Security Risks to IT Supply Chains under Economic Stress

Introduction

Supplier arrangements for information technology (IT) products and services have been seen to proliferate under both booms and recessions, as private companies, government agencies, and others continually seek to reduce costs by farming out activities that they consider not to be their core competencies. Meanwhile, the potential for compromise from cyber and physical security exploits increases in step with the growth in IT generally, regardless of economic conditions. However, in stressful economic times the risk of attack and likelihood of success for attackers are greater, as will be discussed in this article.

For the past two decades, the increased use and expansion of supply chains, particularly those including offshore operations, have taken place during times of solid economic growth, save for the recession around 2001 when a number of major IT outsourcers failed with little or no notice (Berinato, 2001), and during the financial meltdown in 2007-2008, when questionable activities by outsourcers were uncovered, such as for Satyam (Bhasin, 2012). Prosperous times tend hide nefarious activity. However, when the economic tide recedes, misdeeds and mismanagement are exposed.

The demand for outsourced products and services usually rises during economic downturns in order to reduce costs, and also rises during prosperous times as additional capacity, lower production costs and specific skills are sought. Both of these behaviors have been observed, particularly with respect to the outsourcing of software development to India and electronics manufacturing to China.

During economic contractions, threats posed by insiders, in particular, are thought to increase considerably as employees are fired and remaining employees become disgruntled and feel threatened economically. The insider threat is difficult to measure since insiders operate using authorized access and procedures. Consequently, while one might expect computer crime generally to increase when individuals are suffering economic hardship, measurement of such increases will be called into question since many exploits by insiders are never detected, and many of those that are detected often go unreported.

In more sanguine economic times, we also see increases in cyber attacks against corporations, government agencies and research institutions that are launched for purposes of industrial espionage (stealing intellectual property), financial gain (capturing personal information to enable identity theft and fraud), and conflict (cyber and kinetic warfare). Rapid expansion of organizations, mergers and acquisitions tend to mask nefarious activities because of turbulence generated by such changes.¹

Of particular concern is the lack of ability to recognize and respond to cyber attacks. Typically, compromises can take months to detect, if at all. In the majority of cases, victims are not even aware of the attacks until some collateral activates are noticed by third parties and are brought to the attention of the victim organizations.

While it is difficult to differentiate effects, which are evolutionary and occur more due to advances in technology and increased interconnectivity and complexity, from those effects that arise from economic stress, we shall attempt to draw a line between the two. The purpose is to suggest which additional measures should be taken and which existing measures need to be strengthened as a result of economic rather than purely technical factors.