Validate supply chains or face hostile state attacks, ex-MI6 boss warns industry
Businesses need to find methods of validating their supply chains or face the risk of a hostile state threat, according to former head of MI6 Sir Alex Younger.
Younger, who spent 30 years working for the British Secret Intelligence Service (commonly known as MI6) and six years at its helm, made his comments during a virtual DocuSign panel this week, which examined cyber security, trust, data protection and privacy.
Citing last year’s SolarWinds ransomware attack – which saw the US software company fall victim to a stealth-like ransomware attack that spread through the back door to many of its private enterprise and US Government agency clients – Younger urged companies to think hard about vulnerabilities in their supply chains.
“Supply chains, and validating supply chains as a vector for cyber weakness – particularly to hostile state threats – is something that we are not thinking about enough,” he warned.
Fellow panellist Spencer Mott – chief security officer at Booking.com – added that it was time businesses unpacked the complexity of their supply chains, with an emphasis on sustainability and social responsibility.
“Picking out who you have partnerships with rather than just supply dependencies is super important,” Mott said.
Head of industry solutions for The World Economic Forum Georges De Moura added that mitigating the risk that third parties posed to the ecosystem also involved embedding security and privacy into the procurement process.
According to Mott, the complex nature of global business meant that it was not uncommon for firms to deal with third, fourth and fifth parties – at which point, he added, security became “an unsolvable problem” because of the volume of data and partners.
Post SolarWinds, many of the companies affected are now assuming that there are already breaches, rather than merely reacting to attacks after they are found, and Younger encouraged firms to adopt this position as default.
“It’s getting to the point now where you have to assume some form of hostile intrusion at some stage,” says Younger, who added that tech will play a key role in combatting these attacks.
“The future lies in AI and ML anomaly detection and the ability to identify threats in real time and to react to them. This will come down to our capacity to use modern analytical techniques but predominately intelligent ones to deal with them,” he said.
During the panel session, Younger said that the majority of these ransomware attacks came from Russia – as well as “other states that don’t share our values and are generally authoritarian in nature.”
He added: “If these attacks are not actively supported by the host security authorities they at least tend to turn a blind eye to them.”
Even by allowing these attacks to passively continue, Russia was “tweaking at the West” and ransomware attacks would only ease with the backing from hostile state governments, he added.
“Russia has formidable security capabilities – I know better than most – and they could crack down, but they don’t. They need to be incentivised to do so as President Biden has demonstrated in his talks with Putin,” he added.
Younger also believes that industry should be made aware of what he refers to as “the power play between China and the rest of the world”.
While in office the former spy was vocal in his concern about Huawei’s role in the UK’s 5G network.
“People in the commercial environment need to understand the big power competition that is going on in cyberspace that, at its most prosaic level, is going to force people to choose between a Chinese infrastructure and a rest-of-the world infrastructure,” he says.
“It is also the place where great power competitions are being conducted in cyberspace now, as we speak, below the threshold of war,” he warned.
Other threats on the horizon, according to Younger, are the ones we can’t yet fully comprehend. “Some tech trends are exacerbating this and quantum computing will be chief among them when it comes online,” he added.
The challenge for today’s intelligence officers operating in the field, according to the former spy, is being able to operate in both the physical and digital worlds.
“The lazy narrative was that our job was going to be replaced by data or AI or whatever it might be. But the reality is far more subtle and interesting – our lives are lived half in the physical and half in the virtual world,” he said.
“When you operate as an intelligence officer, you hide in plain sight, the challenge now is to learn how to do that in the digital world as we prosecute our mission to keep our citizens safe,” Younger added.
The long-serving former MI6 chief – who retired from the service last year – now advises leaders on matters of security and digital resilience.
When asked by the session’s chair, DocuSign’s head of security and trust Emily Heath, what kept Younger awake at night when he was running MI6, he replied that while terrorism and disinformation campaigns were a concern, as a leader his biggest worry was making sure the service remained successful in the digital age.
“It’s far more challenging to transform a successful organisation than an unsuccessful one.
“We are one of the best intelligence services in the world, but the reality is that the advent of digitisation and globalisation fundamentally changes the rules and you need to get the memo on that. And you need to get it before your opponents. That is a serious leadership challenge.”