Charting the Course Towards Trust and Transparency in the ICT Supply Chain

Attacks on the supply chains that provide Information and Communication Technologies (ICT) are increasing both in frequency and sophistication. This is concerning because security flaws can be introduced at any point in the process, from design to production, distribution, acquisition, deployment, and maintenance. Governments, businesses, and the general public may all be impacted. With a backdoor into a single system, hackers can infect thousands of machines simultaneously. The larger the attack surface, the greater the number of potential entrance locations. When one component fails, the failure of others quickly follows.

There have certainly been a number of high-profile supply chain ICT attacks in the last 12 months. Referring to one example where threat actors targeted an Asian government Certification Authority’s website, Head of Public Affairs and Government Relations for Asia Pacific & Middle East, Turkey, and Africa at Kaspersky, Genie Gan, said that the government itself was not the threat actor’s intended target. Since the Certification Authority is the weakest link in this supply chain, the bad guys chose to take advantage of the government’s faith in them.

“Supply chain attacks exploit trust relationships – be it a relationship between a reputable body and a government or between a small software supplier and an enterprise. Such attacks have major consequences for all affected parties, impacting the government, enterprises and very possibly individuals like you and me. To prevent this, the defenders need to operate on the basis that their system is compromised and look for signs of an attack rather than assume that they can be prevented using traditional products,” Gan explained.

Worrying Web Threat Numbers

In the first half of 2022, Kaspersky uncovered 20,948,843 unique web threats on the machines of Malaysian participants in the Kaspersky Security Network (KSN). The vast majority of harmful software is disseminated through browser-based attacks. Hackers typically gained access to systems by social engineering or by exploiting browser or plugin vulnerabilities.

During this time frame, Kaspersky prevented 3,285,350 brute force attacks against Remote Desktop Protocol (RDP) on Windows machines and identified 16,498 malicious installation packages on mobile devices. During the first half of the year, Kaspersky’s Anti-Phishing technologies prevented 1,791,751 phishing attempts in Malaysia.

Countries are taking measures in response to the threat of cyber attacks on the Information and Communication Technology (ICT) supply chain. Legal laws and regulatory frameworks on cybersecurity have been drawn out and are currently in effect. Nevertheless, Kaspersky executives recommend that each country works with its neighbours and private businesses to improve its cyber resilience.

Gan adds that while the cybersecurity landscape in Malaysia is distinct from the rest of SEA countries, it is still interconnected with its regional neighbours in so many ways. “This is why we encourage the government regulators to begin boosting its cyber capacity-building and cooperation efforts. These two are basically the building blocks of cybersecurity,” she said.

“Looking at Malaysia’s unique cybersecurity landscape and how it is dealing with cyber attacks, it appears that the country is now in the intermediate stage of cybersecurity readiness. Intermediate-level countries are those that have identified cyber attacks as areas they need to look into and have attempted to make some inroads. The goal is to have the country move to the Advanced stage where we hope to see it doing more in terms of development,” added Gan.

Gan was also joined by the Chief Executive of the National Cyber Security Agency, National Security Council of Malaysia (NACSA, NSC), Rahamzan Hashim, who in his opening remarks at the event, emphasised the importance of discussing trust and transparency in light of the pressing need to increase Malaysia’s cyber resilience.

“Cyber incidents are on the rise. There were 4,194 reported in 2020, 5,575 in 2021 and so far, 5,626 as of September this year. Mutual collaboration between public and private entities is key to strengthening our cybersecurity capabilities as a nation. We know this well, which is why our Malaysia Cyber Security Strategy 2020 – 2024 is founded on multi-stakeholders partnerships between the government and private sectors as well as industries here in Malaysia.” he added.

Genie Gan, Head of Public Affairs and Government Relations for APAC and META at Kaspersky (left) and Tuan Rahamzan Hashim, CEO of The National Cyber Security Agency (NACSA) Malaysia.

Strengthening the ICT Supply Chain

To improve Malaysia’s ICT supply chain, Gan suggested the following concrete measures:

1. Create guiding concepts and technical standards to guarantee a uniform degree of cybersecurity across all participating businesses.
2. Plans for national cybersecurity that can actually be implemented.
3. Streamline the rules and processes governing the ICT supply chain.
4. Increasing cyber defence capabilities through shared public-private efforts.

Kaspersky’s Transparency Centre

The Kaspersky Lab has shown that raising people’s knowledge of cybersecurity issues is an important part of any successful strategy. Kaspersky’s ground-breaking Global Transparency Initiative is built on the principle of involving the broader cybersecurity community and stakeholders, such as cybersecurity providers, in the process of validating and verifying the trustworthiness of their products, internal processes, and businesses (GTI).

Kaspersky has opened a Transparency Centre in Malaysia as part of the GTI’s Transparency Centre network, which is available to partners, stakeholders, and government regulators interested in examining Kaspersky’s cybersecurity operations.

Access to Malaysia’s Transparency Centre is now possible both in person and online. Zurich (Switzerland), Madrid (Spain), Kuala Lumpur (Malaysia), Sao Paulo (Brazil), Singapore, Tokyo (Japan), Woburn (USA), Rome (Italy), and Utrecht (The Netherlands) also have Transparency Centres. Trusted partners and government stakeholders with a stake in cybersecurity can use the Transparency Centres located in locations across the world to evaluate the company’s source code, software upgrades, and threat detection algorithms.

A key part of Kaspersky’s Global Transparency Initiative is the publication of Kaspersky Transparency reports, which detail the company’s interactions with governments, law enforcement agencies, and individual users who request access to their personal information. The most recent report incorporates data from January through June of 2022.

Cyber Threats and Digital Transformation Coexist

“Cyber threats are here to stay as it is parallel with the digitalisation drive in Malaysia. Malaysia Digital Economy Corporation (MDEC) reported that the digital economy is currently contributing 22.6% to the country’s gross domestic product (GDP), and the number is set to rise to 25.5% by 2025. A huge opportunity that will be realised best if digitalisation efforts are built upon trusted and transparent cybersecurity foundations,” said Yeo Siang Tiong, General Manager for Southeast Asia at Kaspersky.

“Organisations, industries, and governments will always be lucrative targets for cybercriminals but through collaborative multi-stakeholder efforts, we can explore strategies and expand our cybersecurity implementation as we enhance our confidence and trust in technology. When a country achieves cyber-resiliency, the digital future no longer becomes a scary unknown realm but a place with endless opportunities for growth,” he adds.