F5 breach underscores need for a layered approach to protecting against supply chain attacks
Cyber supply chain attacks seem to be running wild. The latest one garnering attention is the compromise of F5 BIG-IP products that prompted CISA to issue an urgent mitigation order Wednesday to the federal civilian executive branch and to more broadly notify critical infrastructure providers of the potentially critical vendor vulnerability.
CISA said in its emergency directive that “a nation-state affiliated cyber threat actor has compromised F5’s systems and exfiltrated files, which included a portion of its BIG-IP source code and vulnerability information.” Although attribution is not fully clear, the F5 incident comes at a time when Chinese-linked actors seem to be running a sustained campaign of “Typhoons.” As such, government and critical infrastructure are dealing with the reality that their supplier ecosystems are being exploited, creating a large attack space, and that their own cybersecurity relies on vendor security and vendor management practices. Although official authoritative statistics are hard to come by – the Bureau of Cyber Statistics that has been proposed to study data collected under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) process still does not exist – a review of the research presents a stark picture.
The 2025 Verizon Data Breach Investigations Report found that nearly one in three confirmed breaches now involves a third-party vendor or service provider, which is double the rate from last year. Meanwhile, Mandiant’s 2025 M-Trends analysis reported that 10% of ransomware incidents began with a partner or supplier compromise, while software exploits and credential abuse together accounted for two-thirds of all initial intrusions. These findings reveal that adversaries are increasingly exploiting the underlying digital dependencies of modern enterprises to reach otherwise well-defended targets.
It is fair to say that we are at an urgent moment in managing cyber supply chain risks across the national security enterprise. There is not, however, a consistent playbook for doing so, and putting one in place should be a cybersecurity priority. From a national perspective, such a playbook needs to start with activities at multiple levels. To borrow a term from other parts of homeland security doctrine, we need a layered risk management approach.
The approach starts with government and critical infrastructure entities themselves. Such entities are the ultimate victims of supply chain attacks but can only do so much to ensure the security and vulnerability management of the digital vendors that present a key risk vector.
Entities must focus on four priority areas of activity to protect themselves: 1) maintaining an actively monitored list of the critical vendors and key hardware and software that their business relies on; 2) taking the security practices of critical vendors into account prior to contracting and, when possible, using business leverage to demand that certain standards are met and that incident information is shared; 3) minimizing the exposure of operational systems and critical information to third-party vendors; and 4) preparing and stress-testing whether operations can be shifted should the most critical vendors be compromised.
The second line of layered risk management is the digital critical infrastructure that underpins government and critical functions, to include shared SaaS platforms, managed service providers, applications, operating systems and cloud computing.
The reality, of course, is that often critical vendors who own that infrastructure have more leverage in a business relationship than those receiving the services. As an example, there has been much debate in Washington, D.C., policy circles over how to address the federal government’s reliance on Microsoft and other hyperscale cloud service providers. And even in the case of the federal government, there’s only so much that can be done to ensure the security of its critical suppliers.
This problem is more acute for smaller entities that must rely on SaaS platforms to manage their business operations effectively, use operating system and application tools for all sorts of internal processes, and outsource critical services, including cybersecurity, to third parties that specialize in those functions and have large customer sets and revenue. Vendors are responsive to the overall market, not to any one small customer.
Therefore, critical vendors need to be active in managing the cyber supply chain risk of their customers by committing to security by design and resilience by design principles, ensuring that they are baking security costs into their service offerings and software development practices. These vendors also need to be prepared to share information with customers should incidents occur and establish contractual terms that allow for that. Finally, vendors can provide guidance on secure deployments in different environments to minimize supply chain risk exposure.
The third line of layered management is the role of governments in confronting this risk to homeland security and national defense. The U.S. government has not yet been able to impose sufficient costs on Chinese actors and create deterrence to prevent China from using supply chain attacks as a vector for cyber operations and information gathering. However, even if Chinese actors pared back their activities, there are other adversaries that would continue to be active in supply chain attacks.
Therefore, governments across the federal, state and local levels need to play an active role in managing supply chain risks, including the development of standards that can be used by critical vendors and entered into contractual and regulatory requirements. Governments must also put in place the legal framework to enable and encourage information sharing, inclusive of the renewal of the Cybersecurity Information Sharing Act of 2015, with, ideally, additional protections for sharing supply chain risk information. The House bill reauthorizing the 2015 act had such a provision but has not moved because of opposition in the Senate.
The culmination of the above means that addressing cyber supply chain risk is a collective effort. All layers must work toward the same goal of reducing attack space and system-wide impact of breaches. October is National Cybersecurity Awareness Month. When it comes to managing supply chain risk, let’s make October National Cybersecurity Action Month.