Kip Boyle: Hi. I'm excited to share that we have a new free bonus just for you.

Jake Bernstein: We've started publishing our very own quarterly Cyber Risk Management Journal. It's loaded with over 30 pages of useful content taken directly from our podcast. Here's how we make each new edition.

Kip Boyle: So we start by transcribing the four or five episodes that we've published in the previous three months.

Jake Bernstein: Next, we send our editor and designer the transcripts and our supporting materials for those episodes.

Kip Boyle: Then they revise all the text. They put clickable links in for all the resources and they create the best look and feel for each episode.

Jake Bernstein: And finally, we, Kip and I, make sure the finished PDF is ready for you.

Kip Boyle: So download the current edition now. All you have to do is go to b.link/crmj. That's the letter b.link/crmj.

Jake Bernstein: And if you like it, share it with your friends and encourage them to subscribe to the Cyber Risk Management Podcast. Now on with the show.

Speaker 3: Welcome to the Cyber Risk Management Podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle and your virtual cybersecurity council is Jake Bernstein. Visit them at cyberriskopportunities.com and focallaw.com.

Jake Bernstein: So Kip, what are we going to talk about today?

Kip Boyle: Hey Jake, welcome back from vacation. Today, we are going to talk about cyber exploitation through supply chains. And we're going to do that with the help of our guest, Steven Carnovale, who is the assistant professor of supply chain management at the Rochester Institute of Technology.

Jake Bernstein: Steven, welcome to the podcast.

Steven Carnovale: Hey guys. Thanks for having me.

Kip Boyle: We're glad you're here.

Jake Bernstein: Supply chain sounds like a lot of boxes in a dusty warehouse being moved around with a forklift, but I'm guessing that's not quite right, is it? Can you go ahead and tell us what it is?

Steven Carnovale: Yeah. Well, boxes and forklifts are definitely involved. But generally what we're talking about when we talk about supply chains and the management of supply chains is it's a couple of different things. So it's everything, all of the processes involved with sourcing, manufacturing, storing, distributing, and then when products come back, the returning of those products. So you can take any product you want, a cell phone, a cup of coffee, a notebook. It doesn't matter. And if we think about everything that goes into it, when you take a cell phone, for example, it's a really good one, these new cell phones right now, if you were to tear them apart, they've got 12 or 13 different sub-components on their bill of materials. You've got the screen and you've got the processor and the battery. Well, when you pull them apart, they come from... If there's 13, there's probably 11 different countries involved.

And the volume that they're producing them in, they're able to drive the cost down exceedingly low, working with multiple suppliers from all around the world, procuring the requisite amount of materials, shipping them to the place where they need to be assembled, storing them, packaging them, and then meeting the demand on the customer side of things so that you and I can walk into any store and get the product that we need. And cell phones, like I said, anything. So that's what we mean by supply chains. It's everything involved from A to B.

Kip Boyle: And supply chains aren't just physical goods, right? There's digital goods in the supply chain, too, right?

Steven Carnovale: Oh, absolutely. I mean, and it's relevant to the topic we're talking about today. But if you think about the cloud computing infrastructure, it's kind of like a gradient or a continuum. There's a certain degree of how much of something is a pure product and how much or something is a pure service. And so if you look at a service supply chain, there, what you're talking about are the pieces of infrastructure involved in supporting the delivery of whatever that service is. So if it's something like an amusement park, there's a whole ton of process involved with getting everything ready. And in the service side of things, really what we're focused on, managing capacity. So with cloud computing, the thing that we focus the most on there, bandwidth and storage and access and all these kinds of things. Well, there's a whole supply chain that goes into, of course, assembling the data centers and things like that. But there's also all of the processes involved and the coordination of everything so that ultimately that service can be delivered successfully.

Kip Boyle: Yeah. And that includes software as a service. So I'm reminded of the 2017 Notpetya cyber episode where it was really, it kind of came down to a tax software preparation program that had a supply chain of its own. I mean, you would buy this thing, install it, and then you would tell the publisher, "Hey, I'm a user of your service. Please send me updates." And so you get these monthly updates. It's kind of like in the United States, you might get TurboTax or something like that. And you get these updates and it just so happens that somebody compromised the updates and delivered a piece of malicious code.

And so I just wanted to broaden people's perspective on what a supply chain is just by having this preamble here. And a lot of bad things happen, whether you're talking about a physical good or digital good. There's a lot of risk in these supply chains. So now what we know based on that actual exploit plus many more is that supply chains are one of the primary paths through which cyber breaches occur. Even in physical goods, supply chains. But Steven, why are supply chains such a popular target?

