DOI: 10.1145/3560835.3564552
ACM Conferences / CCS Conference Proceedings
research-article

Preventing or Mitigating Adversarial Supply Chain Attacks: A Legal Analysis

Published: 8 November 2022

ABSTRACT

The world is strongly connected, both through the internet at large and through the supply chains which provide everything from food to infrastructure and technology. Those supply chains are themselves vulnerable to adversarial attacks, in both a digital and a physical sense, which can disrupt or at worst destroy them. In this paper we examine two examples of such successful attacks to put the idea of supply chain attacks into perspective, and analyse how EU and national law can prevent these attacks or otherwise punish companies which do not try to mitigate them at all possible costs. We find that the current types of national regulation are not technology-specific enough, and cannot force or otherwise mandate the parties who could play the biggest role in preventing supply chain attacks to do everything in their power to mitigate them. Current EU law, however, is on the right path, and its further development may be what is necessary to combat these large threats, as national law may fail to properly regulate companies when it comes to cybersecurity.


Published in:
SCORED'22: Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses
November 2022, 121 pages
ISBN: 9781450398855
DOI: 10.1145/3560835
Copyright © 2022 ACM


Publisher: Association for Computing Machinery, New York, NY, United States
