Today, the UK government announced a call for views on defending against software supply-chain attacks and on strengthening the security of IT Managed Service Providers (MSPs) across the country.
The move comes a week after President Biden issued an executive order to strengthen cybersecurity defenses across the U.S.
The government's invitation to provide feedback, which will stay open for almost two months, comes at a time of prominent cyberattacks such as the Colonial Pipeline incident, the Codecov supply-chain attack, and ransomware attacks on mission-critical organizations [1, 2] that continue to grow.
UK Government seeking views on cybersecurity
Starting today, the Department for Digital, Culture, Media and Sport (DCMS) is seeking views on measures to strengthen cybersecurity across the UK from firms that either procure or provide digital services.
The initiative is part of the nationwide "cyber resilience" effort set out in the UK's National Cyber Security Strategy, which aims to protect businesses and organizations that increasingly rely on technology from cyber-attacks and to strengthen digital supply-chain security.
To that end, the government opened a survey today, May 17th, that firms that either procure or provide IT services can respond to until 23:59 on Sunday, July 11th.
In a press release, DCMS stated that only 12% of organizations review the cybersecurity risks posed by their immediate suppliers, and that only 5% address vulnerabilities in their wider supply chain.
As more businesses rely on technology or move entirely online, securing digital supply chains and the services provided by IT Managed Service Providers (MSPs) has become significantly more important for business continuity and resilience, DCMS says.
“There is a long history of outsourcing of critical services. We have seen attacks such as ‘CloudHopper’ where organisations were compromised through their managed service provider.”
“It’s essential that organisations take steps to secure their mission-critical supply chains – and remember they cannot outsource risk,” says Matt Warman MP, Minister for Digital Infrastructure.
“Firms should follow free government advice on offer. They must take steps to protect themselves against vulnerabilities and we need to ensure third-party kit and services are as secure as possible,” continued Mr. Warman.
Proposals could mean new rules for firms
Based on the input collected from firms and industry experts, the UK government will then review whether current cybersecurity policies need further strengthening, and specifically which areas need improvement.
Proposals arising from this two-month survey could mean that MSPs will be required to follow new or updated security standards.
A detailed policy paper expands on the two major tasks that the government wishes to accomplish through this initiative:
- Evaluating supply-chain risk management: the barriers to effective supplier cyber-risk management, how it can be improved, and the current risks and defenses.
- Examining the critical role of MSPs in the UK's supply chains across all sectors of the economy, including government and critical national infrastructure, and building a security framework for MSPs.
Strengthening IT vendors matters because ransomware operators have repeatedly targeted MSPs in order to mass-infect all of an MSP's clients in a single attack, as BleepingComputer has reported.
Multiple MSPs have reportedly been hacked in the last few years, leading to hundreds, if not thousands, of their clients being infected with GandCrab ransomware.
Last year's SolarWinds supply-chain attack let threat actors push a trojanized Orion update downstream to roughly 18,000 SolarWinds customers, from which they selected high-value organizations for follow-on intrusions.
The government's request for input also comes as prominent incidents such as the Colonial Pipeline attack and the Codecov supply-chain compromise remain under the spotlight, and as multi-million dollar ransomware attacks on mission-critical organizations like Ireland's Health Service Executive continue to grow.