Supply Chain Attacks Named Top Global Cyber Threat

- The global annual cost of software supply chain attacks is projected to reach $60 billion in 2025. Data from IBM's 2025 Cost of a Data Breach Report indicates that supply chain-related breaches cost companies an average of $227,244 more than other types of breaches. - Historic breaches highlight the vulnerability of government agencies; the 2020 SolarWinds attack compromised software updates pushed to 18,000 organizations, including the U.S. Treasury and Commerce Departments. This was accomplished by inserting malicious code into the Orion software platform, creating a backdoor for attackers. - The 2023 breach of MOVEit file-transfer software impacted over 2,700 organizations and the personal data of approximately 93 million individuals, including data from U.S. government agencies like the Department of Energy. The attack was initiated by the CL0P ransomware group exploiting a zero-day vulnerability. - Even identity management providers have become targets; a 2023 breach of Okta's customer support system led to the download of names and email addresses for all customer support users. However, customers in the FedRamp High and DoD IL4 environments were not impacted as they use a separate support system. - In response to these threats, the U.S. government is updating acquisition regulations via Executive Order 14028, which establishes baseline security standards for software sold to the government and mandates changes to the Federal Acquisition Regulation (FAR). - Attack vectors have evolved beyond traditional methods to include compromising open-source software repositories like PyPI, weaponizing browser extensions, and stealing OAuth tokens to gain access to interconnected SaaS platforms. - Artificial intelligence is being used by both attackers and defenders; malicious actors use AI for rapid reconnaissance to find vulnerable suppliers, while security systems use AI