Steven Carnovale: So in my estimation, it's the expansiveness of supply bases in general. So what I mean by that is I used the cell phone example before. Many of these original equipment manufacturers who produce cell phones, they work with so many different suppliers. It's not unprecedented to see 200, 300, 400, 500, 600 different suppliers. I think in fact, Apple, on their website, they say that 95% or 99% of all the products that they bring in to produce come from about 200 different suppliers. So imagine that for a minute, I'm coordinating a global organization responsible for products and services to be delivered globally. And I'm working with 200 different suppliers. Now I have to manage the relationships, the contracts and everything with those 200 different suppliers. And so that's a kind of a small number. I think car companies, General Motors, for example, probably has an excess of 2,500 suppliers with whom they work. So-

Kip Boyle: Or Aerospace, right? Airplane manufacturers.

Steven Carnovale: Oh my gosh. Yeah. Absolutely. So why are the supply chains the primary mechanism? Well, if I want to get a job, I post on LinkedIn, "Hey guys, looking for a job if anybody helps me." And I have a friend of a friend who knows somebody who could maybe hire me. So that person kind of brokers the relationship between me and whatever company. Well, the same is true I think for the more insidious nature of cyber crime. If I'm looking at a situation, a firm, that potentially lucrative opportunity if I'm a criminal, why not go in through the back door? And the example that comes to mind is Target. So back when Target had their cyber breach-

Kip Boyle: And I feel bad for their name by the way, in this case.

Steven Carnovale: Right. inaudible incorporated. No, but-

Kip Boyle: ACME, right?

Steven Carnovale: Yeah, exactly.

Kip Boyle: Sign on their back.

Steven Carnovale: With the road runner coming after him. No, but when Target had their cyber breach, it was an HVAC supplier in central Pennsylvania. And as I recall this story being told to me and having read it, the supplier didn't take the necessary precautions to buttress themselves against cyber crimes. And so what happened was this supplier worked with a local store in order to fix some of the duct work in the building. They, the company, the HVAC supplier got brought into Target's ERP system for payment. And when the cyber criminals, they literally went in through the back door, they got into this company and then they went into Target and then several hundred millions of dollars were taken.
And so that's one small example, but you can take a look at any of the breaches that you guys focus on. I mean Visa or any hotel chain. It's all through... If I'm going to be devious, I'm not going to be devious to your face very likely. I'm going to try to do it behind your back. And so that's the reason I think why supply chains are just, they're just ripe for the picking so to speak.

Kip Boyle: Yeah. And I think this is an industry-wide or it's a problem across all industries. I'm thinking right now, for example, of the cybersecurity maturity model certification, which is a new program in the American defense department. And the whole reason for them to spin up this new cybersecurity program is because the cyber defenses of the military networks and of the prime contractor networks are pretty good. And so the cyber attackers have been working their way down the supply chain, the logistics chain, and they found that it's much easier to gather sensitive but unclassified information from smaller contractors and subs to subs to subs. And once you aggregate enough of the sensitive unclassified data, you can start to put together a picture of highly sensitive to top secret and beyond activities. So just another example of how these cyber attackers are leveraging supply chain to get where they want to go even though we're hardening them and hardening them. Yeah. It's a never-ending process, right Jake?

Jake Bernstein: It is exactly. And speaking of hardening, external shocks such as COVID-19 have really exposed the degree to which the supply chains are so crucial to, as we've been saying, everything in the modern world. What can we learn from these types of kind of worldwide systemic shocks about how cyber criminals can exploit supply chain vulnerabilities?

Steven Carnovale: Yeah. So this is part of, in my estimation, a broader conversation about supply chain and risk management. And so generally, I think what we talk about in that realm, we talk about three very big things. We talk about detection, mitigation, and recovery. So pulling it back to cyber, the detection piece, what we saw with COVID-19, when it hits supply chains, everybody talks about this toilet paper shortage. But really it's like a smoke and mirrors kind of thing. It's if I'm distracted with putting out a fire here and a fire there and a fire there, well, this seems like the perfect time that a company wouldn't necessarily be working or be focusing on a phishing scam. Or they wouldn't be focusing on even a more direct brute force attack on getting access to confidential, proprietary data on a server. All of these other sort of things come up during these pandemics.

