Digital supply chain attacks Will Increasingly Push Government Agencies To Rigorously Evaluate Online Vendors

The recent SolarWinds supply chain attack that targeted several U.S. government agencies has shown that cybersecurity must extend beyond the borders of any organization. This trend of attacking government agencies and departments through their supply chains, however, has been a growing threat for years.

To improve operations and better serve constituents, government departments and agencies have increasingly turned to many third-party online solutions. These technologies, on closer inspection, represent thousands of points of vulnerability and provide hackers a larger attack surface to exploit. Some of the biggest threats exist beyond department and agency firewalls that can’t be detected with anti-virus software. Officials will need to do more to ensure their attack surface of connected partners and vendors are monitored and secured in 2021.

Here are my predictions about third-party risks for government bodies in 2021.

Security Attacks Stemming From External Attack Surfaces Vulnerabilities Will Accelerate

We will see more attacks on government departments and agencies through third-party vendors as external attack surfaces expand at an increased pace. These connected technologies will continue to be used as governments seek to accelerate their digital transformation. As a result, there will be more opportunities for hackers to increase their attacks targeting and leveraging online third-party connections.

Governments Will Recognize The Need To Look Deeper Into Their Third-Party Vendors

Traditional third-party scoring solutions often assess vendors who are directly connected to an organization, and often only look at the public-facing veneer of a vendor. This analysis misses a critical aspect of today’s IT infrastructures: vendors have typically built their IT on technologies and infrastructures of additional vendors. Analyzing the public marketing site of a vendor has little to do with the vendor’s true infrastructure that it relies on to deliver online products and services to its customers. Additionally, the type of connection an organization has to a vendor has a role in determining their true risk – but many “risk scoring” solutions do not differentiate at this level. Multiple organizations can be connected to the same vendor in different ways and it doesn’t affect the “risk score”, even if they use different services and solutions of the vendor. Moreover, as every vendor relies on additional vendors, the infrastructures to which the organization is connected might not be known to the government agency. Because these threats can exist anywhere in the chain of vendors, government organizations will need to look deeper into these connected attack surfaces and actively assess the full threat landscape to which they are exposed.

The dramatic SolarWinds headlines might have been the first time that government officials had heard about this type of attack. It likely won’t be the last as exploiting online government attack surface vulnerabilities will be one of the favored attack methods for hackers in 2021.