MOD Data Breach Shows Supply Chain Security Continues To Be A Top Priority

Uploaded on 2024-05-21 in NEWS-Cybersecurity News, GOVERNMENT-Defence, FREE TO VIEW, TECHNOLOGY--Hackers, TECHNOLOGY--Resilience

By Joyce Hakmeh

Not for the first time, a Western government agency suffered a major data breach where third-party contractors were exploited as a likely weak link.

On 6 May, news broke that the details of 270,000 service personnel working for the UK Ministry of Defence (MOD) had been accessed. It was part of a cyber-espionage operation targeting a contractor responsible for managing the MOD’s payroll system.

In a statement to parliament, the UK’s defence secretary Grant Shapps said that the data breach was suspected to be the work of a malign actor and state involvement could not be ruled out. Although the government did not officially attribute this data breach, many MPs pointed fingers at China, recalling its track record in cyber espionage - a significant and long-standing issue for many Western countries.

A similar data breach occurred in 2014 at the US Office of Personnel Management (OPM), a government agency overseeing the federal workforce, but on a significantly larger scale. The breach was detected in 2015 and the perpetrators used a third-party contractor as the initial point of entry into OPM’s network. 

It was one of the largest breaches of government data in US history, affecting 22.1 million individuals. China was identified as the perpetrator. Shortly after, during a state visit hosted by President Barack Obama for President Xi Jinping, both leaders agreed that ‘neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information’. However, this agreement mainly related to espionage aimed at giving competitive advantages to companies or commercial sectors. 

Understandably, the UK government would be careful this early in the investigation about attributing the attack to China or any other state – or indeed to a non-state actor, like a criminal group. The government needs to gather substantial evidence and reach a high level of certainty before making any definitive statements. 

Earlier this year, the UK accused China of conducting a global campaign of malicious cyberattacks and issued sanctions against Chinese companies and individuals. Among the targets between late 2021 and October 2022 was the UK electoral commission. Attribution of that attack was officially made in March 2024, more than two years after it occurred. This underscores the often lengthy process involved in making such attributions and agreeing on appropriate punitive actions.

Questions Over MOD’s Contracting Processes

Both the MOD data breach and the OPM incident involved a malicious actor gaining access to sensitive information through a third-party contractor. However, unlike the OPM breach, the contractor’s system was not linked to the MOD’s central network. Additionally, the MOD breach was notably smaller in scale. 

The MOD cyberattack prompts questions about the processes within the ministry for governing external contractor provision and ensuring compliance with security requirements.

Nonetheless, both incidents highlight the critical issue of supply chain security. Shortly after the MOD breach, a multi-step plan was enacted, detailed by the defence secretary to parliament. This plan included taking the compromised system offline, launching an investigation, notifying affected personnel, providing support to potentially impacted individuals, and suspending payment processing.

In his speech, the defence secretary highlighted that ‘potential failings’ by contractors operating the payroll system may have facilitated access for the malicious actor. Yet the MOD cyberattack prompts questions about the processes within the ministry for governing external contractor provision and ensuring compliance with security requirements.

Supply chain security, especially for sensitive institutions like the MOD, has been a concern for several years, driven by high-profile incidents like the SolarWinds hack. This attack, which occurred in 2020 and was later attributed to Russia’s Foreign Intelligence Service, was considered one of the largest and most sophisticated hacks. It affected numerous organizations worldwide, including many US and UK government agencies, NATO and the European Parliament. 

The attack was a supply chain attack where hackers exploited vulnerabilities from at least three US firms - Microsoft, SolarWinds and VMware - allowing them access to sensitive data in organizations using these softwares. Many lessons were learned, leading to a heightened focus on supply chain security, especially within government agencies.

The presence of third-party contractors and vendors in the supply chain of large and complex organizations like the MOD is almost inevitable. The complexity creates interdependencies, making it challenging to ensure security at all times. Having multiple parties in the supply chain increases the potential points of vulnerability, requiring comprehensive security measures and practices to mitigate risks effectively.

Protect Data ‘Crown Jewels’ Against Cyberthreats

When it comes to data protection, any organization should identify its ‘crown jewels’ - namely, the most critical and sensitive data assets that require the highest level of protection. This involves categorizing data based on its importance and the potential impact if compromised. 

