Kaspersky hosts panel at RSAC 2021: lack of global response to value-chain risks represents ‘ticking cyber time bomb’

Supply chain attacks have proved to be very successful in recent years. Amid increased digitization, including government and public services, organizations are more vulnerable to these types of threats than ever before. However, a global policy response to fix value-chain risks is still missing allowing for hazardous cyber-vulnerability. To address this issue and find possible solutions, Kaspersky held a panel discussion at the RSA Conference 2021. 

The panel, titled: “The ticking ‘cyber-bomb’ and why there’s no global policy response to fix value-chain risks?” gathered the following experts:

• Craig Jones, Director of Cybercrime, INTERPOL
• Jon Fanzun, Special Envoy for Cyber Foreign and Security Policy at the Swiss Federal Department of Foreign Affairs (FDFA)
• Serge Droz, Chair of FIRST – the Forum for Incident Response and Security Teams (FIRST)

Digital transformations make every organization a software company as they rely on a multitude of external vendors, making difficult-to-manage third-party threats more complex. Their services contain codes that may have vulnerabilities, putting interconnected users such as industries, societies, and countries at risk. Nevertheless, due to various disagreements between states, the global community has not yet developed a global policy in response to value-chain risks.

Kaspersky researchers have been tracking several threat groups that focus on highly targeted supply-chain attacks. Their findings indicate that threat actors target and exploit vulnerabilities in updates and build systems for software so users who are asked to install patches might reveal backdoors into their IT systems. One recent high-profile example includes Sunburst, which was used to compromise numerous public and private organizations around the world.

At the panel discussion, participants highlighted that increasing information sharing and improving trust between actors is vital for building a constructive dialogue to create a global policy response to value-chain risks.

“When the attack happens, people don’t dial 911 or call the police, we’re normally a second or third call after their IT security, but we should be among the first to investigate it – together with CERTs, private partners and across borders,” said Craig Jones, Director of Cybercrime at INTERPOL. To reinforce the need for a clear, collaborative and effective response process, Director Jones continued, “it’s in everyone's interest to thoroughly investigate incidents, as well as get and share as much information as possible to ensure IT security of the critical infrastructure.”

“Cybercriminals love ‘divide and conquer’ – if we’re divided, criminals flourish. That’s why this is our biggest challenge – much bigger than a technical challenge is to decide on how we all work better together,” pointed Serge Droz, Chair of Forum for Incident Response and Security Teams (FIRST).

“First of all, as the global community we need consensus – on how exactly international law applies in cyberspace, how human rights should be protected online, how norms of responsible state behavior should be implemented and what the role of other stakeholders is. Second, we also need to implement what we agreed on and to hold those who violate agreements accountable for their actions,” noted Jon A. Fanzun, Special Envoy for Cyber Foreign and Security Policy, Swiss Federal Department of Foreign Affairs (FDFA).

In this regard, the Geneva Dialogue on Responsible Behavior in Cyberspace, led by the Swiss Federal Department of Foreign Affairs (FDFA) and implemented by DiploFoundation, is an example of building greater trust and a closer community within the industry to shape a joint vision regarding the digital security and global policy processes for a trusted, secure, and stable cyberspace.

Planning ahead

Kaspersky believes that a safer world can only be built on mutual trust and collaboration. The company sees a need for a global incident response mechanism to address large-scale and significant cyber-incidents affecting UN Member states and their critical infrastructure.

“This mechanism can be based on providing recommended technical and operational national points of contact in the event of an attack. These would serve as a ‘final station’ in reaching out to a national CERT, law enforcement agency or cybersecurity professionals, where needed, to exchange technical information. It is important that incident responders remain neutral. Such a mechanism would not only ensure the means for a timely and coordinated global response and incident mitigation but would also help to enhance technical and operational capacities of the global community, thus contributing to greater cyber-stability,” says Anastasiya Kazakova, Senior Public Affairs Manager at Kaspersky.

About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.