ABSTRACT
The world is currently tightly connected, not only through the internet at large but also through the supply chains that provide everything from food to infrastructure and technology. These supply chains are themselves vulnerable to adversarial attacks, both digital and physical, which can disrupt or at worst destroy them. In this paper, we examine two examples of such successful attacks to put the idea of Supply Chain Attacks into perspective, and analyse how EU and national law can prevent these attacks or otherwise punish companies that do not make every possible effort to mitigate them. We find that the current types of national regulation are not technology-specific enough, and cannot compel or otherwise mandate the parties who could play the biggest role in preventing supply chain attacks to do everything in their power to mitigate them. Current EU law, however, is on the right path, and its further development may be what is necessary to combat these large threats, as national law may fail to properly regulate companies when it comes to cybersecurity.
Index Terms
- Preventing or Mitigating Adversarial Supply Chain Attacks: A Legal Analysis