By prioritizing the protection of these ‘crown jewels’, organizations can allocate resources and implement appropriate security measures to safeguard their most valuable assets effectively. 

The MOD data accessed through the breach while important is not the most sensitive. However, accessing this information in the first place undermines confidence in the ability of MOD to protect its information and indeed its personnel to the level that it is expected to. It also raises questions, as some MPs have suggested, regarding the security of the targeted personnel against threats such as blackmail and extortion.

Several initiatives have aimed to secure supply chains, including one from the MOD itself known as the Defence Cyber Protection Partnership (DCPP), a joint MOD and industry initiative aimed at improving the protection of the defence supply chain from cyberthreats. 

The actions taken by the MOD after the breach are in line with good practice. Regardless, the breach raises serious questions around the existing provision processes within the MOD regarding its vendors and contractors, and the measures it is taking to ensure compliance with established security requirements and to avoid failings such as those alluded to by the defence secretary. 

Not addressing these questions risks making this cyberattack one of many which might have much more dire consequences. 

Joyce Hakmeh is Deputy Director, International Security Programm at Chatham House and  Co-Editor of the Journal of Cyber Policy.

Image: Ideogram

You Might Also Read: 

The UK Nuclear Industry Needs To Take Cybersecurity More Seriously:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Cloud Threats Require New Advanced Defenses
Chatham House Cyber Conference »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

IONU Security

IONU Security

IONU offer a security platform focused specifically on providing Data-centric Security.

Bishop Fox

Bishop Fox

Bishop Fox is a leading authority in offensive security, providing solutions ranging from continuous penetration testing and attack surface management to product and application security assessments.

CrowdStrike

CrowdStrike

CrowdStrike is a global provider of security technology and services focused on identifying advanced threats and targeted attacks.

Charlton Networks

Charlton Networks

Charlton Networks provide a complete range of IT infrastructure, network and security solutions aimed at SME companies.

Research Institute in Trustworthy Industrial Control Systems (RITICS)

Research Institute in Trustworthy Industrial Control Systems (RITICS)

RITICS is one of three Research Institutes formed as part of the UK National Cyber Security Strategy.

Radiflow

Radiflow

Radiflow is a leading provider of cyber security solutions for critical infrastructure networks (i.e. SCADA), such as power utilities, oil & gas, water and others.

Communications Authority of Kenya

Communications Authority of Kenya

The Authority is responsible for facilitating the development of the information and communications sectors including; broadcasting, telecommunications, electronic commerce and cybersecurity.

KOVRR

KOVRR

Kovrr financially quantifies cyber risk on demand. Our technology enables decision makers to seamlessly drive actionable cyber risk management decisions.

National Centre for Cyber Security (NCCS) - Pakistan

National Centre for Cyber Security (NCCS) - Pakistan

National Centre for Cyber Security (NCCS) undertakes cyber security research and plays a leading role in securing Pakistan’s Cyberspace.

National Cybersecurity Preparedness Consortium (NCPC) - USA

National Cybersecurity Preparedness Consortium (NCPC) - USA

The mission of the NCPC is to provide research-based, cybersecurity-related training, exercises and technical assistance to local jurisdictions, counties, states and the private sector.

Neovera

Neovera

Neovera is a trusted provider of managed services including cyber security and enterprise cloud solutions, committed to delivering results through the innovative use of scalable enterprise-grade tech.

ClubCISO

ClubCISO

ClubCISO is a community of peers, working together to help shape the future of the information security profession by facilitating independent discussion on data security and cyber resilience.

Hub71

Hub71

Hub71 is a world-class tech ecosystem opening doors to global opportunities from an optimal business environment for entrepreneurial-minded innovators.

Artifice Security

Artifice Security

Artifice Security will demonstrate real-world attacks on your network, web applications, infrastructure, and personnel to expose your hidden security risks.

PatchAdvisor

PatchAdvisor

PatchAdvisor core services include Vulnerability Assessments/Penetration Testing, Application Vulnerability Assessments, and Incident Response.

Archer Technologies

Archer Technologies

Archer helps organizations manage risk in the digital era—uniting stakeholders, integrating technologies and transforming risk into reward.