Cybersecurity discussions often focus on data, digital infrastructure, and physical systems rather than people. But the human element is key when modeling cyber threats to supply chains. After all, supply chains depend on humans who are responsible for planning, gathering supplies, manufacturing, delivery, enabling sales, and all the communications and logistics in between. If humans stop working in any part of a supply chain, the supply chain stops. Now, some threats target humans as a means of getting to the supply chain system. But in other supply chain attacks, influencing humans is the end goal. Cyber leadership needs to prepare for both kinds of threats.
For starters, organizations should rethink how they categorize social engineering attacks so that the categories account for influence operations. Today the categories usually describe the means attackers use to trick victims, such as phishing, vishing, technical support scams, and watering hole attacks. But labeling a threat a phishing attack says nothing about the adversary's objective, and not every such attack is about gaining access, information, or money. Organizations need to consider the ends attackers are pursuing. In short, it is important to distinguish between "human-to-information" (H2I) attacks, which go through a human to obtain access, data, or funds that the attacker can then act on, and "information-to-human" (I2H) attacks, which feed misinformation or disinformation to humans in order to change their behavior.
Both H2I and I2H attacks involve social engineering, but cybersecurity professionals tend to focus on H2I. The most common H2I attacks on supply chains are email spoofing and vendor or business email compromise (VEC or BEC), usually aimed at supply chain managers and accounts-payable staff in order to obtain contact and financial details for partner companies or to redirect payments. The SolarWinds compromise attributed to Nobelium (also tracked as APT29 or Cozy Bear) is often cited here; the compromise itself was a software supply chain attack delivered through trojanized Orion updates, but Microsoft Threat Intelligence Center's analyses of the same actor document the spear-phishing campaigns it ran against government and NGO targets, which is the H2I pattern in its classic form.
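The VEC/BEC pattern named above has a handful of recurring technical indicators that an accounts-payable mail gateway can screen for: a sender domain that imitates a known vendor's domain, a Reply-To that diverts the conversation elsewhere, a known vendor contact's display name on an address outside that vendor's domain, a missing DMARC pass, and payment-change language in the body. The following is an added example, not code from the original article; the vendor allow-list, the indicator phrases, and the two sample messages are constructed for illustration.

```python
"""Screen an inbound vendor e-mail for common VEC/BEC indicators.

Added example, not code from the original article. KNOWN_VENDORS and the
two sample messages below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allow-list: registrable domain of each known vendor and the
# display names of the contacts who normally write from it.
KNOWN_VENDORS = {
    "acme-parts.com": {"Dana Reyes"},
    "northwind-logistics.com": {"Sam Okafor"},
}

# Phrases that typically accompany a fraudulent payment-detail change.
PAYMENT_CHANGE_PHRASES = ("updated bank details", "new bank account",
                          "change of account", "wire to the following")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str, known, max_distance: int = 2):
    """Return the known vendor domain that `domain` imitates, or None."""
    if domain in known:
        return None
    for k in known:
        # acme-parts.co, acme-parts.cm, acrne-parts.com ...
        if edit_distance(domain, k) <= max_distance:
            return k
        # known name buried in a longer domain: acme-parts.com-billing.net
        if k in domain:
            return k
    return None


def analyze_message(raw: str) -> dict:
    """Return {indicator: detail} for every VEC/BEC indicator found in `raw`."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    findings = {}

    imitated = lookalike_domain(from_domain, KNOWN_VENDORS)
    if imitated:
        findings["lookalike-domain"] = f"{from_domain} imitates {imitated}"

    if reply_addr and reply_domain != from_domain:
        findings["reply-to-mismatch"] = f"replies go to {reply_domain}, not {from_domain}"

    for vendor_domain, names in KNOWN_VENDORS.items():
        if from_name in names and from_domain != vendor_domain:
            findings["display-name-impersonation"] = (
                f"'{from_name}' is a {vendor_domain} contact but wrote from {from_domain}")

    # The receiving MTA's own verdict; anything short of dmarc=pass is suspect.
    auth = (msg.get("Authentication-Results", "") or "").lower()
    if "dmarc=pass" not in auth:
        findings["dmarc-not-pass"] = auth or "no Authentication-Results header"

    payload = msg.get_payload()
    body = payload.lower() if isinstance(payload, str) else ""
    hits = [p for p in PAYMENT_CHANGE_PHRASES if p in body]
    if hits:
        findings["payment-change-request"] = ", ".join(hits)
    return findings


# Constructed sample messages (not real traffic).
LEGITIMATE = "\n".join([
    "From: Dana Reyes <dana.reyes@acme-parts.com>",
    "To: ap@example-manufacturer.com",
    "Subject: Invoice 4471 for PO 9920",
    "Authentication-Results: mx.example-manufacturer.com; spf=pass; dkim=pass; dmarc=pass",
    "",
    "Hi, the invoice for PO 9920 is attached. Thanks, Dana",
])

SUSPICIOUS = "\n".join([
    "From: Dana Reyes <dana.reyes@acme-parts.co>",
    "Reply-To: dana.reyes@acme-parts-billing.net",
    "To: ap@example-manufacturer.com",
    "Subject: URGENT: Invoice 4471 - updated bank details",
    "Authentication-Results: mx.example-manufacturer.com; spf=pass; dkim=none; dmarc=none",
    "",
    "Please note our updated bank details for PO 9920 and wire to the following account.",
])

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGITIMATE), ("suspicious", SUSPICIOUS)):
        print(label, analyze_message(raw))
```

Run against the two samples, the legitimate invoice produces no findings and the lookalike one trips all five indicators. None of these checks is decisive on its own (a vendor really can change banks, and a legitimate sender can have broken DMARC), which is why the function returns the full set of indicators rather than a verdict: the operational control that actually defeats VEC is an out-of-band callback to a known vendor number before any payment detail changes.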
Professionals in information operations, information warfare, psychological operations, and strategic communications, on the other hand, tend to focus on I2H social engineering attacks. Attacks of this type against critical supply chain workers deliver misinformation and disinformation through media such as social networks and instant messaging apps. For example, disinformation about COVID-19 vaccines, pushed by both foreign and domestic perpetrators, contributed to U.S. military discharges, trucker convoys blockading supply chain routes, port-worker slowdowns, and increased tensions between workers with differing views on vaccination.
In addition, keep in mind that social engineering attacks, both H2I and I2H, corrode trust. Because these attacks are often far more sophisticated than the public realizes, the individual who was deceived tends to be blamed in a way that a company compromised through a zero-day vulnerability would not be. Trust is the glue of all relationships in business, society, and democracy, and U.S. adversaries know it. As geopolitical tensions continue to rise, organizations should expect advanced threat actors to increasingly target trust through cyber, soft power, and other non-kinetic means.