Digital supply chain challenge to cities and counties—another cyber minefield to navigate
As cities and counties have steadfastly turned to managed service providers for improvements and enhanced security for their networks, a new type of cyberthreat has emerged to greatly undermine trust. The irony here is that many turned to managed service providers who promised greater cyber security and hardened system protections. Perhaps managed services sounded too good to be completely true as cities and counties looked to their providers for more secure solutions in better managing and protecting their networks from cyber intrusions. A rash of incidents in mid-2021 helped to undercut all such blanket assurances and promises. Supply chain hacks are not new, but like all cybercrime, they have become more pernicious.
The Colonial Pipeline hack is a prime example of a “traditional” supply chain hack, in which a ransomware attack caused one of the largest oil supply pipelines to cease operation for less than a week, leading to gas outages, shortages and higher prices. Most thought of supply chain issues as something completely focused on getting parts and materials to suppliers in the most expeditious manner possible. In addition, the pandemic highlighted supply chain issues regarding shortages in furniture availability due to a shortage of lumber and foam. Makers of cars, trucks, boats and even appliances had to cut their production lines due to shortages in essential computer chips.
Physical or traditional supply chain issues can certainly be disruptive—but so too can digital supply chain issues. As reported, what are now being referred to as digital supply chain attacks have proved to be particularly worrisome. When a customer of a cyber services company or managed service provider downloads an update, it was once reasonable to assume the update had been fully vetted.
Until recently, few saw how supply chain hacks could occur in the cybersecurity environment; then the cyber threat landscape presented no fewer than three digital supply chain hacks. Threat actors had successfully compromised technology supply chains and were able to obtain access to their targets’ customer bases, giving them unprecedented access to thousands of unsuspecting customers. This led to large-scale attacks on governments and enterprises, impacting small and large businesses, local governments and hospitals. The SolarWinds, Codecov and Kaseya attacks are prime examples. Threat actors were able to gain entrance to these companies’ ecosystems through unknown vulnerabilities and backdoor supplier support chains.
SolarWinds is a major cybersecurity company that provides system management tools for network and infrastructure monitoring, offering technical services to hundreds of organizations around the world through its Orion software product. More than 30,000 public and private organizations—including local, state and federal agencies—use the Orion network management system to manage their IT resources. Threat actors were able to infiltrate at least nine U.S. agencies and about 100 companies, plus hundreds of electric utilities in North America. The hack compromised the data, networks and systems of thousands as SolarWinds inadvertently delivered malware as a “routine” update to the Orion software.
Codecov offers a software development tool that hackers broke into, which allowed threat actors to gain access to hundreds of networks belonging to the firm’s customers. Again, by gaining access to the customer base of a company that supplies digital products and services, cyber criminals were able to penetrate and find a plethora of opportunities to direct ransomware at unsuspecting customers.
Kaseya, another well-respected tech-management company, found that as many as 1,500 customers from among the private and government sectors had their operations paralyzed by a ransomware attack on its system, in which threat actors were able to carve a pathway to its entire customer base. At least three local governments were impacted.
Leonardtown, Md., was one of the first local governments to be hit with a ransomware attack as a result of the Kaseya hack. But thanks to the quick thinking of the town’s outsourced IT managed service provider, they were on it almost immediately. They were able to successfully mitigate the situation for the town and more than 100 other customers—almost at the same time.
These three instances provided an early warning of the dangers of digital supply chain hacks, in which cyber criminals were able to embed themselves into a company’s customer base and thus hitchhike along with their malware—greatly multiplying the damage and threat. Of course, managed service providers at all levels of support are painfully aware of this and are working on hardening their systems and seeking immediate remedies.
The lesson here is that we can never allow ourselves to be complacent, as threat actors consider their work a rather profitable 24-hour profession—they are always seeking new weaknesses to exploit. For cities and counties, it is completely understandable to seek out managed service providers, as they have struggled to maintain on-premises systems with the latest cyber defense systems, let alone meet the challenge of attracting and retaining qualified cyber expertise. As convenient and even necessary as it was to place such trust in a managed service provider, it must be remembered that cyber responsibility can never be signed away by contract or be delegated in any form or fashion. Cities and counties are still viewed (legally and morally) as the rightful stewards of citizen records and information. As with any cyber security risk assessment, careful attention needs to focus on a managed service provider’s security protocols, as well as its plans for restoring records and systems in case of a cyber hack, as if the governing policies were on premises.
Dr. Alan R. Shark has been the executive director of the Public Technology Institute (PTI), now part of the Computing Technology Industry Association (CompTIA) in Washington, D.C., since 2004. He is a fellow of the National Academy for Public Administration and chair of the Standing Panel on Technology Leadership. Shark also is an associate professor for the Schar School of Policy and Government, George Mason University, and is course developer/instructor at Rutgers University Center for Government Services. His thought leadership activities include keynote speaking, blogging and conducting a bi-weekly podcast called “Sharkbytes,” and he is the author or co-author of more than 12 books including the nationally recognized textbook, Technology and Public Management as well as CIO Leadership for Cities and Counties.