The UK's supply chain is heavily reliant on "Chinese military companies", Bitsight warns
Investigators uncover China's links in critical areas of the economy and "hidden pillars" which could cause cascading systemic failure across industries.

One-third of the UK's supply chain relies on organisations that the US Department of Defense has designated as "Chinese military companies".
That's the warning from cybersecurity company Bitsight, which has released new research highlighting links to China in the nation's digital supply chain and "hidden pillars" that could collapse Britain's economy if they failed.
Bitsight's TRACE Security Research Team has released a new report called "Under the Surface: Uncovering Cyber Risk in the Global Supply Chain" that examines both global and UK-specific data.
The research is based on an analysis of 500,000 organisations, 40,000 products, and 12,000 providers, mapping over 61 million digital supply chain relationships.
The findings are a stern reminder of the systemic fragility caused by interconnected businesses, hammering home the point that cybersecurity incidents in one part of the supply chain can have "far-reaching" and catastrophic impacts.

"Over the past year, we’ve seen several highly-visible security incidents that highlight how incidents in the digital supply chain can have a massive ripple effect across the global economy," said Ben Edwards, Principal Research Scientist at Bitsight.
"Even the most security-conscious companies are vulnerable to weaknesses in their supply chain. Organisations must continuously evaluate their third party vendors and suppliers and work proactively to close security gaps."
The UK supply chain is larger and more complex than the global average, increasing the attack surface and giving threat actors more opportunities to attack.
A typical UK organisation uses 29.1 different providers and 81.6 different products - a 10% larger supply chain than the global average.
"The larger and more complex a supply chain, the greater the attack surface, increasing opportunities for cybercriminals to infiltrate networks," Bitsight wrote.
"Supply chain risks don’t just come from direct providers – they extend through multiple tiers, creating hidden vulnerabilities that businesses may not be aware of."

Chinese military-linked companies are involved in 30% of the UK supply chain, a finding that "underscores the challenge of securing the digital supply chain against foreign influence."
"Even with increased scrutiny and regulatory efforts, Chinese state-linked firms maintain a significant foothold in UK industries, making it critical for organisations to assess their vendor relationships and mitigate potential risks," Bitsight continued.
The research also describes the risk posed by "Hidden Pillars", which are lesser-known technology companies that serve large portions - or even the majority - of specific industries. A security failure at one of these companies could trigger cascading effects across industries and society.
These companies may themselves have a small market share, serving only a handful of customers, yet those customers hold a massive market share in industries like energy, finance, and logistics.
Bitsight said that some of the most critical software and infrastructure providers operate with fewer than 50 employees, but their technology is embedded in Fortune 500 companies and global enterprises.

Providers - organisations that supply digital products and services - often face far greater cybersecurity challenges than the businesses they serve due to larger attack surfaces, complex vendor relationships and increased risk exposure, meaning they must take strong measures to secure their ecosystems.
On average, providers use 2.5 times more products and have 10 times more internet-facing assets globally, making them more exposed to cyber threats, Bitsight warned.
While providers outperform consumers in four of six security standards including DMARC, SPF, DKIM, and DNSSEC, they lag behind in areas such as patch management, open ports, insecure systems, and botnet infections.