The UK’s defence secretary would not confirm that the attack was conducted by an element of the Chinese state, instead pointing to the “potential failings” of a contractor. Credit: Shutterstock

A suspected Chinese hack that exposed payroll records of 270,000 members of the British armed services was connected to the “potential failings” of a government contractor, UK defence secretary Grant Shapps told the British Parliament.

News of the incident became public on May 7, when government sources briefed journalists about a major hack of the Ministry of Defence (MOD) allegedly conducted by the Chinese state. The data put at risk included the names and bank details of current, reservist, and retired members of the Royal Navy, Army, and Royal Air Force. A small but unconfirmed number of home addresses were also exposed.

But by the time Shapps made his statement to Parliament hours later, China was no longer being mentioned by name. Instead, Shapps focused on the third-party company that managed the payroll system. “This was operated by a contractor and there is evidence of potential failings by them which may have made it easier for the malign actor to gain entry,” Shapps said.

No confirmed connection to a nation-state

Although Shapps didn’t explicitly blame the contractor, the government has started a review of the company and its operations, he said. “Although we can see a malign actor was involved, we have yet to make the connection to a state. Although we can’t rule out that that might be the conclusion, we have no evidence to conclude that way yet,” he said.

The incident reveals a knot of issues, starting with the political problem of attribution. The government clearly believes that China was behind the hack but doesn’t want to say so publicly, to avoid getting into a diplomatic slanging match.
That has upset a noisy element among the government’s own MPs, many of whom see China as a major threat to UK security and would prefer the government to be more explicit about this. In March, China was blamed for a cybercampaign targeting MPs. Not long after, two Parliamentary aides were charged with spying for China under the Official Secrets Act. In political circles, at least, the theme is now well-defined: The Chinese state has long tentacles, and the British state and its politicians are in its sights. Separately, the UK and several of its allies recently accused China of targeting critical infrastructure through the Volt Typhoon hacking campaign.

Third-party compromise unknown

A more unusual aspect of the latest incident is that a senior minister has so quickly connected a compromise affecting government systems to a third party. Shapps only confirmed the contractor involved in Parliament after the Labour Party’s shadow defence secretary John Healey named the company as Shared Services Connected Ltd (SSCL), which operates the MOD payroll contract in addition to many others across the government.

What is not yet known is the nature of the weakness that led to the incident, nor how much data was actually accessed. That might only become apparent many months later, assuming the findings of any investigation into the incident are ever made public. The wider question is how any government can maintain visibility of the contractors that run many of its services.

“I’m not surprised by this because supply chain security is really difficult,” Martin J. Kraemer of security awareness company KnowBe4 told CSO Online. “It’s largely to do with the increasing complexity. If you went into a large organization as a consultant, one of the first things you would do is to ask for a list of all of their vendors.
But they would look at you and say they don’t know.”

Security issues inherent in supply chains

This is why the term supply chain is aptly named: It’s a long list of vendors, who work for other vendors, who work for other vendors, who work as contractors to large organizations such as governments. “The companies that are part of this supply chain get ever smaller and more specialized. This is why the EU’s NIS2 Directive makes organizations responsible for the security of their supply chains,” said Kraemer.

Among the weaknesses that are hardest to plug, he said, is so-called vendor email compromise, in which attackers take over a trusted email relationship between supply chain partners and use it as a way in. “Someone takes over the email account of a company and they have an easy way in. This can be one of the most costly compromises.”