2021 - The Year of Supply Chain (Vendor) Management

Privacy Plus+

Privacy, Technology and Perspective 

2021: The Year of Supply Chain (Vendor) Management. This week, we provide our privacy / cyber prediction for 2021. 2018 was the “Year of GDPR.” 2019 was the “Year of CCPA.” 2020 was the “Year of Compliance in the Middle of a Pandemic.” What will 2021 be?

We predict 2021 will be the “Year of Supply Chain (Vendor) Management.”

Why?  Because we believe the SolarWinds attack is far more serious than today’s news coverage reflects.  If you would like to read more about the attack, we would direct you to our previous post, available at the following link:

https://www.hoschmorris.com/privacy-plus-news/solarwinds-supply-chain-hack

At this writing, all eyes are on the U.S. Capitol, and the unthinkable outrages that occurred there this week.  Meanwhile, the full extent of the SolarWinds attack remains undetermined, but it is decidedly severe and pervasive, devastating U.S. government and commercial networks.  Thoughtful analysts believe that its scale is likely to have been far greater – and to carry with it far deadlier consequences – even than what has been publicly reported to date.  

The reason is that SolarWinds was a major vendor to network owners throughout the United States and beyond – a major link in their cybersecurity supply chains. The hackers slipped malware into a SolarWinds software update. When SolarWinds clients downloaded the update, it gave the hackers remote access to the clients’ networks.

The Cybersecurity and Infrastructure Security Agency has a wealth of information on the SolarWinds breach and its implications.  For information on this and supply-chain security generally, click on the following link:

https://www.cisa.gov/supply-chain-compromise

Not even the federal courts are immune. In fact, this week, the Administrative Office (AO) of the U.S. Courts announced that SolarWinds may have compromised highly sensitive documents, such as sealed records. The Judicial Conference further warned that such documents should not be uploaded to the federal judiciary’s Case Management / Electronic Case Files (CM/ECF) system at all, but should instead be hand-carried on thumb drives or as paper copies while an audit of apparent vulnerabilities proceeds. For information, click on the following link:

https://www.uscourts.gov/news/2021/01/06/judiciary-addresses-cybersecurity-breach-extra-safeguards-protect-sensitive-court

The lesson of SolarWinds is plain. It will not be enough to address your organization’s own systems and rest on contractual assurances from your supply chain’s vendors. It may not even be enough to require your vendors to fill out elaborate due-diligence questionnaires. After SolarWinds, we expect to see increasing attention to active, participatory measures between customers and their vendors, to validate and continually monitor security up and down the supply chain.

…making 2021 the Year of Supply Chain (Vendor) Management.

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.
