Modern warfare isn’t just about tanks, soldiers, bombs and attack drones. It’s about identifying and exploiting your opponents’ weaknesses wherever you find them. In today’s digital era, the most cost-effective way to do this is through cyberwarfare. 

Rogue states, from Iran to North Korea, have been using cyber warfare to attack their enemies for decades. As Russia joins the list of international pariahs, the Kremlin is adopting their battle tactics too. This is a threat that Western individuals and businesses are simply not prepared to address. 

The new frontline is online, and most remain woefully exposed. Last year, cyber threats to global supply chains were highlighted following the unprecedented cyber-attacks on Colonial Pipeline, JBS, and SolarWinds, with far-reaching consequences for downstream businesses, customers, and individual consumers. Colonial Pipeline is the largest pipeline in the U.S., and the ransomware attack left hundreds of drivers stuck in queues for hours waiting for gas as all pipeline operations were stopped in a bid to contain the attack; in the end, the hackers were paid off to the tune of $4.4 million (75 bitcoin) to get the pipeline operational again. That’s why it’s time for a global industry supply chain security standard, like SCS 9001, to be enshrined into law.

SCS 9001 is more than just a standard; it is a complete supply chain security management system that verifies trusted ICT providers and suppliers for businesses, governments and consumers. Developed by the Telecommunications Industry Association, the standard provides guidance for key components of supply chain security.

We need tough laws like this because cyber-attacks can send dangerous reverberations into the real world. For example, Russia is alleged to have sent Ukrainian citizens a barrage of fake text messages informing them that the entire ATM network was down, in order to create a run on the banks and a currency collapse; it is also alleged to have hacked 70 different government websites. A gang of cybercriminals known as “Conti” has publicly supported Russia with similar efforts in this cyber warfare. A recent report by the U.S. Department of Health & Human Services (HHS) noted that Conti has historically targeted U.S. health care organizations with ransomware attacks that both encrypt systems and steal information. On the other side of the conflict, Ukrainian officials are supporting the “IT Army of Ukraine”, made up of 400,000 volunteers who are targeting the Russian government. So far, they have taken down banking websites and military systems. They are also providing crucial military intelligence. This has been recognized as the first time in history that a government has publicly acknowledged and recruited a cyber-espionage “army” to assist its defensive military operations.

Russia also wishes to disrupt the West as much as possible in retaliation for the economic sanctions the West has imposed. Supply chain attacks represent a potent methodology for targeting specific and vulnerable parts of a business. These attacks use malware in an attempt to disrupt the flow of physical and virtual goods further down the line.

In 2018, hackers harvested payment details from the payment section of the British Airways website. Login, payment card, and travel booking details were all compromised, and an investigation found this was because multi-factor authentication - where users must verify their identity by logging in on a second device - was not enabled.

By attacking a key part of BA’s infrastructure, the hackers stifled BA’s service, since bookings could not take place while the payment section of the website was compromised. Basic cybersecurity provisions could, and should, have prevented this from happening.

Whilst BA was fined a record sum of £20m and has since updated its systems, the incident showed how, even in the pre-Ukraine-war era, global multinationals were still woefully underprepared.

These attacks reveal how vulnerable we are and the potential for real-world impact. One way to resolve this is by ensuring that SCS 9001 is enshrined into law.

Tools specifically designed to support SCS 9001 implementation efforts include the Universal Communications Identifier (UCID). This type of service can be used to provide confidence that a device supplier has examined its own hardware and software, as well as those of its own suppliers, to remediate software vulnerabilities.

The SCS is not just a gold-standard protocol; it is also an accreditation process that oversees supply chain security certification providers to ensure all companies are meeting the required standard. It uses a benchmark scoring system, so just by looking at one easy-to-understand score a user could tell whether that company was taking cybersecurity seriously enough.

At the moment, SCS 9001 is not mandatory. Companies and individuals are simply not compelled to sign up to this security standard by law, and they should be. 

Most users do not know they’ve been hacked unless they are specifically vigilant for unusual behavior during their day-to-day online transactions or until a major breach makes headlines. In the frenzied media ecosystem surrounding first Covid and then Ukraine, such stories are easy to miss. 

Most ordinary people and businesses gravely underestimate the threat of cyberattackers. If it’s a choice between upgrading their laptop to make it more secure or purchasing better features, from more memory to a higher-resolution graphics card, most people will go for the features upgrade because it offers the most tangible value for money.

GDPR - the General Data Protection Regulation - in the E.U. and the U.K. was a monumental step forward in protecting our privacy. For the first time, it governed how our data is used online. Data must be used fairly, lawfully, and transparently, and only for ‘specified, explicit purposes’ that are ‘adequate, relevant and limited to only what is necessary’.

Before the enforcement of this in 2018, companies were not in the business of informing users how their data was used and for what purpose. It wasn’t conceivable that they would ever have done this voluntarily; it’s a lot of work, and most users were not interested. Yet behind the scenes, data was being harvested and sold on an industrial scale. By making it mandatory, the onus was placed on the company to sort this out.

We need to use this template to enshrine a global gold standard supply chain security protocol based on SCS 9001 in law. Only then can we start taking cybersecurity seriously, and therefore prevent ourselves from becoming collateral damage in the cyberwarfare age. 

About the author:

Kevin L Jackson is an author, cloud computing expert, and founder of GOVcloud, a cloud computing company.