WHAT IS SUPPLY CHAIN SECURITY?
In the most conventional sense, when we think of supply chain security, we immediately equate it to Target and the HVAC vendor whose access was used to pivot into Target's network and attack the Point of Sale (POS) systems, exfiltrating 40 million card numbers and 70 million shopper records (Krebs, 2014). That picture is not wrong, but it is too narrow in scope. Supply chain security does deal with the businesses we do business with, but the usual framing casts the larger business as the target and the smaller business as the threat. That framing is often accurate; I would surmise (without statistical evidence) that smaller businesses threatening larger ones is the typical case. Broadly, supply chain security is the aspect of information security that deals with threats posed to organizations through the supply chain: vendors, suppliers, and partners/providers. For the purpose of this post, I am examining the reverse: the threat that larger businesses pose to smaller businesses, and the threat that companies of the same size pose to each other, through the supply chain.
SUPPLY CHAIN SECURITY AS IT RELATES TO THE DYN DDOS
Many businesses went down or experienced service interruptions when Dyn's DNS infrastructure was knocked out by the DDoS. This cost Dyn's customers money through lost business, lost uptime (loss of availability), troubleshooting, and/or activating their BCP/DRP (Business Continuity and Disaster Recovery Plans). Some of those businesses' partners did not use Dyn at all, and neither did some of the partners' partners, yet they were affected too. This is problematic for all parties: an outage at one provider cascaded through downstream businesses and services, with the number of affected parties fanning out at each step. Only the first degree out from Dyn, its direct customers, had any contractual means of recovering costs (if at all, depending on the contracts and Service Level Agreements, or SLAs); everyone further downstream had no recourse against Dyn.
MY ANALYSIS
Should these businesses be responsible for downstream interruption to their customers' customers and beyond? In short, I believe the answer is yes. While the larger businesses, like Amazon, have little visibility into the downstream consumption of their products and services, they should understand that smaller businesses rely on them several degrees removed. I am not saying that Amazon should reimburse every smaller customer. What I am saying is that if the shoe were on the other foot, the outcome would be distinctly different. There should be some means for the larger organization to help smaller companies some number of degrees downstream. This seems to be the only responsible thing to do. I think the Dyn DDoS was a wake-up call for many. It has already changed the threat landscape and the architecture of many affected organizations, such as Amazon and Twitter. I discussed this very issue in my Security of Porn blog post. Since the attack, major sites have diversified their DNS providers across multiple vendors and spread their authoritative name servers across wide geographic areas, which is a step in the right direction. It is unfortunate that it required a DDoS attack approaching a terabit per second to make it happen.
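The DNS-provider diversification described above is something you can check for your own zones. The script below is an added illustration written for this post, not code from the original article or from any DNS vendor: it parses `dig`-style NS answers, groups each zone's name servers by the provider that operates them (approximated by the registrable domain of the NS hostname), and flags zones whose every name server lives with one provider, i.e. the zones that would have gone dark with Dyn. The zone names, vendor domains and NS records are constructed sample data, and the two-label-suffix set is a deliberately tiny stand-in for the Public Suffix List.

```python
"""Flag DNS zones whose authoritative name servers all belong to one provider.
Added illustration, not code from the original post. All names below are
constructed sample data; the suffix set is a stand-in for the Public Suffix List."""

from collections import defaultdict

# Assumption: a minimal approximation of the Public Suffix List, listing only
# suffixes under which the registrable domain is three labels deep.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(hostname: str) -> str:
    """Return the registrable domain of an NS hostname, e.g.
    'ns1.dns-vendor-a.net.' -> 'dns-vendor-a.net'. Trailing dots and upper case,
    as printed by dig, are normalised away."""
    labels = hostname.rstrip(".").lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_ns_answers(text: str) -> dict:
    """Parse zone-file style NS lines as printed by `dig +noall +answer NS <zone>`:
    '<zone>. <ttl> IN NS <host>.'  Returns {zone: [ns hosts]}; other record
    types and blank lines are ignored."""
    zones = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[2] == "IN" and fields[3] == "NS":
            zones[fields[0].rstrip(".").lower()].append(fields[4])
    return dict(zones)


def provider_diversity(ns_hosts: list) -> dict:
    """Group NS hosts by operator, approximated by the registrable domain of
    each NS hostname. Returns {provider: [hosts]}."""
    providers = defaultdict(list)
    for host in ns_hosts:
        providers[registrable_domain(host)].append(host)
    return dict(providers)


def single_provider_zones(answers: dict) -> list:
    """Return the zones whose NS set resolves to fewer than two providers,
    i.e. the zones with a single point of failure in their DNS."""
    return sorted(zone for zone, hosts in answers.items()
                  if len(provider_diversity(hosts)) < 2)


# Constructed sample output (not a real dig capture): shop.example relies on a
# single vendor; news.example is split across two vendors plus its own server.
SAMPLE_DIG_OUTPUT = """\
shop.example.   3600    IN      NS      ns1.dns-vendor-a.net.
shop.example.   3600    IN      NS      ns2.dns-vendor-a.net.
shop.example.   3600    IN      NS      ns3.dns-vendor-a.net.
news.example.   3600    IN      NS      ns1.dns-vendor-a.net.
news.example.   3600    IN      NS      ns1.dns-vendor-b.co.uk.
news.example.   3600    IN      NS      ns2.dns-vendor-b.co.uk.
news.example.   3600    IN      NS      a.ns.news.example.
"""

if __name__ == "__main__":
    answers = parse_ns_answers(SAMPLE_DIG_OUTPUT)
    for zone, hosts in answers.items():
        groups = provider_diversity(hosts)
        print(f"{zone}: {len(groups)} provider(s): {sorted(groups)}")
    print("single-provider zones:", single_provider_zones(answers))
```

To run it against real zones, feed it the output of `dig +noall +answer NS <zone>` for each zone you own. One caveat: grouping by NS hostname is only an approximation of who operates the servers. Vanity name servers (`ns1.shop.example` that actually point at a vendor's infrastructure) hide the dependency, so a thorough check also resolves each NS host and compares the address blocks and autonomous systems they land in.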
CONCLUSION
In conclusion, I hope to see better implementation of supply chain security. It is the responsibility of all organizations to be good stewards of information security and good "cyber citizens," so to speak. I hope this opens the eyes of all organizations to how they can improve their business, and with it what they provide to their customers. As time goes on and the threat environment evolves, the information security landscape must be agile enough to evolve with it. As businesses do more business in the cloud, special attention must be paid to the providers, the contracts, and the service-level agreements they enter into when dealing with cloud providers.