DOI: 10.1145/3560835.3564552
Research article

Preventing or Mitigating Adversarial Supply Chain Attacks: A Legal Analysis

Published: 08 November 2022

Abstract

The world is now tightly connected not only through the internet but also through the supply chains that deliver everything from food to infrastructure and technology. These supply chains are themselves exposed to adversarial attacks, both digital and physical, which can disrupt or at worst destroy them. In this paper we examine two examples of successful attacks to put supply chain attacks into perspective, and analyse how EU and national law can prevent such attacks or otherwise penalise companies that make no effort to mitigate them. We find that current national regulation is not technology-specific enough and cannot force or otherwise mandate the parties best placed to prevent supply chain attacks to do everything in their power to mitigate them. Current EU law, however, is on the right path, and its further development may be what is needed to combat these threats, since national law may fail to regulate companies properly when it comes to cybersecurity.

Cited By

  • (2024) An innovative GPT-based open-source intelligence using historical cyber incident reports. Natural Language Processing Journal 7, 100074. DOI: 10.1016/j.nlp.2024.100074. Online publication date: Jun 2024.
  • (2023) State of the Art Different Security Challenges, Solutions on Supply Chain: A Review. 2023 International Conference on Innovative Data Communication Technologies and Application (ICIDCA), pp. 427-431. DOI: 10.1109/ICIDCA56705.2023.10099966. Online publication date: 14 Mar 2023.
  • (2023) Uncovering Software Supply Chains Vulnerability: A Review of Attack Vectors, Stakeholders, and Regulatory Frameworks. 2023 IEEE 47th Annual Computers, Software, and Applications Conference (COMPSAC), pp. 1816-1821. DOI: 10.1109/COMPSAC57700.2023.00281. Online publication date: Jun 2023.


Published In

SCORED'22: Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses
November 2022
121 pages
ISBN: 9781450398855
DOI: 10.1145/3560835

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. cybersecurity
  2. danish law
  3. eu law
  4. irish law
  5. supply chain attacks
  6. supply chains
  7. uk law

Qualifiers

  • Research-article

Funding Sources

  • PETRAS

Conference

CCS '22
