Cyber Supply Chain Attacks
- September 2022
- Esther Kern, Alexander Szanto
- Number 10 Policy Paper
A chain is only as strong as its weakest link. This phrase is often heard when talking about the level of security of supply chains. However, many companies do not have an overview of the large number of interfaces with suppliers. As a result, complex supply chains are vulnerable to digital threats. Cybercriminals, state actors, and state-sponsored hackers have long sought to infiltrate trusted third parties in supply chains and use them as gateways to their original targets or as “spreaders,” for replicating ransomware, for example.
In this BIGS Policy Paper, Esther Kern and Alexander Szanto examine attacks on supply chains in more detail and attempt to provide a systemic insight into this area. First, the initial situation is briefly explained and a conceptual distinction is drawn between targeted attacks and distributed attacks (Chapter 2). Then, two case studies are presented for each form of cyber incident (Chapter 3). This is followed by the econometric analysis, which first introduces the methodological approach of event studies and the underlying data sources before explaining the results and the resulting findings (Chapter 4). Finally, the results of the analysis are incorporated into recommendations for action (Chapter 5).
This study thus aimed to use econometric analysis to quantify the damage that cyber incidents cause to companies and to illustrate that damage vividly in the case studies of targeted and distributed attacks. Although the results on the damage to publicly traded companies may seem ambiguous at first glance, the damage can be immense, as some annual reports make clear. The policy paper is intended to create greater awareness of the risks posed by the degree of interconnectedness within a supply chain and to support companies’ risk analysis with concrete figures and options for action.