And so talking about a detection or even a mitigation kind of viewpoint, and I think, Kip, you talk a lot about this. How can we protect ourselves with liability insurance? How can we do the right thing ahead of time so that when it does happen, because it's not an if, it's more of a when. How can we protect ourselves? And so where do they exploit these vulnerabilities? They wait until everyone's distracted. They go into, like we talked about, this broad supply base and basically their job is to find and exploit these opportunities. So that's what they're doing every single day. So if we're focused on other things and we're not paying attention to the best practices to ensure that these things don't happen, I think any shock to the supply chain, or even forget the supply chains for a minute, generalize it. Any external shock that would distract our attention away from things that aren't right in front of our face present an opportunity for these folks to come in and unfortunately do what they do best.

Kip Boyle: Yeah. And I think you're also putting your finger on something that is important in general, which is logistics. Which is the discipline around supply chains have done amazing things for the world that we live in. I mean, just in time delivery of parts and products and that sort of thing have created all these economies, all these savings. But when the supply chains aren't working for whatever reason, then that's when you start seeing shortages. So I just thought it was interesting to see what kinds of shortages of products were being created during the pandemic and the quarantines. And I was kind of surprised at some things and not surprised at other things. For example, webcams, just go try to buy a decent webcam. And it's really hard because of what happened.

And I remember discussing with a couple of my customers about what they should expect and when it looked like the quarantine was happening, we started brainstorming. And we came up with laptops, smartphones, everything that was going to go into high demand because of a sudden need to work from home. And the supply chains weren't ready for that. I mean, because they have such long lead times. I mean, you're 6, 12, 18 months of pre-planning in order to make those things flow well. So they're susceptible to unforeseen major changes like COVID-19, or like a cyber attack.

Steven Carnovale: Absolutely. So you touched on something, two things that are interesting that I want to bring up. The first is there is a very predictable sequence of things being in high demand. So at the beginning of the pandemic, what ended up happening, aside from the toilet paper, which was just really nonsensical, what ended up happening was rice, canned goods, peanut butter, things like that. People were preparing their pantries for potential shocks to the food system. And then after about a month of the shutdown and quarantine, the Walmart CEO I think described it as the clipper and dye phase because people were getting shaggy and they needed to trim their hair. Yeah. And so-

Kip Boyle: And darken their hair.

Steven Carnovale: Yeah, exactly. I'm just losing mine. So darkening isn't really an issue at this point.

Kip Boyle: Oh, I mowed mine under years ago.

Steven Carnovale: So then what's next? Then you see jigsaw puzzles were another thing that spiked in demand because people are just losing their minds and they're really bored and then home improvement stores. And then and then and then. So part of this has to do with human behavior. The reason why these shocks end up hitting supply chains and why we as consumers end up feeling them is that this is a system which is very precisely calibrated and it does allow for a buffer. But the buffer that we're seeing with the COVID, it's a black swan and it's this unforeseen crazy unlikely event that happened that has rippling and cascading effects. So that's the first thing.

The second thing that's really interesting, and you talked about supply chains and the improvements that they make to people's lives, this also presents kind of an interesting and really insidious cyber threat opportunity. So the internet of things, IoT, being deployed into supply chains is really crazy. And it's awesome on the one sense, because I can-

Kip Boyle: It's unlocking a lot of value.

Steven Carnovale: Oh, tremendous value. If I'm shipping fresh produce from California to New York, and I put a tracker inside, an internet connected tracker, inside my freight, and it can sense the temperature or the amount of the gas that the fruit kicks off. And it can send a signal to the cab that says, "Hey guys, we need to pull over or vent it or do something or I need to make a correction because the produce is going to go bad." And then you think about all of the other IoT stuff that's being deployed throughout the supply chain. Well, what if I'm a competitor and I have no scruples and I inaudible someone to hack into those sensors and say, "Nah, everything's fine. Don't worry about it." And then you arrive in New York and you have a whole rotted truck of produce.

Kip Boyle: Well, that's the Stuxnet of the vegetable supply chain, right?

Steven Carnovale: And then, so you take that and then you combine it with the impact that COVID had shutting down plants because workers were getting infected. And it's this confluence of events. So to kind of recap on the original question, the vulnerabilities are everywhere, but I think the best practices are still pretty clear. It's just a matter of having finite resources being able to deal with those things which are important.

Kip Boyle: Another thing that cyber criminals are going after with respect to supply chains is payments. I mean, business email compromise is a perfect example of how somebody is looking at a supply chain and saying, "Okay, this company delivered services to that company. So A did something for B. Now B has to pay A." So it's like, cool. Now I can jump in and impersonate A or impersonate B, or just get in the middle somehow and redirect the payments. And so it's interesting how so much of the cyber crime that we're seeing can be tied back to supply chain.

