On May 10, 2022, a former Coca-Cola chemist was sentenced to 14 years in prison for selling trade secrets to a Chinese government-backed corporation.[1] This example demonstrates the way the supply chain increasingly presents multiple points of vulnerability, including ingress and egress lanes for insider threats to valuable intellectual property, data, and technology. As professional services are increasingly outsourced, insider threat compromises through the human element have become as prevalent as the much more heavily scrutinized cyber intrusion methodology.
The insider threat in this instance was originally a Coca-Cola employee who was able to access trade secrets that were held by a Coca-Cola contractor. The unlucky source of the sensitive data was Dow Chemical. The insider threat was particularly elusive because the individual had shifted employment from Coca-Cola to a Dow Chemical sub-contractor, maintaining access to sensitive information but ostensibly remaining outside the direct purview of Coca-Cola's security and governance controls. Insiders targeting the supply chain, especially those directed by malign external actors, have discovered that supplier and sub-contractor controls are typically less robust than those of the principal company, and have shifted their attacks accordingly.
In addition to this new attack vector, this insider incident also highlights the most essential, but most frequently neglected, element of the insider threat: the human element. Companies will spend millions on disparate security and technical solutions, without assessing and integrating their controls to adequately confront the point through which all attacks pass: the individual employee – be they direct or outsourced to the supply chain.
Many Chief Security Officers believe insider threats are covered by deploying cybersecurity, human resources, and physical security controls. However, if these controls are not assessed against the current threat environment, integrated through the lens of insider threat, and then flowed down into the elements of the supply chain, substantial gaps may remain. A targeted assessment based on a company's crucial assets, as well as its supply chain operating environment, identifies these gaps and closes them to ensure insider threats, both at the principal company and within the supply chain, are detected and mitigated.
In order to ensure controls are effective and properly resourced, the company must determine what constitutes critical data and critical services. Standard risk management models typically account for two factors: likelihood and significance. By assessing what elements of the business and supply chain are critical, a company is able to immediately identify the highest-impact insider threat events.
The second part of the risk assessment is identifying threats and vulnerabilities. When combined, the threats and vulnerabilities provide insight into the likelihood of an event in a specific area of the business or its products and services supply chain. As threats and vulnerabilities are identified, the company can reduce risk by eliminating high-risk suppliers, identifying additional sources of required materials and services, and closing security gaps around critical data and services.
The risk profile for third parties in the supply chain should include the following factors, all of which are also relevant to insider threat risk:
Outsourcing services affects many business models, but the threat to supply chains from insider threats is most acute in high-tech sectors, where dozens of suppliers, vendors, and service providers may be required to produce a single product. For instance, in April 2022, the National Counterintelligence and Security Center (NCSC) published an analysis of information and communications technology supply chains. The article noted, “…the design process for a single [computer] chip can involve contributions from hundreds of people, many of whom may be employed by third-party companies that simply provide functional blocks and who have little or no stake or interest in the success of the chip.”[2] The NCSC went on to describe requirements in many countries which allow intelligence services unfettered access to data held by private companies. This article only amplifies the risks created by overextended supply chains.
Ankura assists companies in conducting supply chain compliance program mapping assessments as part of an overall SCRM program, identifying the various regulatory requirements applicable depending on the sector, service/product, and other relevant factors. Our National Security, Trade, and Technology (NSTT) practitioners can implement robust SCRM methodologies, while leveraging experience in the intelligence community and federal law enforcement to provide a unique perspective on SCRM and insider threats.
Our NSTT practitioners can help companies quickly conduct detailed investigations to support the identification of third-party risk, as well as conduct discreet internal inquiries related to insider risk. In the event of a non-compliance event, NSTT practitioners, experienced in conducting investigations, audits, and monitorships, can assist companies to quickly communicate to regulators the scope of any violation and to design and implement effective mitigation/remediation measures.
Steve Thomas is a Director in Ankura's National Security, Trade and Technology practice. He has over a decade of experience in the national security industry, including six years as an FBI Special Agent focused on global counter-intelligence matters, as well as service as a combat arms officer in the US Army and a management consultant to high-level Marine Corps organizations. Steve currently works with companies on the design, implementation, and operationalization of compliance programs to address foreign investment and trade controls risks.
Footnotes
1. https://www.upi.com/Top_News/US/2022/05/10/chemical-engineer-sentenced-China-trade-secrets/8261652158133/
2. “Information and Communications Technology and the Supply Chain Risk,” National Counterintelligence and Security Center, https://www.dni.gov/files/NCSC/documents/supplychain/ict-supply-chain-risk-2022-5BE169B1-.pdf
© Mondaq® Ltd 1994 – 2022. All Rights Reserved.