Is foreign interference a blind spot in your technology supply chain?
Foreign interference refers to activities carried out by, on behalf of, or in active collaboration with a foreign power that are clandestine or deceptive, or that involve a threat to a person, and that are detrimental to Australia’s interests.
Foreign interference risks are obvious in some industries (e.g. research, defence, leading-edge information technologies and critical infrastructure). The risk is far less visible where foreign adversaries are seeking commercial advantage in globally competitive markets as part of a longer-term strategy. Reliance on third-party and even more distant ‘nth party’ suppliers in large enterprise ecosystems significantly increases the complexity of this risk.
Seemingly ‘low-risk’ organisations may serve as a stepping-stone into higher risk sectors. For example, a small software firm supplying code to a defence contractor can be just as attractive a target as the contractor itself.
The Australian Government has taken several measures to address this threat:
- The Technology Foreign Interference Taskforce (TechFIT) initiative was launched in early 2025 to protect the technology sector from covert influence, data theft, and supply chain compromise
- The Critical Technology - Enhanced Visa Screening Measures were introduced in 2024 to address the risk of sensitive research and technology information being taken offshore
- The 2023 revisions of the Security of Critical Infrastructure Act have a broad application, with some of the provisions aligned with mitigating foreign interference risk.
In light of the significant increase in geopolitical risk over recent years, how many organisations can truly claim to have regularly assessed their exposure to foreign interference and maintain a clear mitigation strategy? Learn more about rising global risks for organisations in our Global risk landscape report 2025.
Foreign interference risk in information technology (IT)
Organisations should approach foreign interference risk by assuming they are exposed and then asking why they would not be, rather than assuming the risk does not apply to them. This assessment should cover the goods and/or services supplied, the nature of the customer base, and the profile of the key supply chain.
From a technology perspective, threats have typically been thought of as state-sponsored hacking and ransomware attacks. Given the complexity of today’s technology supply chains, attack vectors now include more nuanced and insidious threats, such as:
- Data compromise via externally managed service providers or fourth- and fifth-party suppliers
- Compromise of embedded third-party tools within the technology stack
- Embedding ‘trusted insiders’ as personnel within the technology supply-chain
- Social engineering or coercion of individuals working in an organisation’s technology function to provide access to sensitive information
- Fraudulent remote workers hired under false identities, who interact only through communications platforms
- Manipulation of artificial intelligence (AI) training datasets.
The impacts of foreign interference on organisations
In addition to the threat to Australia’s national security and long-term economic health, foreign interference in IT is an emerging enterprise risk for many organisations.
The key impacts of foreign interference can include:
- Compromise of sensitive information in relation to new products, services and technologies, leading to the erosion of competitive advantage
- Reputational damage and associated loss of trust with customers and trading partners following a major compromise
- System interruption in the event of malicious activity
- Psychosocial health issues impacting the workforce
- Cost of investigation and remediation of breach.
Management of foreign interference risk is inherently cross functional. It does not reside solely within the domain of IT or cybersecurity; it intersects with procurement, human resources (HR), legal, and governance.
BDO recommendations
We recommend these key practical steps to mitigate foreign interference risk:
Executive and management level
- Encourage executive-level discussion and board-level visibility of foreign interference risks through their Enterprise Risk Management program
- Regularly revisit foreign interference risk mitigation strategy to align with evolving government advice and changes to organisational conditions
- Build relationships with relevant government departments and agencies as a valuable source of guidance and advice (e.g. Department of Home Affairs, Australian Signals Directorate, and the Cyber and Infrastructure Security Centre).
IT delivery and vendors
- Procurement teams should assess vendors not only for capability and cost, but also for ownership structures, jurisdictional exposure, and geopolitical risk
- Ensure that technology dependencies on foreign jurisdictions are fully understood and regularly updated, and that there is real visibility of fourth and fifth parties
- Understand how IT delivery partners manage access to the organisation’s most privileged accounts, and whether that access is granted on a need-to-know, least-privilege basis. Organisations should also consider whether the same controls apply to redundant data stores or test systems that may hold sensitive data
- Identify whether logging and monitoring arrangements cover anomalous access patterns (e.g. privileged vendor accounts used from unexpected jurisdictions or at unexpected times), data exfiltration, and indicators of compromise linked to foreign actors
- Conduct regular threat and exposure assessments, which include consideration of the extended enterprise, i.e. delivery partners, outsourced providers and contractors
- IT staff in critical or high-risk positions (e.g. those with administrator-level access, access to critical data or key cyber security positions) should be subject to increased vetting and background checks. In many cases, these staff are employed by external vendors and trading partners. Where vetting is delegated to the vendor, organisations should set minimum vetting requirements contractually and verify that they are actually met.
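The two recommendations on nth-party visibility and on monitoring privileged vendor access can be tied together in a single review. The script below is an added illustration and is not BDO’s code or tooling: it walks a constructed supplier register to find which jurisdictions a direct supplier’s subcontractors (fourth and fifth parties) reach, then uses that map to flag privileged sessions by vendor accounts in a few constructed authentication log lines. The supplier names, the key=value log format and the 1 GB exfiltration threshold are all assumptions made for the example.

```python
"""Added example (not from BDO or the page): walk a supplier register to find
nth-party jurisdiction exposure, then use that map to flag anomalous privileged
access by vendor accounts in a few constructed authentication log lines."""
from collections import deque

# Constructed supplier register with hypothetical names. For each supplier: the
# parties it subcontracts to, and the jurisdictions it has declared it operates from.
SUPPLIERS = {
    "acme-msp":       {"subcontractors": ["helpdesk-co", "cloudops-ltd"], "jurisdictions": {"AU"}},
    "helpdesk-co":    {"subcontractors": ["nightshift-bpo"],              "jurisdictions": {"AU", "NZ"}},
    "nightshift-bpo": {"subcontractors": [],                              "jurisdictions": {"PH"}},
    "cloudops-ltd":   {"subcontractors": ["ci-tooling-inc"],              "jurisdictions": {"AU"}},
    "ci-tooling-inc": {"subcontractors": [],                              "jurisdictions": {"US", "IN"}},
}


def transitive_exposure(register, supplier):
    """Breadth-first walk from a direct supplier through its subcontractors.

    Returns (depths, jurisdictions): depths maps each reachable party to its
    tier (1 = third party, 2 = fourth party, 3 = fifth party, ...), and
    jurisdictions is the union of every declared jurisdiction in that chain.
    The depths dict doubles as the visited set, so cyclic registers terminate.
    """
    depths = {supplier: 1}
    queue = deque([supplier])
    while queue:
        current = queue.popleft()
        for sub in register.get(current, {}).get("subcontractors", []):
            if sub not in depths:
                depths[sub] = depths[current] + 1
                queue.append(sub)
    jurisdictions = set()
    for party in depths:
        jurisdictions |= register.get(party, {}).get("jurisdictions", set())
    return depths, jurisdictions


# Constructed log lines in a hypothetical key=value format: one session each,
# with the account, the vendor it belongs to, source country, privilege level
# and bytes transferred out of the environment.
LOG_LINES = [
    "2025-03-03T02:14:09Z user=svc-acme-admin vendor=acme-msp src_country=AU priv=admin bytes_out=120000",
    "2025-03-03T02:40:51Z user=svc-acme-admin vendor=acme-msp src_country=PH priv=admin bytes_out=95000",
    "2025-03-03T03:05:22Z user=svc-acme-admin vendor=acme-msp src_country=RU priv=admin bytes_out=4200000000",
    "2025-03-03T09:12:00Z user=j.doe vendor=internal src_country=AU priv=user bytes_out=300",
]

EXFIL_BYTES = 1_000_000_000  # assumed per-session threshold (1 GB); tune to the environment


def parse_line(line):
    """Parse one constructed log line into a dict of its fields."""
    timestamp, *pairs = line.split()
    record = dict(pair.split("=", 1) for pair in pairs)
    record["ts"] = timestamp
    record["bytes_out"] = int(record["bytes_out"])
    return record


def review_access(register, lines, exfil_bytes=EXFIL_BYTES):
    """Flag privileged vendor sessions that fall outside the vendor's declared chain.

    Findings are (severity, user, reason) tuples:
      HIGH   - admin session from a country no party in the vendor's chain declared,
               or an admin session moving at least exfil_bytes out
      MEDIUM - admin session from a country declared only by an nth party, i.e. the
               direct vendor's credential is in a subcontractor's hands
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec["priv"] != "admin" or rec["vendor"] == "internal":
            continue  # scope: privileged access by external delivery partners only
        direct = register.get(rec["vendor"], {}).get("jurisdictions", set())
        _, chain = transitive_exposure(register, rec["vendor"])
        country = rec["src_country"]
        if country not in chain:
            findings.append(("HIGH", rec["user"],
                             f"admin session from {country}, outside {rec['vendor']}'s declared supply chain"))
        elif country not in direct:
            findings.append(("MEDIUM", rec["user"],
                             f"admin session from {country}, declared only by an nth party of {rec['vendor']}"))
        if rec["bytes_out"] >= exfil_bytes:
            findings.append(("HIGH", rec["user"],
                             f"{rec['bytes_out']} bytes out in one admin session"))
    return findings


if __name__ == "__main__":
    depths, exposure = transitive_exposure(SUPPLIERS, "acme-msp")
    print("acme-msp chain (tier 3 = fifth party):", depths)
    print("jurisdictions reachable through that chain:", sorted(exposure))
    for severity, user, reason in review_access(SUPPLIERS, LOG_LINES):
        print(severity, user, reason)
```

The MEDIUM finding is the one most organisations never see: the session from PH is inside the declared chain, but only because a fifth party declared it, which means the direct vendor’s administrative credential has been passed down to a subcontractor the organisation never contracted with. The register is the weak point of this approach; it is only as good as the subcontractor and jurisdiction declarations obtained through procurement and kept current.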
Organisational culture
- Train HR and personnel teams to identify insider threats, coercion attempts, or undeclared foreign affiliations
- Encourage a culture of vigilance and personal responsibility where staff can safely raise concerns or suspicions that may be indicative of foreign interference.
When the supply chain becomes invisible
The rise of generative AI is making supply chain risk increasingly opaque. AI systems now generate code, process sensitive data, and simulate human interactions. Amid this growing complexity, organisations should consider these critical questions when adopting AI:
- Who trained the model?
- What data was used and who influenced it?
- Where is the model hosted and managed?
- Do we understand the potential exposure to ‘data poisoning’ attacks, where an adversary inserts harmful, inaccurate or biased data into the training data to influence the output of the model?
These questions are often unanswerable when using third-party or open-source AI tools, creating a ‘black box’ risk in the supply chain.
To mitigate this, organisations should:
- Establish governance frameworks for AI procurement and deployment
- Audit AI generated outputs for integrity and bias
- Vet AI vendors for transparency, jurisdiction, and data handling practices
- Ensure that data lineage and model provenance are understood.
Ultimately, AI can enhance decision making, but there should always be human intervention to critically evaluate automated outputs as part of a decision-making process.
Summary
Foreign interference is not a new threat; some sectors, particularly research, defence, electoral integrity and critical infrastructure, have long been familiar with it. However, the complex nature of our supply chains and associated technology delivery means that the challenge is more multifaceted than ever, driving the need for thorough risk management.
In a world where digital competitive advantage is increasingly critical, the ability to anticipate, mitigate, and respond to foreign interference will be integral to being a trusted and resilient business.
How BDO can help
Organisations may easily overlook the risk of ‘nth party’ suppliers in their supply chain, increasing the threat of compromised key company data and falling victim to foreign interference. Our team of experts support organisations in risk mitigation, security, forensics and data privacy protection. Contact us to learn more.