现代软件开发的性质使得很难知道代码的实际编写位置和编写者。 (The nature of modern software development makes it hard to know where code was actually written and by whom.)

DECEMBER 16, 2019 ROBERT HANNIGAN

2019年12月16日， 罗伯特·汉尼根

Robert Hannigan chairs the international division of BlueVoyant, a cybersecurity company. Until 2017 he was the director of GCHQ, the U.K. signals intelligence agency, and he established the country’s National Cyber Security Center. He is a senior fellow at Harvard’s Belfer Center for Science and International Affairs.

Robert Hannigan主持网络安全公司BlueVoyant的国际部门。 直到2017年，他一直担任英国信号情报机构GCHQ的负责人，并建立了该国的国家网络安全中心。 他是哈佛大学贝尔弗科学与国际事务中心的高级研究员。

This summer, Elizabeth Denham, the U.K.’s information commissioner, issued an important ruling that sent quiet shockwaves through European corporate boardrooms. The ruling effectively expanded the responsibility of companies in relation to their software and technology supply chains.

今年夏天，英国新闻专员伊丽莎白·丹纳姆(Elizabeth Denham)发布了一项重要裁决，该裁决在欧洲公司董事会席卷了悄悄的冲击波。 该裁决有效地扩大了公司在软件和技术供应链方面的责任。

The key development came from the fallout of the Marriott data breach, announced by the company almost exactly a year ago. The data loss itself, albeit a large one involving the personal and financial data — including names, addresses, credit card information, passport numbers and travel plans — of some 380 million customers across many countries, might once have been greeted with a shrug, embarrassing to the company’s reputation but just another in a list of similar breaches that customers are becoming wearily familiar with.

关键的发展来自该公司几乎在一年前宣布的万豪数据泄露的后果。 数据丢失本身，尽管涉及许多国家/地区约3.8亿客户的个人和财务数据(包括姓名，地址，信用卡信息，护照号码和旅行计划)，虽然损失很大，但曾经可能令您感到耸耸肩，尴尬损害了公司的声誉，但在客户逐渐感到疲倦的类似违规行为列表中，这只是另一个。

Yet the consequences of this attack are just beginning to unfold. The company faces multiple lawsuits in the U.S. and other jurisdictions. Accenture, to which Starwood, a Marriott subsidiary, and subsequently Marriott itself outsourced much of their IT operations, is also the subject of litigation.

然而，这种攻击的后果才刚刚开始显现。 该公司在美国和其他司法管辖区面临多重诉讼。 埃森哲(Accenture)也是诉讼对象，万豪子公司喜达屋(Starwood)和万豪后来将其自己的许多IT运营外包给了埃森哲(Accenture)。

“传统的投资，尽职调查和风险评估流程需要赶上网络威胁的速度和复杂程度。” (“Traditional investment, due diligence and risk assessment processes need to catch up with the speed and sophistication of cyber threats.”)

Denham announced in July that she intended to impose a fine of $123 million on the hotel group. While this is not a trivial amount for any company to face, the wider impact came in the report itself. Denham judged that the fine was appropriate because “Marriott failed to undertake sufficient due diligence when it bought Starwood.” In short, Marriott had acquired a company that had already been severely compromised by hackers, probably in 2014, and only spotted the breach two years after the integration of Starwood and the cross-infection of the wider group.

丹纳姆(Denham)在7月宣布，她打算对该酒店集团处以1.23亿美元的罚款。 尽管这对于任何一家公司来说都不是一件小事，但更广泛的影响来自于报告本身。 德纳姆认为罚款是适当的，因为“万豪在收购喜达屋时未进行充分的尽职调查。” 简而言之，万豪收购了一家公司，该公司可能已在2014年受到黑客的严重破坏，并且仅在喜达屋合并和更广泛的集团交叉感染两年后才发现该漏洞。

The regulator appears to be saying what ought to be obvious: traditional investment, due diligence and risk assessment processes need to catch up with the speed and sophistication of cyber threats. The data rooms of the future will need a much richer picture of cyber data and what it can tell us about a company’s relative cybersecurity readiness, what needs to be done to remediate the extant cyber risks and how much this will cost.

监管机构似乎在说什么应该是显而易见的：传统的投资，尽职调查和风险评估流程需要赶上网络威胁的速度和复杂程度。 未来的数据室将需要更加丰富的网络数据图，它可以告诉我们公司的相对网络安全准备情况，需要采取什么措施来补救现有的网络风险以及这将花费多少。

But due diligence in cyber is not only a concern for mergers and acquisitions. The same attempt to assess unquantified cyber risk is worrying every major company, especially in financial services, which understands this better than any sector. Even the best-protected institutions are increasingly aware that the thousands of vendors and suppliers connected to them are potential vectors for attack — weak links in their shields. As defenses are hardened, cybercrime groups are looking for poorly defended parts of the supply chain as an ideal way in. From IT providers to law firms and small investment houses to recruitment agencies, suppliers are a popular route for these attackers. Financial regulators, too, are increasingly focused on how to measure the cyber risk presented by individual banks to the wider system, both in the interests of systemic resilience and consumer protection.

