Bitsight, the global leader in cyber risk intelligence, has officially published the results of its Under the Surface: Uncovering Cyber Risk in the Global Supply Chain report, put together by the company’s TRACE Security Research Team.
The report documents more than 500,000 organizations, 40,000 products, and 12,000 providers, mapping well over 61 million digital supply chain relationships in the process.
To understand the significance of these findings, consider that, even with all the national security concerns and government restrictions, Chinese military-linked companies remain deeply embedded in the U.S. digital supply chain. Many of these organizations have been designated by the U.S. Department of Defense as “Chinese Military Companies,” yet they continue to provide essential digital infrastructure, exposing U.S. businesses and critical industries to potential cybersecurity threats.
Looking at the report in more detail, its data reveals that nearly one-third of the U.S. supply chain relies on software or services from companies formally designated by the Department of Defense as “Chinese Military Companies.”
The report further finds that two-thirds of the U.S. supply chain is dependent on companies with at least suspected ties to Chinese state-linked entities. This raises significant concerns about potential espionage, data security, and systemic risk.
The report also notes that ByteDance Group (TikTok’s parent company) alone is connected to 35.4% of the U.S. market, showing how even high-profile companies facing potential bans remain widely in use.
Another notable finding is that providers face much greater cyber risk than consumers. Providers use 2.5x more products and have 10x more internet-facing assets than consumers, making their attack surface much larger.
That risk also stems from providers’ own complex supply chains: they depend on multiple sub-providers, which increases their exposure and can make resolving issues more complicated.
Notably, although providers outperformed consumers in four of six security standards, including DMARC, SPF, DKIM, and DNSSEC, they were found to lag behind in areas such as patch management, open ports, insecure systems, and botnet infections.
Bitsight’s report also found that customer count does not necessarily translate to criticality: some niche providers serve only a handful of companies, yet support massive market share in industries like energy, finance, and logistics.
Relatedly, the report found that small teams can have an outsized impact: many of the most critical software and infrastructure providers operate with fewer than 50 employees, yet their technology is embedded in Fortune 500 companies and global enterprises.
The report also found that industry concentration creates single points of failure. Aerospace, utilities, and financial services rely heavily on just a few specialized providers, so a security failure at one of these companies could have far-reaching effects within and across industries.
“Over the past year, we’ve seen several highly visible security incidents that highlight how incidents in the digital supply chain can have a massive ripple effect across the global economy,” said Ben Edwards, Principal Research Scientist at Bitsight. “Even the most security-conscious companies are vulnerable to weaknesses in their supply chain. Organizations must continuously evaluate their third-party vendors and suppliers and work proactively to close security gaps.”