Global cybersecurity firm Kaspersky is pushing for a more collaborative and inclusive approach to strengthening the ICT (information and communications technology) supply chain in order to mitigate any form of cyber attack.
At the 4th Asia Pacific Online Policy Forum by Kaspersky, policyholders and Kaspersky executives underscored the need to keep security in sync with digitalization efforts as cybercriminals are quick to take advantage of any weaknesses of ICT vendors.
“In the last two years, there has been a new wave of attacks that exploited critical vulnerabilities in the ICT supply chain,” said Eugene Kaspersky, CEO, Kaspersky. “As threat actors evolve their techniques and tactics, we should expect supply chain attacks to be a growing trend in 2022 and beyond.”
The COVID-19 pandemic drove digitalization efforts around the world at unprecedented speed as companies sought to ensure business and operational efficiency. Moving into the cloud introduced vulnerabilities that can be easily exploited if a company’s security posture is either weak or nonexistent.
“The number of attacks on those working in the supply chain has increased, heavily targeted, more vulnerable and at-risk than ever before,” said Dato’ Ts. Dr. Haji Amirudin Abdul Wahab, CEO of CyberSecurity Malaysia. “Supply chain attacks are difficult to handle due to their malware design, which stays hidden among the infected system and user’s device. Especially in today’s environment, nations are slowly recovering from the pandemic and starting to move towards digital transformations.”
He emphasized the need to strengthen cybersecurity education and awareness across all sectors involved in the ICT supply chain. He made particular mention of small and medium enterprises (SMEs), which, more often than not, do not have the budget and assets to invest in improving their cybersecurity defenses.
“Resilience is all about resistance and recovery,” said Dr. Pratama Persadha, chair, Communication & Information System Security Research Center (CISSReC), Indonesia. “One way for both government and non-government stakeholders to minimize these risks is to improve cybersecurity capabilities, which will subsequently improve ICT supply chain resilience.
“However, this will be constrained if all relevant parties do not improve the cybersecurity of their systems. The main obstacle is the lack of understanding surrounding the importance of cybersecurity to increase ICT supply chain resilience. In the end, stakeholders must consider the significant investment to increase the overall standard of cybersecurity to improve the resilience of the ICT supply chain,” Dr. Persadha said.
Cross-border collaboration
The recent arrest of members of REvil showed the need for cross-border collaboration. Russian security agencies reportedly responded to a request from the United States government to arrest the ransomware group, which was responsible for high-profile attacks last year that crippled some industries.
“The responsibility of securing the ICT supply chain and ensuring safe and trusted internet space is something that the Indian government accords high priority to. The core part of the strategy is a cross-border collaboration with all stakeholders to ensure protection and resilience of the tech space and ICT supply chain,” said Shri Rajeev Chandrasekhar.
Explaining possible solutions, Kaspersky says short-term and long-term strategies should be looked into by both government and private sectors.
The short-term solution includes improving procedures and regulations on ICT supply chain infrastructure. Kaspersky cited companies certifying their supply chain partners as a way to reduce attacks to close to zero. Government regulation also plays a key role here, as in the case of critical infrastructure.
“The long-term solution is to make systems immune,” Kaspersky said. “This means the system being designed in such a way that even if an ICT supply chain component is vulnerable, it cannot affect the rest of the system. Even if there is a zero-day or any other vulnerability somewhere in the supply chain, it doesn’t carry over into other components in the chain.”