Dark Supply Chains

The concept of a supply chain as it is now understood borrows heavily from military strategy, where those armies that could assure the supply of critical materiel when it was needed won wars and spared lives. As more and more organizations struggle to balance their unprecedented reliance on dispersed suppliers and customers - set against an increasingly volatile and interconnected risk landscape - business leaders must again turn to other sectors for answers. In order to understand how managing supply chain risk must evolve to keep pace with rapid change, it is useful to borrow some thinking from modern finance.

In the capital markets, dark pools or shadow banking are places outside of regulatory purview and therefore beyond the risk management reach of market participants. The groups that benefit from being on the margins of modern finance, such as hedge funds, are the ones who manage obscurity in their favor. For this reason, participants in financial dark pools or shadow banks often enjoy economic returns above those of other market participants. Their trading rules, investment horizons and goals are often different from those of players competing in the light. While in finance the word 'dark' need not convey nefarious, there are other areas of the unregulated global financial system, such as terrorism finance, money laundering and cryptocurrencies such as Bitcoin, that are largely used by people with illicit commerce in mind who thrive under the cover of darkness.

The supply chain equivalent of a 'dark pool' is the entire sub-surface area of an organization's supply chain, which people rarely think about. Every single touch point, node, supplier and customer entry point is also a point of vulnerability in a global supply chain. These points of vulnerability are growing exponentially with the proliferation of connected devices, sensors and the internet of things (IoT). Organizations must audit what this sub-surface looks like, as much as they must assure that the 'above surface' supply chain continues to function efficiently, with redundancies and the many necessary points of entry that drive value creation and basic service delivery. The inverse of this is the dark supply chain, and the people who exploit it know as much or more about a business or sector than its legitimate participants. Since the rise of the multinational, billions have been spent on protecting supply chains, building inventories, redundant relationships and geographic diversification. Moreover, in a global market, basic product and service fulfillment requires a sprawling web reaching all corners of the planet. Business concepts such as just-in-time production have given way to vast digital empires, like Amazon, Google and Alibaba, and more recently, Uber and Airbnb, which have grown from strength to strength with outsized valuations as if their amorphous supply chains suffered no risks.

In the era of man-made risk, however, even the Tech Titans are not invulnerable to dark supply chains, particularly as many of them rely on the performance of assets they do not directly control. For example, the risk that Uber must recognize freelancers as employees or that Airbnb must comply with onerous property 'ownership' standards are particularly acute points of vulnerability. Both firms, moreover, are in effect largely free of any tangible assets, which is both their strength and their Achilles heel - especially in a global economy being defined by perpetual cyber risk and rapidly shifting public and regulatory sentiments.

A more classical example of an exposure arising from a dark supply chain is the recent SWIFT exploit, which emanated from the dated interbank transfer system. The exploit, allegedly carried out by hackers in Southeast Asia, operated under the appearance of legitimacy, with transfer requests nearing a staggering $1 billion. In the end, the exploit was stopped thanks to a clerk at a correspondent bank in Germany who noted a misspelling of the word foundation in the transfer requests. The more insidious dark supply chain risks are the ones that silently lurk in the background, gradually amassing competitive information, classified data, personal details and material that can be exploited for gain or coercion. The exploit on the Democratic National Committee (DNC) and the timing of the public revelations were meant to cause maximum harm to the Democratic Convention and its candidate, Hillary Clinton. This type of exploit is very different from the often crude traditional cyber breaches in that the perpetrators clearly demonstrated their intimate knowledge of the inner workings of the DNC and its points of vulnerability. If in fact this attack was carried out by Russia, as the White House is contending and candidate Trump is inviting, then it would mark the most prominent public example of the merger of political risk with cyber warfare.

Overtly, these risks also coincide with a rise in businesses being held for ransom unless they change a particular course of action or comply with monetary demands. A number of hospital groups, for example, have suffered these dark supply chain exploits, wherein medical records are rendered temporarily unusable until demands are met. While the way into an organization's supply chain might look and feel like garden-variety cyber risk, dark supply chain exploits demonstrate intimate knowledge of an organization's points of vulnerability along its value creation model. Whereas classical cyber risk relies at some level on luck and user imprudence (e.g. simple passwords, porous firewalls, careless use of external devices and liberal trust of scam emails) to gain access to a system, dark supply chain exploits are highly targeted. It is the difference between trawling with a fishing net and spearfishing for a specific type of fish at a specific time.

The most famous of these dark supply chain attacks was on Sony Entertainment over The Interview film. This attack effectively crippled the firm's entire supply chain during the valuable holiday season, trickling downstream to current and former employees, movie theaters and spectators, who feared reprisals and for their personal safety. Another infamous dark supply chain exploit was carried out against Ashley Madison, whose business model, no matter how questionable, relied almost exclusively on anonymity. Proving that sunlight is a great disinfectant, the Ashley Madison attack revealed, perhaps unsurprisingly, that everyone in the system was cheating - including the widespread use of bots to entice salacious customers.

This marks the point of distinction between classical cyber risk, which at some level randomizes coercion and points of vulnerability, often erring on the bemusement of hacker collectives, and dark supply chains. The latter, deliberately and with intimate knowledge, exploit known points of vulnerability that can cripple an organization. It is the difference between crude attacks driven at some level by luck and surgically precise attacks driven by intimate knowledge of how an organization works and the exploitation of that knowledge. Dark supply chains do not exist solely in the virtual world, where they are conflated with cyber risk; they also affect physical security, tangible assets and general operations. In fact, Edward Snowden's now famous exploit of the NSA is as much about supply chain risk as it is about cyber vulnerability. After all, he was a vetted sub-contractor with all the security clearances. Better hiring practices would have done more to prevent the Snowden leak than airtight information security. A saboteur or a spy is most effective when operating under the guise of legitimacy. For organizations to get ahead of this growing threat, which is increasingly carried out by countries, as much time and resources need to be devoted to shining a light on the dark sub-surface of global supply chains as have been spent making them more efficient and dispersed. The first step, however, is acknowledging that this menace exists and changing how we think about interconnections.