The Hidden Risk of Your Infrastructure
Nation state actors have been targeting critical infrastructure for years, and most organizations are not as prepared as they think.
The risk is not just about who is trying to get in. It is about what is already in your stack, where it came from, and whether you would know in time to do anything about it.
In this episode of Threat Talks, Lieuwe Jan Koning, Co-founder and CTO at ON2IT Cybersecurity, speaks with Caitlin Clarke, Senior Director of Cybersecurity Services at Venable and former Special Assistant to the President for Cybersecurity and Emerging Technology, about what security leaders can do right now, ahead of the regulatory guidance that is still taking shape.
What you’ll learn
- Hardware is just the start. Software updates, open source libraries, AI-generated code, outsourced R&D – every layer carries exposure that procurement teams almost never factor in.
- How to map a supply chain when your suppliers have suppliers. What to ask. How far down to go. How to prioritize when you can’t go everywhere at once.
- What Huawei taught us about waiting too long. Rip-and-replace is what happens when there’s no exit strategy. The cost is enormous, and entirely avoidable.
- Why insider risk belongs in this conversation. Nation state actors target people and research, not just networks. Organizations that focus only on technology are leaving the front door open.
Your cybersecurity experts
Lieuwe Jan Koning
Co-Founder and CTO
ON2IT
Episode details
The conversation starts where the threat starts: with years of nation state campaigns targeting critical infrastructure. Volt Typhoon was about positioning for disruption. Salt Typhoon was a large-scale espionage operation.
Both reflect adversaries who are already inside the networks of organizations that believed their defenses were adequate. That is the context in which CISOs need to be thinking about how they operate today.
Supply chain risk is broader than most security leaders have reckoned with. It is not just the device on the shelf. It is the software running on that device, the library a developer pulled from an open source repository last month, the update a vendor pushed without flagging what changed, and the R&D that was outsourced to a region that introduces geopolitical exposure.
Organizations may unknowingly have technology in their environment that could be labelled adversarial, not because of a deliberate choice but because no one asked the right questions at procurement time.
Supply chain mapping covers how to structure third party risk programs to ask the right provenance questions, what fourth and nth party relationships actually mean in practice, and what to do when there is no clear alternative to a supplier you can no longer trust. In some markets, the alternatives simply do not exist yet, and that is a problem the industry and governments will need to solve together.
The episode closes on a dimension that is often treated separately but belongs in the same conversation: people.
It covers insider risk programs, IP theft as a primary target for nation state actors, and the economic security framing that extends beyond technology to who has access to sensitive research and development.
The organizations best prepared for what is coming are the ones where the CISO and the procurement team are already in the same room, making decisions together before a purchase is made, not after an incident makes the cost visible.