Steven Carnovale: Oh yeah. And the thing of it too, and what I think you echoed previously, and actually a colleague of mine has an article about this. It's in Harvard Business Review. If any of your listeners are interested, I can provide them the details. But what firms should do when they're dealing with these big supply bases, this opportunity for theft. I mean, things like putting cyber security explicitly into the contract while you're doing the procurement or requiring or mitigating, or at least governing the access that these suppliers have to your IT systems. I mean, there's some relatively straightforward stuff.

Kip Boyle: And Jake's all over this. Jake is all over this. I mean, Jake has a whole approach. Why don't you share a thumbnail sketch of your approach for this, Jake?

Jake Bernstein: So what I do is I like to have different tiers of master service agreements, depending upon the level of access that a vendor has to the client's information systems. And basically the idea is I kind of borrow the confidential, secret, top secret nomenclature from the government. And then I go backwards and basically define if this vendor were to be hacked or to release data, what is the level of harm that could result from that? And that's actually how the government defines confidential, secret and top secret. And so in a very short nutshell, that's the approach I take. And what we do is we deploy a tier three master services agreement for anyone who has certainly the keys to the kingdom, or has constant access to customer client files and systems.

And that would be your cloud service providers, your IT contractors, anyone who I would say is just business critical on the infrastructure side. And then your tier one on the opposite end would be the water company that comes and delivers the bottles of water. They don't probably have any-

Kip Boyle: Or changes the floor mats.

Jake Bernstein: Or changes the floor mats. They don't need to have any kind of real strict cybersecurity provisions in their contracts. So it's a lot of companies try to make do with one size fits all contracts. And honestly, I think you actually save time and money if you don't attempt to make one size fit all. And that's the approach I take in a nutshell.

Steven Carnovale: So do you, as part of that... So that's kind of a governance mechanism from the firm to their suppliers. Are there teeth on the back end of that, for example, where let's say the person who was responsible for coordinating that contract and the pricing and everything, if something got by that person, are they held accountable? Because that's another thing that I think is probably important too, right? It's a two-sided thing.

Jake Bernstein: It is. I mean, that's a really interesting question. And I think currently most of the accountability is going to be on the vendor side because my clients are usually not coming to me for internal management issues. These are usually external facing contracts, which is what that is. But I do think that is a really important component of a vendor risk management or a third-party supply chain risk management program, which is internal accountability. So I think that's-

Kip Boyle: That's really my territory. As a chief information security officer, I'm looking internally and I'm asking myself, does everybody understand their role? Cybersecurity is a team sport. So does everybody know their position? Does everybody know what they need to do? Sports analogies are wonderful because the team can't win if the kicker can't get the ball through the uprights. I mean, it's like everybody's got to do their part. And so if you've got somebody who's miscategorizing vendors and giving them tier one contracts with very few requirements and consequences, but they're actually performing like a tier three vendor, then I've got an errors and training problem and that can undo the best systems is internal people not doing the right things.

Jake Bernstein: Yeah, absolutely. That's a good way to just kind of show that it's such a interconnected, much like the supply chain itself, even managing your supply chain is a very interconnected process and concept that has to really be done carefully.

Kip Boyle: Yeah, yeah, absolutely. Especially in this world that we live in. I mean, 10 years ago, 20 years ago, you might've gotten away with having one MSA. And that was perfectly fine. Senior decision makers right now were kind of brought up in that world and they may not realize that the world's changed and they have to evolve their approach. They have to become more sophisticated. We actually see that a lot in a lot of different areas. But I don't want to stray too far from supply chain, Steven, because you're a guest.

Steven Carnovale: Hey, I'm just along for the ride. This is cool just to listen, that's all.

Kip Boyle: So okay. But this is such an important topic, and I think we've kind of made that case. I hope we have. And if anybody doesn't feel like we have in the audience, send us a message and tell us what we missed. But Steven, you're writing a book and it's called Cybersecurity and Supply Chain Management: Risks, Challenges, and Solutions. Why did you want to write that book?

Steven Carnovale: Well, I think Jake alluded to it where he noted how interdisciplinary and how interconnected everything that we've been discussing is. So you talk about cybersecurity and several camps could come and say, "No, we own that. We own cybersecurity." But as you said, it's a team sport. So I wanted to kind of, myself and my co-editor of the book, we kind of wanted to advocate a couple of different things. First, what on earth is the connection between the two? Because on the face of it, it does require a little thought to say, is this really a supply chain thing? And then once you start talking about it, you at least come to the conclusion that it has supply chain implications and vulnerabilities. So we wanted to communicate the fact that supply chains need to think about this, particularly because they're the ones responsible for procurement, for purchasing, be it products, be it services, whatever the case is. So we wanted to do that.

