The typical view of security pacts among allied nations, like the Australia-United Kingdom-United States (AUKUS) pact, is that they are mutually beneficial agreements that produce positive outcomes for all parties involved. But it ignores the way these agreements by their very nature can also increase cyber risks since the signatories often share data and intellectual property to ensure the success of the security agreements.
AUKUS illustrates both the positive aspects of international security agreements and the additional cybersecurity risks they may present. The AUKUS security pact calls for the three signatories to cooperate to promote a free, open and secure Indo-Pacific region, ensuring stability and deterring potential threats.
The partnership supports Australia in acquiring nuclear-powered submarines and works to enhance joint cyber capabilities, artificial intelligence, quantum technologies and additional undersea capabilities. Given the global security implications of the AUKUS mission, it is crucial that the signatories protect the sensitive technology and data they share.
But it also introduces a significant risk: the potential for cyber threats exploited by adversarial nation-states or other malicious actors opposed to the mission of AUKUS.
The AUKUS supply chain – a complex and expansive network of vendors, suppliers and service providers, all of which play a critical role in supporting the strategic objectives, presents an expanding attack surface for adversaries to exploit.
A secure AUKUS supply chain ensures the seamless and reliable flow of critical resources, including the transfer and integration of highly sensitive technology such as nuclear-powered submarine capabilities. A compromised supply chain could lead to significant vulnerabilities, exposing mission-critical assets to theft, sabotage or cyberattacks.
A supply chain at risk
As the supply chain grows in complexity and scale, so does the challenge of securing it against these ever-evolving cyber threats. This intricate web of interconnected entities significantly expands the attack surface, creating numerous entry points for potential cyber threats into all three countries’ infrastructures.
The proliferation of internet-exposed systems and devices within this supply chain further exacerbates the risk, as each connected asset can potentially serve as a gateway for adversarial actors to infiltrate the broader network. Unpatched software, weak authentication protocols and unsecured Internet of Things (IoT) devices can be exploited to undermine the AUKUS mission.
Recent analysis of the AUKUS supply chain by my company, the cybersecurity firm Censys, revealed thousands of exposed devices that presented cybersecurity risks carrying significant implications for the security and stability of the entire initiative. These exposed assets, whether unpatched servers, vulnerable IoT devices or improperly secured cloud services, represent potential entry points for adversaries. When officials leave such vulnerabilities unaddressed, nation states or other malicious actors can exploit them to gain unauthorized access to sensitive information, disrupt operations or even sabotage critical systems.
A recipe for success
Understanding the full extent of this attack surface is essential for effectively mitigating the risks and ensuring the continued success of the AUKUS initiative.
Here are three steps the AUKUS governments should take to secure the pact’s supply chain against cyber threats:
Conduct robust vendor risk assessments. The three governments must conduct comprehensive security audits of all vendors and suppliers within the supply chain. These audits should evaluate vendors’ cybersecurity practices and adherence to industry standards and overall risk posture. They should also ensure that all parties involved in the supply chain follow stringent cybersecurity protocols to minimize the likelihood of introducing vulnerabilities.
Implement continuous monitoring. By leveraging threat intelligence and real-time data analysis, AUKUS members can detect and respond to potential threats as they emerge. Continuous monitoring allows for the identification of new cybersecurity risks, changes in the attack surface and suspicious activity that could indicate a breach. Incorporating automated tools and platforms can enhance the effectiveness of this monitoring process.
Adopt advanced security frameworks. Another critical strategy is adopting cybersecurity frameworks and models. The National Institute of Standards and Technology Cybersecurity Framework 2.0 provides guidance to help organizations of all sizes and sectors — including alliances like AUKUS — to manage and reduce cybersecurity risk. It is useful regardless of the maturity level and technical sophistication of an organization’s cybersecurity programs.
By also implementing “zero trust” principles, AUKUS member states can significantly reduce the risk of unauthorized access and lateral movement within the supply chain. Within the supply chain, a zero-trust architecture operates on the principle that member states should not trust by default any entity — whether internal or external. This model enforces strict authentication and verification for all devices, users, and systems seeking network access.
While the AUKUS alliance undoubtedly strengthens the defense capabilities of Australia, the United Kingdom and the United States, it also necessitates vigilance to combat the inherent cybersecurity risks.
By implementing robust vendor risk assessments, continuous monitoring, and advanced security frameworks, AUKUS members can fortify their supply chain and mitigate these risks. These steps represent just the tip of the iceberg when it comes to countering evolving supply chain threats, but they will give alliance members an excellent start.
