Software Supply Chain Attacks: An Illustrated Typological Review

Most elements constituting modern life, from the economy to social habits, are now characterized by using digital technologies and the consumption of goods and services that depend on complex, interconnected, transnational, and, at times, vulnerable, supply chains. Critical dependencies and heightened (cyber) threats combined with strategic competitiveness are increasingly turning the issue of supply chain security into matters of national and international security. Located at the intersection of supply chains and cyber are the topics of software supply chains attacks and broader mitigation and protection elements that fall under the term cyber supply chain risk management. Due to their heightened relevance in the current security discourse, their potential destructive and strategic effects, and their increased use by malicious actors (state-linked and criminal), software supply chain attacks are the focus of this CSS Cyberdefense Report. The overarching aim of this report is to provide an illustrative overview of software supply chain attacks and to raise awareness of the types of attacks, their uses, and their potential impacts.