And we also kind of wanted to advocate a little bit about grounding the idea of what it is. And the book itself, which is coming out soon, the book kind of weaves together academic information, and then a little bit more formal exposition of what the topic is, why it's important, how to think about it. And then weaves in a more practical standpoint of, so what? It's great that I can sit here and pontificate, I do it for a living. But what are we going to do about it? And so the book has a lot of different things. It has some unique perspectives about cyber in manufacturing, using different QR codes for hedging risk.

It has some things about human beings, people operating within the supply chain being kind of like the first line of defense. It has some case studies about issues that have gone wrong. And for people reading it saying, gee, how can I think about buttressing my own defenses? So it's shaping up to be a pretty great book. And the net of it is I wanted to craft a contribution and kind of put my flag in the sand that says, let's start thinking about this. It's an important topic. And as you said, Kip, it's a team sport and the supply chain is a big part of that team.

Kip Boyle: Yeah. So your book could be one of the playbooks that our senior decision makers could be using in order to know what positions people should be playing and how they should be contributing. But who's the target audience? I mean, senior decision makers, practitioners? What would you say? Other people?

Steven Carnovale: I would say we kind of straddle the unique line in between having it be academically rigorous, but practically relevant. And so I think and I hope senior decision makers could certainly take this and glance at the chapters that would be relevant to them, perhaps the case studies and kind of the more executive perspectives on it. And then I think probably academics working in this area doing research to kind of ground it more theoretically, they could look at it and hopefully get ideas for work that could end up ultimately helping those senior decision-makers and future books. So I think it's definitely not going to be a page turner like a spy thriller. But it ought to be helpful for many different people operating in this area. And ultimately, really what I hope is that it kind of just makes the connection and grounds formally the connection between the supply chain and cybersecurity.

Kip Boyle: I like it.

Steven Carnovale: Thank you.

Jake Bernstein: Yeah, me too. Very, very interesting.

Kip Boyle: So actually, I kind of liked Steven's idea so much that I guess he must've sensed that because he actually asked me to write a chapter of his book. So I did that and it's turned in.

Jake Bernstein: And what was it about?

Kip Boyle: Well, so Steven invited me to write about the executive perspective on supply chain management, which was easy for me because I talk about the senior decision maker's role in cybersecurity all the time. So for me, it was just a matter of reigning myself in and confining my comments to the supply chain. But it actually wasn't that tough because, as I think we've heard in the episode today, supply chain is just, it's pervasive. And so it's really not hard to connect just about anything, cyber risk related to it. But yeah. Anyway, so that just about wraps up our episode today. Jake, did you have any final thoughts or comments or questions for Steven?

Jake Bernstein: I think you're absolutely correct, Steven, that this is a critical component. It probably isn't studied enough. So I'm really glad to hear that you're working on this and getting the information out there.

Steven Carnovale: Yeah. No, thank you. And thanks for letting me chat about it for a little bit. All the contributions are great and Kip's chapter was a very well received. And I think in particular for those senior decision makers looking to make the connection, Kip's chapter is going to be quite a good one.

Kip Boyle: Well Steven, we're really glad you were our guest today. Where can people learn more about you and your work? Do you have a website, an email address, or would you rather remain difficult to find?

Steven Carnovale: No, I don't think I'm too difficult to find. No, for an email address, if you want to contact me, it's scarnovale, that's C-A-R, N as in Nancy, O, V as in Victor, A-L-E @saunders.rit.edu. And if you Google my name, Steven Carnovale, Rochester Institute of Technology, my faculty page will pop up and things like that. So and I can provide you with all that info. So feel free to reach out and we can chat about this or anything else you deem quasi-relevant.

Jake Bernstein: Excellent. Thank you very much for joining us today, Steven.

Steven Carnovale: Great. Thank you guys for having me.

Kip Boyle: Okay. That wraps up this episode of the Cyber Risk Management Podcast. And today we discussed cyber exploitation through supply chains. And we did that with the help of our guest, Steven Carnovale. And we'll see you next time.

Jake Bernstein: See you next time.

Speaker 3: Thanks for joining us today on the Cyber Risk Management Podcast. Remember that cyber risk management is a team sport, so include your senior decision makers, legal department, HR, and IT for full effectiveness. So if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at cyberriskopportunities.com and focallaw.com. Thanks for tuning in. See you next time.