According to the European Union Agency for Cyber Security (ENISA): “In cybersecurity, the supply chain involves a wide range of resources (hardware and software), storage (cloud or local), distribution mechanisms (web applications, online stores), and management software. A supply chain attack is a combination of at least two attacks. The first attack is on a supplier that is then used to attack the target to gain access to its assets. The target can be the final customer or another supplier. Therefore, for an attack to be classified as a supply chain one, both the supplier and the customer have to be targets.”
The importance of supply chain security
In recent years, the world has seen an increased number of supply chain attacks on public and private structures in different countries. In some cases, attacks were perpetrated by state-backed APT groups, and these attacks had both regional and global implications.
An example of one of the most notorious supply chain attacks of all time is the SolarWinds Orion case. The attack was attributed to a group of APT 29 members of the Russian Foreign Intelligence Service (SVR).
Putting it in A Georgian Context
Around 20 percent of Georgia is occupied by Russia. Hence, cyber supply chain risks should be analyzed and managed in this context.
Russia has experience in attacking and compromising Georgian critical information infrastructure:
- 2008 – coordinated cyber-attacks accompanying the Russian military campaign in Georgia;
- 2011 – Georbot cyber espionage campaign against government entities;
- 2015 – campaign against Ministry of Internal Affairs of Georgia;
- 2019 – Defacement of Georgian websites and attack on TV channels.
The new National Cyber Security Strategy of Georgia for 2021-2024 addresses the following threats when assessing national threats: “Targeted attacks involving state actors, a critical information infrastructure has become a particularly important target, against which the source of threat is not only ‘external actors,’ but also relevant actors ‘inside the system’ (so-called) ‘Insider threat’). At the same time, a significant challenge is the vulnerability of the supply chain and the risks associated with relevant information technologies and systems, as well as other products and services.” At present, there is no regulation in Georgia that a) identifies the risks associated with the cybersecurity supply chain, and b) establishes controls to mitigate risks associated with the supply chain attacks.
Software Supply Chain
There are no legal restrictions related to the software supply chain for Georgia. The topic is complex and requires extensive resources to identify threats, provide evidence and respective actions. However, given the immaturity of the process in Georgia, one could discuss several perceived threat examples:
End-point security – Kaspersky solutions are widely used by the citizens, the private sector and sometimes by government entities as well. Kaspersky products are prohibited by the US (52.204-23 Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities). In March, 2022, US Federal Communications Commission also updated the list of prohibited equipment and services, which represent “unacceptable risk to the national security of the United States or the security and safety of United States persons” and Germany’s Federal Office for Information Security (BSI) warned to replace Kaspersky products.
Metering system for energy sector - Georgian State Electric System (GSE) is the only electricity transmission system operator. GSE uses the metering system of Russian origin, AlphaCenter. Additionally, almost all the energy companies use the same system, which allows them to exchange information easily. The software is not prohibited in US or EU countries. However, the whole energy sector of Georgia faces the same supply chain attack risk.
Enterprise resource planning (ERP) solution - 1C is a Russian company whose product 1C ERP is widely used in Georgia. Numerous examples of the use of 1C can be found in public entities.
The above examples are not exhaustive and do not describe the full list of threats.
Hardware Supply Chain
Hardware can also be used in supply chain attacks. For example, in the US, Chinese manufacturers Huawei, Dahua and Hikvision are prohibited from being used/purchased in government entities. However, those surveillance systems are widely used in public and private structures of Georgia due to their low cost and simplicity. The systems are used in critical information infrastructure, as well as by the national law enforcement agencies and emergency services, including major highway monitoring systems. Georgia has no effective controls or mechanisms to evaluate risks related to the above-mentioned suppliers and to implement related controls.
Service Supply Chain
Like software and hardware, it is important to manage the service supply chain threats. As of 2022, there are regulations for conducting information security compliance audits and penetration testing in critical information infrastructure. However, these regulations may not be sufficient to manage service supply chain risks. For example, the regulation is bypassed by the following services (non-exhaustive list):
- IT audit and IT assessment;
- Consultancy and implementation services;
- IT infrastructure projects.
In addition, risk cases related to local offices of international companies should also be considered. For example, over the years, three of the big four consulting firms belonged to the CIS region, and therefore the Moscow office was supervising the Tbilisi office:
In early March 2022, in addition to international sanctions against the Russian Federation, three representatives of the Big Four closed their offices in Russia (except EY, which will stay but will not serve government and sanctioned companies). The need also arose for Georgian offices to be relocated to another region.
Migration of IT workforce
Based on recent media reports, many Russian IT specialists are migrating to Georgia to avoid sanctions and continue their work on European and international projects. Georgia has quite good tax legislation to attract software developers and software development companies (income tax as low as 5 percent). Additionally, one can register a commercial company in a matter of a day due to simplified procedures. There is no official data to describe the exact number of newly created IT companies or staff migrated, but for a small market like Georgia, it may be significant.
One may estimate the potential outcome of the above-mentioned migration. On the one hand, it may boost digital transformation of the public and private companies, as Georgia has a severe shortage of qualified IT staff. The local companies, including national critical information infrastructure, may be tempted to fulfill their shortage with the available qualified migrants, while there are very few effective control mechanisms to compensate for the risks.
On the other hand, the price for the accelerated digital transformation may be compromised critical information infrastructure. Considering the context of regional relations with Russia, Georgia faces enhanced threats related to supply chain attacks and insider threats. By classical definition, the newly created companies do not fit in the definition of a supply chain attack, but Russian intelligence agencies tend to require direct or indirect access to customer data from the Russian companies, which creates both supply chain threats and insider threats. Additionally, the Georgian public sector will have little to no legal leverage to filter out locally registered IT companies from their tenders.
Risks dramatically on the rise
The number of supply chain cyberattacks is increasing every year, the methods of attack are changing and, as experience shows, often well-organized hacker groups (APTs) are backed by the state intelligence services. Consequently, the impact of supply chain attacks on the nation’s critical information infrastructure is increasing.
Given the national context in Georgia, the risks associated with the supply chain are dramatically increased. There are no effective controls at the state level that would reduce supply chain risks, and the awareness of government agencies, citizens, and small and medium-sized businesses about supply chain attacks is low. As a result, malicious products are actively used at the national level, and the country becomes significantly dependent on suppliers of these products. Given the extraordinary situation, the migration of qualified Russian IT staff to Georgia creates opportunity for accelerated digital transformation, while also potentially compromising national critical infrastructure in the long run.
In the short term, the most effective response to the above-mentioned challenges may come from the local professional community and from private sector itself through an effective awareness-raising campaign about supply chain risks and how a unified Georgian private IT sector can mitigate risks. More precisely, a memorandum of supply chain security can be signed by the IT companies, declaring to avoid:
- Import/distribution of banned software and hardware,
- Recruitment of migrated IT staff and
- Total isolation of all services from Russian companies.