Downstream Exposure / Upstream Breach
I’ve written before about externalities: when an organization’s actions cause harm to others. The recent SolarWinds breach has got me thinking about when someone causes harm to others via a third party. Are you the route into your customer’s organization?
The SolarWinds breach (and many other attacks against the digital supply chain) was a means to an end. The threat actors weren’t after the vendor or the vendor’s customer data, but rather the vendor’s customers’ systems. The discussion in risk management is most often about the impact to one’s own business, or the impact of customer information being stolen (likely loss of a customer or litigation); I don’t recall any conversation about an organization being an actual vector of harm to their customers’ systems.
Threat models and risk assessments need to expand to consider what happens to my customers’ operations and people if I am breached. Consider for a second if your networking company sells hardware to a particular government, or you run the gym nearby a local military base: you are a means to get to the target. You being breached and used as a vector into the actual target creates downstream exposure for your customer; from their perspective, you’re an upstream breach in their digital supply chain.
Sure, the target itself probably recognizes it’s high value and has general-purpose safeguards against the threats it understands. However, the SolarWinds breach suggests that this was a blind spot for some of the targeted US government agencies. I suspect it’s a blind spot for many, and that’s likely why SolarWinds and others are targeted; they’re literally the route to deliver the trojan horse through the gates of the metaphorical city. Whether or not you believe you have an obligation to your customers, it’s likely they’ll believe you have an obligation to them, and they’ll seek to make sure it’s fulfilled.
I’m generally of the opinion that most of us are uninteresting to nation state threat actors, and that we should worry more about garden-variety and organized crime hackers. The last few weeks suggest service providers and software developers need to understand who they do business with and the threat actors their customers are likely to be interesting to. Sometimes, one can be interesting not for who they are, but for the company they keep.
TL;DR: Review your customer list; if any of them are interesting to nation state threat actors, then you are too.
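As an added illustration of the review the TL;DR asks for (example code written for this page, not part of the original post), the script below models a supply chain as a directed graph of supplier-to-customer relationships and propagates each customer’s threat actors back upstream to its suppliers, transitively, so that a supplier two hops away from a high-value target still inherits that target’s adversaries. It goes beyond the post in one way: it carries the propagation through multiple tiers rather than one supplier-customer pair. All organization names, relationships and threat-actor interests are constructed sample data, and the three-tier actor ranking is an assumption made for the example.

```python
"""Supply-chain threat inheritance: an organization is interesting to every
threat actor that is interested in any organization it is a route into.

All data below is constructed sample data for illustration; the actor tiers
are an assumed, deliberately coarse ranking.
"""
from collections import deque

# Assumed ranking from least to most capable; the list index is the tier.
ACTOR_TIERS = ["opportunistic", "organized_crime", "nation_state"]

# Constructed sample: the threat actors each organization's own threat model
# already names (what it believes about itself, ignoring its customers).
DIRECT_INTEREST = {
    "gym_near_base": {"opportunistic"},
    "network_vendor": {"organized_crime"},
    "payroll_saas": {"organized_crime"},
    "defense_agency": {"nation_state"},
    "regional_retailer": {"opportunistic"},
}

# Constructed sample: supplier -> customers it has a route into
# (software updates, remote support access, member or employee data, ...).
SUPPLIES = {
    "payroll_saas": ["gym_near_base", "regional_retailer"],
    "gym_near_base": ["defense_agency"],  # members include base personnel
    "network_vendor": ["defense_agency", "regional_retailer"],
}


def downstream_customers(org, supplies=SUPPLIES):
    """Every organization reachable by following supplier -> customer edges.

    A breach of `org` is a potential route into each of these, not only the
    direct customers, which is why the walk is transitive.
    """
    seen = set()
    queue = deque(supplies.get(org, []))
    while queue:
        customer = queue.popleft()
        if customer in seen:
            continue
        seen.add(customer)
        queue.extend(supplies.get(customer, []))
    return seen


def inherited_interest(org, supplies=SUPPLIES, direct=DIRECT_INTEREST):
    """Threat actors interested in `org` because of whom it supplies."""
    actors = set()
    for customer in downstream_customers(org, supplies):
        actors |= direct.get(customer, set())
    return actors


def assess(org, supplies=SUPPLIES, direct=DIRECT_INTEREST):
    """Combine an organization's own threat model with the inherited one.

    `blind_spot` lists inherited actors more capable than anything the
    organization already plans for: the gap the post is describing.
    """
    own = direct.get(org, set())
    inherited = inherited_interest(org, supplies, direct)
    combined = own | inherited
    own_rank = max((ACTOR_TIERS.index(a) for a in own), default=-1)
    return {
        "org": org,
        "exposes": sorted(downstream_customers(org, supplies)),
        "own": sorted(own, key=ACTOR_TIERS.index),
        "inherited": sorted(inherited, key=ACTOR_TIERS.index),
        "highest_tier": max(combined, key=ACTOR_TIERS.index) if combined else None,
        "blind_spot": sorted(
            (a for a in inherited if ACTOR_TIERS.index(a) > own_rank),
            key=ACTOR_TIERS.index,
        ),
    }


if __name__ == "__main__":
    for name in DIRECT_INTEREST:
        report = assess(name)
        print(f"{report['org']:<18} exposes={report['exposes']} "
              f"highest={report['highest_tier']} blind_spot={report['blind_spot']}")
```

Running it shows the point of the post in data form: the payroll provider's own threat model stops at organized crime, yet through the gym it is two hops from a nation-state target and inherits that adversary. The `exposes` list is the customer list a supplier should be reviewing, and `blind_spot` is what that review should add to its threat model.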