Supply chain threats and commercial espionage

Alternate format: Supply chain threats and commercial espionage (PDF, 498 KB)

Supply chain refers to the processes required to design, manufacture and distribute equipment or other commodities, including information technology hardware and software. The stages of this complex process often involve different entities.

Supply chain security is only as strong as its weakest link. A security compromise CompromiseThe intentional or unintentional disclosure of information, which adversely impacts its confidentiality, integrity, or availability. anywhere in the supply chain could allow a cyber threat Cyber threatA threat actor, using the internet, who takes advantage of a known vulnerability in a product for the purposes of exploiting a network and the information the network carries. actor to exploit a device, or one of its components once it is connected to a company’s secured network. Supply chains can be compromised before or after the delivery of a product or service, or during software updates or hardware upgrades.


“Every link in a global supply chain can pose a risk to cyber security”

Threat actors may also exploit trusted relationships between businesses. For example, when multiple companies, contractors or business partners share access to critical data and networks an opportunity is created for cyber threat actors to access and exploit these shared networks and reach a desired target. Compromising many devices can help disguise a threat actor’s motivation, identity and intended target.

State-sponsored cyber threat actors also advance their defence and technology sectors by conducting commercial cyber espionage around the world, including in Canada. This risk is even higher for Canadian companies that operate abroad.

What is the Government of Canada doing?

The Canadian Centre for Cyber Security Cyber securityThe protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability. works closely with stakeholders in critical sectors to provide advice and guidance to help mitigate supply chain risks in critical infrastructure Critical infrastructureProcesses, systems, facilities, technologies, networks, assets, and services essential to the health, safety, security, or economic well-being of Canadians and the effective functioning of government. Critical infrastructure can be stand-alone or interconnected and interdependent within and across provinces, territories, and national borders. Disruptions of critical infrastructure could result in catastrophic loss of life, adverse economic effects, and significant harm to public confidence. that Canadians rely on every day.

For example, since 2013, the Communications Security Establishment’s Security Review Program has helped mitigate supply chain threats to the telecommunications sector for 3G, 4G and LTE technology. To date, CSE and its government partners have worked with companies representing over 99% of the Canadian mobile market to help mitigate the risk of cyber espionage and network disruption. This program has helped mitigate risk by excluding designated equipment and services from sensitive areas of Canada’s telecom networks.

Top tips for business owners and operators

  • Ask partners, vendors, and other service providers questions about their security practices.
  • Conduct vendor, partner, and other service provider risk assessments
  • Protect information at the enterprise level. Security can be strengthened by establishing limited information or network access for relevant vendors
  • Consolidate, monitor, and defend internet gateways
  • Patch operating systems and applications
  • Provide tailored awareness and training to employees
Supply Chain Process - Long description immediately follows
Long description - supply chain process

Cyber threat actors can exploit the supply chain at various stages such as the design stage for poor quality design practices, the production stage by tampering product, the delivery and deployment stage with weak cyber security practices, the operational stage by exploiting vulnerabilities, and the maintenance stage via a service provider.

Date modified: