Bitsight report highlights cyber risks in U.S. supply chain

Study Uncovers Risks from Foreign-Linked Providers and Critical Yet Overlooked Technology Vendors

Bitsight has released a report entitled Under the Surface: Uncovering Cyber Risk in the Global Supply Chain from its TRACE Security Research Team. The report analyzes data from 500,000 organizations and 40,000 products and maps over 61 million digital supply chain relationships, a map that highlights how interconnected businesses are and how far the consequences of a single cyber incident can spread.

Despite ongoing national security concerns, Chinese military-linked companies have entrenched positions within the U.S. digital supply chain. Many of these organizations have been flagged by the U.S. Department of Defense, yet continue to supply vital digital services that pose cybersecurity threats.

Key findings include:

  • One-third of the U.S. supply chain relies on services from entities recognized as “Chinese Military Companies” by the Department of Defense.
  • Two-thirds depend on firms with ties to Chinese state-linked entities, heightening fears of espionage and systemic risk.
  • ByteDance, the parent company of TikTok, accounts for 35.4% of the U.S. market, illustrating that even companies under scrutiny remain widely used.

This dependency underscores the difficulties in securing the supply chain from foreign government influence, necessitating thorough evaluations of vendor relationships and risk mitigation efforts.

The report also discusses smaller, specialized software providers termed “Hidden Pillars,” which may pose unseen risks despite serving fewer clients. Key insights include:

  • Some niche providers support broad market segments with limited customer bases, impacting major industries.
  • Providers with small teams wield significant influence, often embedded in large corporate operations.
  • High industry concentration can create single points of failure, where security issues at one provider affect multiple sectors.

Providers face unique cybersecurity challenges due to their larger attack surfaces and the complexity of their supply chains. Notable points include:

  • They utilize more products and possess numerous internet-facing assets, increasing exposure to threats.
  • Providers often manage multiple sub-providers, complicating their vulnerability landscape.
  • While they meet several security standards, they exhibit deficiencies in patch management and system security.
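The "Hidden Pillars" and sub-provider findings above are, at bottom, questions about a dependency graph: which providers have few direct customers but a large transitive reach, and what fraction of a sector ends up depending on one provider once sub-provider links are followed. The following Python is an added example, not Bitsight's code or data; the organization names, sectors and relationships are constructed for illustration, and the thresholds in hidden_pillars are arbitrary assumptions. It shows how a small vendor (AuthLib) that only two parties buy from directly becomes a single point of failure for four sectors because a large cloud provider sits between it and everyone else.

```python
from collections import defaultdict, deque

# Constructed sample data (hypothetical; not from the Bitsight report).
# Each tuple is (consumer, provider). A consumer can itself be a provider,
# which is how sub-provider relationships enter the graph.
RELATIONSHIPS = [
    ("Bank A", "CloudCo"),
    ("Hospital C", "CloudCo"),
    ("Utility D", "CloudCo"),
    ("Retailer E", "CloudCo"),
    ("CloudCo", "AuthLib"),      # CloudCo's own sub-provider
    ("Bank B", "AuthLib"),
    ("Retailer E", "BillingSaaS"),
]

# Constructed sector labels for every organization in the graph.
SECTOR = {
    "Bank A": "finance",
    "Bank B": "finance",
    "Hospital C": "healthcare",
    "Utility D": "energy",
    "Retailer E": "retail",
    "CloudCo": "technology",
    "AuthLib": "technology",
    "BillingSaaS": "technology",
}


def build_graph(relationships):
    """Map each provider to the set of organizations that use it directly."""
    dependents = defaultdict(set)
    for consumer, provider in relationships:
        dependents[provider].add(consumer)
    return dependents


def blast_radius(dependents, provider):
    """Every organization transitively affected if `provider` is compromised.

    Breadth-first walk over the reversed dependency edges; the `seen` set
    makes it safe on graphs with cycles (mutual sub-provider relationships).
    """
    seen = set()
    queue = deque([provider])
    while queue:
        current = queue.popleft()
        # .get() rather than indexing so the defaultdict is not mutated
        # while a caller is iterating over its keys.
        for consumer in dependents.get(current, ()):
            if consumer not in seen:
                seen.add(consumer)
                queue.append(consumer)
    return seen


def hidden_pillars(dependents, sectors, max_direct=2, min_sectors=3):
    """Providers with few direct customers whose transitive reach spans many sectors.

    Returns (provider, direct_customers, transitive_reach, sectors_touched),
    largest reach first. Thresholds are illustrative assumptions.
    """
    results = []
    for provider in list(dependents):
        direct = dependents[provider]
        reach = blast_radius(dependents, provider)
        touched = {sectors[org] for org in reach if org in sectors}
        if len(direct) <= max_direct and len(touched) >= min_sectors:
            results.append((provider, len(direct), len(reach), sorted(touched)))
    return sorted(results, key=lambda row: -row[2])


def sector_dependence(dependents, sectors, sector):
    """Fraction of organizations in `sector` that depend, directly or
    transitively, on each provider; this is the concentration metric behind
    statements such as 'one-third of a sector relies on provider X'."""
    members = {org for org, s in sectors.items() if s == sector}
    out = {}
    for provider in list(dependents):
        hit = members & blast_radius(dependents, provider)
        if hit:
            out[provider] = len(hit) / len(members)
    return out


GRAPH = build_graph(RELATIONSHIPS)

if __name__ == "__main__":
    for row in hidden_pillars(GRAPH, SECTOR):
        print("hidden pillar:", row)
    print("finance dependence:", sector_dependence(GRAPH, SECTOR, "finance"))
```

On the constructed data, CloudCo has four direct customers and is therefore visible to any vendor-risk review, while AuthLib has two direct customers yet reaches six organizations across five sectors; sector_dependence reports that 100% of the finance sector depends on AuthLib but only 50% on CloudCo. In a real assessment the relationships would come from asset inventories, SBOMs and DNS/hosting data rather than a hand-written list, but the reach and concentration computations are the same.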

“Over the past year, we've seen several highly visible security incidents that highlight how incidents in the digital supply chain can have a massive ripple effect across the global economy,” said Ben Edwards, Principal Research Scientist at Bitsight. “Even security-conscious companies are vulnerable to weaknesses in their supply chain. Organizations must continuously evaluate their third-party vendors and suppliers to close security gaps.”

The comprehensive report also details findings on digital supply chain risks and provides anonymized examples of providers exhibiting high levels of risk. It utilizes Bitsight's proprietary data and security scanning information to inform its analysis.