On May 10, 2022, a former Coca-Cola chemist was sentenced to 14 years in prison for selling trade secrets to a Chinese government-backed corporation [1]. This example demonstrates the way the supply chain increasingly presents multiple points of vulnerability, including ingress and egress lanes for insider threats to valuable intellectual property, data, and technology. As professional services are increasingly outsourced, insider threat compromises through the human element have become as prevalent as the much more heavily scrutinized cyber intrusion methodology.
The insider threat in this instance was originally a Coca-Cola employee who was able to access trade secrets that were held by a Coca-Cola contractor. The unlucky source of the sensitive data was Dow Chemical. The insider threat was particularly elusive because the individual had shifted employment from Coca-Cola to a Dow Chemical sub-contractor, maintaining access to sensitive information, but ostensibly remaining outside the direct purview of Coca-Cola's security and governance controls. Insider threats to the supply chain, especially those directed by malign external actors, have discovered that supplier and sub-contractor controls are typically less robust than those of the principal company, and have shifted their attacks accordingly.
In addition to this new attack vector, this insider incident also highlights the most essential, but most frequently neglected, element of the insider threat: the human element. Companies will spend millions on disparate security and technical solutions, without assessing and integrating their controls to adequately confront the point through which all attacks pass: the individual employee – be they direct or outsourced to the supply chain.
How to Counter the Evolving Threat: Integrating Controls to Account for the Risk
Many Chief Security Officers believe insider threats are covered by deploying cybersecurity, human resources, and physical security controls. However, if these controls are not assessed against the current threat environment, integrated through the lens of insider threat, and then flowed down into the elements of the supply chain, substantial gaps may remain. A targeted assessment based on a company's crucial assets, as well as its supply chain operating environment, identifies these gaps and closes them, ensuring that insider threats both at the principal company and within the supply chain are detected and mitigated.
Building a Risk Profile
In order to ensure controls are effective and properly resourced, the company must determine what constitutes critical data and critical services. Standard risk management models typically account for two factors: likelihood and significance. By assessing what elements of the business and supply chain are critical, a company is able to immediately identify the highest-impact insider threat events.
The second part of the risk assessment is identifying threats and vulnerabilities. When combined, the threats and vulnerabilities provide insight into the likelihood of an event in a specific area of the business or its products and services supply chain. As threats and vulnerabilities are identified, the company can reduce risk by eliminating high-risk suppliers, identifying additional sources of required materials and services, and closing security gaps around critical data and services.
The risk profile for third parties in the supply chain should include the following factors, all of which are also relevant to insider threat risk:
- Service type - Any type of service provided by a third party could present a vulnerability, but understanding and prioritizing the risk by service type is a useful construct to focus resources. For instance, a software-as-a-service provider that may have access to company systems may pose a greater threat to critical data and services than a provider of raw material or hard goods.
- Corporate ownership - Understanding fully the ownership and control of the third party may indicate heightened risk, particularly for companies with national security red flags such as state ownership.
- Data and system access - Addressing the data to which the third party has access – as well as the systems in which it is housed – provides an understanding of both the likelihood of an event and the event's potential impact.
- Physical access - Physical access to a company, including proximity to employees and other third-party vendors, provides malign actors with opportunities to interact with, and co-opt, your personnel, as well as the chance to identify physical security gaps.
Outsourcing services affects many business models, but the insider threat to supply chains is most acute in high-tech sectors, where dozens of suppliers, vendors, and service providers may be required to produce a single product. For instance, in April 2022, the National Counterintelligence and Security Center (NCSC) published an analysis of information and communications technology supply chains. The analysis noted, "...the design process for a single [computer] chip can involve contributions from hundreds of people, many of whom may be employed by third-party companies that simply provide functional blocks and who have little or no stake or interest in the success of the chip." [2] The NCSC went on to describe requirements in many countries which allow intelligence services unfettered access to data held by private companies. This analysis only amplifies the risks created by overextended supply chains.
Supply Chain Integrity Creates and Maintains a Business' Value
- Supply chain integrity means that a company's end-to-end operations are free from corruption, penetration, and criminal activity. The more complex the supply chain, the more points of vulnerability.
- Supply chain integrity secures the quality of products, the company's proprietary information, and ultimately its revenue.
Malign Actors Increasingly Target Supply Chains
- Sophisticated malign actors will target vulnerabilities in the supply chain, rather than focusing on attacking the target company's cyber and physical security programs.
- Insider threats represent a unique means malign actors use to identify and exploit supply chain vulnerabilities.
Staying Ahead of Evolving Risks
- Conducting a tailored assessment of a company's supply chain to identify critical assets, locate threat vectors and vulnerabilities, and integrate insider threat management with existing controls can prevent access to a company's most important data and technology.
How Ankura Can Help
Supply Chain Risk Management
Ankura assists companies in conducting supply chain compliance program mapping assessments as part of an overall SCRM program, identifying the various regulatory requirements applicable depending on the sector, service/product, and other relevant factors. Our National Security, Trade, and Technology (NSTT) practitioners can implement robust SCRM methodologies, while leveraging experience in the intelligence community and federal law enforcement to provide a unique perspective on SCRM and insider threats.
Diligence and Investigations
Our NSTT practitioners can help companies quickly conduct detailed investigations to support the identification of third-party risk, as well as conducting discrete internal inquiries related to insider risk. In the event of a non-compliance event, NSTT practitioners, experienced in conducting investigations, audits, and monitorships, can assist companies to quickly communicate to regulators the scope of any violation and to design and implement effective mitigation/remediation measures.
Steve Thomas is a Director in Ankura's National Security, Trade and Technology practice. He has over a decade of experience in the national security industry, including six years as an FBI Special Agent focused on global counter-intelligence matters, as well as service as a combat arms officer in the US Army and a management consultant to high-level Marine Corps organizations. Steve currently works with companies on the design, implementation, and operationalization of compliance programs to address foreign investment and trade controls risks.
[2] "Information and Communications Technology and the Supply Chain Risk," National Counterintelligence and Security Center, https://www.dni.gov/files/NCSC/documents/supplychain/ict-supply-chain-risk-2022-5BE169B1-.pdf
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.