
Securing the Supply Chain is no Small Task

RSAC | By Bob Ackerman | February 11, 2025

It is a new year, one already marked by some vexing developments in America, and, as is so often the case, that includes the state of the cybersecurity landscape.

Two developments are front and center, one troublesome and the other outright alarming. The first comes courtesy of the Identity Theft Resource Center, an organization established to support victims of identity crime, which has just reported that cybercrime remains at explosive levels. According to its 2024 annual data breach report, there were 3,158 US data compromises last year, only about one percent fewer than the 3,202 recorded in 2023, which was the highest annual count ever.

The other development, a bigger issue still, is the lack of progress so far in a growing effort to better secure America's ubiquitous software supply chains. According to available data, reported software supply chain attacks in the US hit significantly more victims in 2024 than in 2023: 296,688 impacted individuals and organizations, compared with 138,624 the year before. The majority suffered the ramifications of ransomware.

Money tells the tale as well. According to Fortune Business Insights, the global supply chain management market is believed to have grown to more than $26 billion in 2024, up from less than $24 billion in 2023, and is expected to grow to more than $63 billion in 2032.

An explosion of cyberattacks overall is bad enough. Supply chain attacks are worse because they are growing even faster and likely attract the most capable cybercriminals, who tend to operate at the technological state of the art. With no end in sight, these attacks have been surging in both frequency and sophistication.

Threat actors gravitate to supply chains largely because a single intrusion can be converted into many successful attacks more quickly than usual. By breaching one supplier, attackers gain valuable insight into the structure and weak points of the broader supply chain. That lets them more readily target other companies, particularly those within the same supply chain or in similar ones, which may share the same vulnerabilities or weaknesses.

Software consumers must understand that all software has vulnerabilities and can be exploited by a threat actor. Unlike hardware and physical electronics, which are rarely modified once they leave the production line, software is continuously revised, updated, and patched. Every one of those updates is a fresh opportunity to slip a flaw or a backdoor into what customers install, which makes the software supply chain chronically vulnerable.

There are several ways to attack a software supply chain. An attacker can insert malicious code directly into a product's source code or build process, take over a developer's account without anyone noticing, or compromise a so-called signing key, the cryptographic key used to digitally sign software releases. A signature made with a stolen key is indistinguishable from a genuine one, so the victim's computer is tricked into treating the malware as coming from a trusted source, allowing it to skip security checks and install itself.

Yet another issue is that developers routinely build their programs and applications from open source components and related "ingredients", with free access to libraries, frameworks, and tooling. The drawback is that this software is, as the name implies, open and widely available: an attacker can study it for weaknesses at leisure, or publish a compromised build of a popular component and reach every project that pulls it in.
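To make the signing-key point and the open source "ingredients" point concrete, here is an added example in Go, written for this page rather than taken from it or from any vendor's or project's tooling. A consumer pins two things after reviewing a release: the vendor's release-signing public key and the SHA-256 digest of the exact bytes it reviewed. The program then plays vendor, attacker and consumer in turn, including the case where the attacker holds the vendor's stolen signing key. The release text, the injected backdoor line and the key pair are all constructed inside the program, and the `Pin`, `Verify` and `Scenarios` names are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Pin is what a consumer records after reviewing a release: the vendor's
// signing public key and the SHA-256 digest of the exact bytes reviewed.
type Pin struct {
	SignerKey ed25519.PublicKey
	Digest    string // lowercase hex of sha256(artifact)
}

var (
	ErrBadSignature   = errors.New("signature does not verify under the pinned signer key")
	ErrDigestMismatch = errors.New("artifact digest differs from the pinned digest")
)

// Verify accepts an artifact only if its signature verifies under the pinned
// key AND its content hash equals the pinned digest. The signature proves who
// held the key; the digest proves which bytes were actually reviewed.
func Verify(pin Pin, artifact, sig []byte) error {
	if !ed25519.Verify(pin.SignerKey, artifact, sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(artifact)
	if hex.EncodeToString(sum[:]) != pin.Digest {
		return ErrDigestMismatch
	}
	return nil
}

// Results holds the outcome of the three scenarios exercised by Scenarios.
type Results struct {
	Genuine          error // the reviewed release with the vendor's signature
	Tampered         error // modified bytes, original signature (attacker has no key)
	StolenKey        error // modified bytes re-signed with the vendor's stolen key
	StolenKeySigOnly bool  // what a signature-only check says about StolenKey
}

// Scenarios plays vendor, attacker and consumer in one process. The release
// text and the injected line are constructed sample data, not a real product.
func Scenarios() Results {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Vendor publishes a release and its signature; consumer reviews and pins it.
	release := []byte("example-agent v1.0\nexec: run_agent()\n")
	sig := ed25519.Sign(priv, release)
	sum := sha256.Sum256(release)
	pin := Pin{SignerKey: pub, Digest: hex.EncodeToString(sum[:])}

	// Attacker appends a backdoor line to the distributed artifact.
	trojanized := append([]byte{}, release...)
	trojanized = append(trojanized, "exec: beacon_to_c2()\n"...)

	var r Results
	r.Genuine = Verify(pin, release, sig)
	// Without the key, the attacker can only reuse the old signature.
	r.Tampered = Verify(pin, trojanized, sig)
	// With the stolen key, the attacker mints a perfectly valid signature.
	stolenSig := ed25519.Sign(priv, trojanized)
	r.StolenKey = Verify(pin, trojanized, stolenSig)
	r.StolenKeySigOnly = ed25519.Verify(pub, trojanized, stolenSig)
	return r
}

func main() {
	r := Scenarios()
	fmt.Println("genuine release:           ", r.Genuine)
	fmt.Println("tampered, old signature:   ", r.Tampered)
	fmt.Println("tampered, stolen key:      ", r.StolenKey)
	fmt.Println("stolen key passes sig-only:", r.StolenKeySigOnly)
}
```

Run it with `go run`. The instructive case is the third one: once the signing key is stolen, the trojanized artifact verifies perfectly under a signature-only check, and only the pinned content digest rejects it. The cost of that protection is that every legitimate update must be reviewed and re-pinned, which is the same discipline that lockfiles with integrity hashes impose on open source dependencies (Go's go.sum, the integrity fields in npm's package-lock.json, and similar): an upstream component swapped for a compromised build under the same version number fails the hash check instead of silently flowing into the build.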

It's not that the private sector and government aren't working to strengthen software supply chains. Companies are increasingly implementing stronger cybersecurity measures, such as multi-factor authentication, encryption, and regular security audits. A growing number are also assessing and managing the cybersecurity risks of their third-party suppliers. In addition, more are diversifying their roster of third-party suppliers, believing this allows more flexibility to adapt to unforeseen circumstances and may lead to improved security.

On the government front, meanwhile, the Cybersecurity and Infrastructure Security Agency (CISA) has been increasing its efforts to collect and analyze threat intelligence and to share information with the private sector on emerging threats and vulnerabilities. CISA also provides technical assistance and support to organizations that have experienced cyber incidents, including those impacting supply chains. The FBI, for its part, has been strengthening its investigations of cybercrimes, supply chain attacks included, and shares its intelligence with CISA and other government agencies.

Despite all this, troublesome issues remain. Global supply chains, in the US and elsewhere, have become increasingly complex and interconnected, creating more opportunities for attackers to exploit vulnerabilities. There is also increasing reliance on technology in supply chains, creating new avenues for cyberattacks. And attackers targeting supply chains are constantly developing new techniques, making it challenging to stay ahead of the curve.

SolarWinds, a major US IT firm, fell victim to a supply chain cyberattack that began in the waning months of 2019 and came to light in December 2020, and the case still underscores how damaging these attacks can be. Attackers gained access to the system SolarWinds used to build updates for its flagship Orion product and planted a backdoor in an update that shipped with the company's own legitimate signature. More than 18,000 organizations installed the compromised update, with some reports stating that the attack cost victims 11% of their revenue on average.

Far more recently, other supply chain attack victims have included the likes of Microsoft, antivirus purveyor Norton, European aerospace giant Airbus and, in a case still under investigation, semiconductor manufacturer Advanced Micro Devices. As usual, big, technically sophisticated companies are not immune.

For now, at minimum, companies must scan regularly to catch lower-level vulnerabilities early and rely on penetration testing to surface more advanced threats within the supply chain. If they haven't already, they must also adopt stronger controls such as digital signatures and multi-factor authentication. Another priority is adopting tools that ensure reliable and secure data exchange among partners, as part of a broader digital transformation.

Lastly, companies need to abandon traditional technologies such as fax, telephone and email for exchanging sensitive data. Migrating to a modern environment allows companies to establish secure data transfers within their group and with business partners, suppliers and customers.

Be advised that one thing about securing the supply chain will not change: The process will never end.
