’ brake pedals being controlled by embedded software, it is imperative the U.S. gets a hold on securing the software supply chains.

“Security flaws” come alongside this software and its “long chain of updates from vendors and developers,” Herr charged. And the hackers take advantage of these flaws, breaking the trust between the software coders and the users.

And 60% of small businesses close their doors one year after being victims of a cyberattack, said Karen Painter Randall, an attorney at Connell Foley LLP, where she chairs the Cybersecurity, Data Privacy and Incident Response Group.

Unfortunately, Todt said, this is because small businesses don’t have the resources to handle the risk management and mitigation strategies for cybersecurity “prevention, resilience and readiness.” Their lack of vendor management awareness was one of the challenges she pointed to.

Small businesses are having to make “split-second decisions” to either pay the ransom to avoid disruption of operations or not pay and be replaced.

Even cyber liability insurance is “very challenging for small businesses,” Todt said, as the plans often do not fully cover a breach. Hackers also “troll” the insurance policies to target the ones with the biggest payouts. Recently, global insurance company AXA announced it would not reimburse its customers for extortion payments for ransomware attacks. 

AXA itself was in the “tower that paid for the [CNA Financial] ransom payment,” Randall said, a late March ransom which was recently revealed to be in the amount of $40 million. 

As these small businesses play key roles in the digital economy as well as the global supply chain, Todt pointed to three key factors of basic “cyber hygiene” they need to set in stone: a strong user authentication process like an obligatory Multi-Factor Authentication across all devices, ongoing software updates known as “patches” and ensuring there are “workable back-ups” that can be accessed immediately. 

These steps would also create “a culture of cyber readiness and accountability” in the business, while simultaneously adding an extra layer of protection. Furthermore, among the five recommendations CRI sent to the administration, Todt highlighted the need for a “repository” of resources for small to midsize businesses. 

Biden’s recent cybersecurity executive order mandates MFA to be adopted by all agencies within 180 days of the May 12 order.