但是，对网络的尽职调查不仅是并购的关注点。 评估未量化网络风险的相同尝试使每家主要公司都感到担忧，尤其是在金融服务领域，这比任何行业都更加了解。 甚至受到最受保护的机构也越来越意识到，与其联系的成千上万的供应商和供应商是潜在的攻击载体，它们之间的联系薄弱。 随着防御措施的加强，网络犯罪集团正在寻找供应链中防御不力的部分作为理想的方法。从IT提供商到律师事务所，从小型投资公司到招聘机构，供应商是这些攻击者的流行之路。 为了系统弹性和保护消费者，金融监管机构也越来越关注于如何衡量各个银行对更广泛系统的网络风险。

“随着防御措施的加强，网络犯罪集团正在寻找供应链中防御不力的部分，这是理想的解决方案。” (“As defenses are hardened, cybercrime groups are looking for poorly defended parts of the supply chain as an ideal way in.”)

At the high end of cyber threats, notably against the defense sector, risk in the supply chain has been a major national security concern in recent years. The Department of Defense inspector general sounded the alarm in July about the inadequacy of cyber due diligence in procurement decisions, highlighting the threats from hostile nation-states that may be embedded in off-the-shelf products and household-name services.

在网络威胁的高端，尤其是对国防部门的威胁，近年来，供应链风险一直是国家安全的主要关注点。 国防部总监察长在7月发出警报，警告说在采购决策中网络尽职调查不足，突显了敌对国家的威胁，这些威胁可能会嵌入现成的产品和家喻户晓的服务中。

Situated at the critical end of the cyber-threat landscape, defense illustrates the problem of complexity: even understanding the hardware and software supply chain of a new network-enabled warship or aircraft is challenging. Thousands of companies are involved, each with a different level of access to sensitive information. It also shows that traditional methods of vetting are necessary but insufficient: even if the company flies a U.S. or allied flag, the nature of modern software development makes it hard to know where code was actually written, and by whom. And nearly all commonly available IT hardware is manufactured in China.

防御位于网络威胁领域的关键端，它说明了复杂性问题：即使了解新的基于网络的军舰或飞机的硬件和软件供应链也具有挑战性。 涉及数以千计的公司，每个公司对敏感信息的访问级别不同。 它还表明，传统的审查方法是必要的，但并不足够：即使公司悬挂美国或盟国旗帜，现代软件开发的性质也使得很难知道代码的实际编写位置和编写者。 几乎所有常用的IT硬件都是在中国制造的。

Of course, worrying about third-party risk is arguably a step forward: It points to the progress made by companies in addressing their own cyber exposure. It also suggests that we are having some success in raising the bar by hardening defenses, displacing cybercrime to softer targets. But all that will be little consolation: A piece of malware delivered through a weakly defended third party can be every bit as destructive as a spear-phishing email, with which we are all familiar, sent directly to our company.

当然，担心第三方风险可以说是向前迈出的一步：它指出了公司在解决自身网络风险方面所取得的进步。 这也表明我们通过加强防御，将网络犯罪转移到较软的目标来提高标准。 但是，所有这些都无济于事：通过一个防御不力的第三方传播的恶意软件可能与直接发送给我们公司的鱼叉式网络钓鱼电子邮件一样具有破坏性。

“现代软件开发的性质使得很难知道代码的实际编写位置以及编写者。” (“The nature of modern software development makes it hard to know where code was actually written, and by whom.”)

If we are to avoid a future in which our entire global supply chain is increasingly untrustworthy, we will need a new approach to trust and verification. For governments, this will mean regulation of cybersecurity standards, some of which is already emerging. For companies, it will not be acceptable to take the word of suppliers that their security is good, and questionnaires allowing them to mark their own homework will no longer constitute due diligence.

如果我们要避免整个全球供应链越来越不可信任的未来，我们将需要一种新的信任和验证方法。 对于政府而言，这将意味着对网络安全标准进行监管，其中一些标准已经出现。 对于公司而言，不愿让供应商说他们的安全性很好，并且允许他们标记自己的作业的调查表将不再构成尽职调查。

Instead, companies will need to look at their vendors as an attacker would: from the outside, assessing their vulnerabilities, insisting on minimum security controls and practical remediation where necessary. And they will need to monitor the performance of these suppliers regularly, rather than taking a snapshot and hoping for the best.

相反，公司将需要像攻击者那样看待他们的供应商：从外部，评估其漏洞，在必要时坚持最低限度的安全控制和实际补救。 他们将需要定期监视这些供应商的绩效，而不是快照并期望最佳。

In the cyber age, a company’s responsibility, like its attack surface, no longer stops at its own corporate boundary.

在网络时代，公司的责任，就像其攻击面一样，不再停留在自己的公司边界上。

https://www.berggruen.org/the-worldpost/articles/cracks-in-the-cyber-supply-chain/

https://www.berggruen.org/the-worldpost/articles/cracks-in-the-cyber-supply-chain/