In today’s hyperconnected world, the supply chains underpinning global technology are becoming the new battlegrounds of cyberwarfare. Governments, defence contractors and critical infrastructure operators may not realise it, but their routers, GPUs and firmware updates could already be carrying unseen adversaries.
Speaking to Deeptech Times on the sidelines of GovWare 2025, Wes Dobry, vice president of solutions engineering at Eclypsium, called these stealthy compromises the rise of “shadow networks”. These are not the visible layers of the internet but the invisible threads of trust connecting every chip, device and component across continents. When one of those threads is compromised, the ripple effect can undermine an entire nation’s digital sovereignty.
When the trusted become the threat
In Dobry’s view, the most under-recognised threat isn’t the flashy zero-day exploit or headline-grabbing ransomware attack. It’s the compromise of trust at the most fundamental layers of technology.
“A perfect example is the recent F5 breach,” he explained, referencing a case where nation-state actors infiltrated a major cybersecurity vendor’s engineering environment for nearly a year.
“When a company like that is compromised, it becomes a supply chain challenge for everyone,” he said.
The incident underscores an uncomfortable truth: even the defenders can become vectors of attack. Devices like routers, baseboard management controllers (BMCs) and firmware layers form the hidden scaffolding of modern infrastructure. A single unpatched vulnerability in these components can quietly provide attackers with persistent access for months or years.
And the issue isn’t complacency. It’s complexity. “A simple laptop can contain components from dozens of manufacturers and hundreds of factories around the world,” Dobry said. “Even the vendor may not fully understand all the risks inherited from their sub-suppliers.”
The result? Governments end up trusting devices and systems whose integrity they cannot independently verify.
The case for synthetic trust
To address this, Dobry advocated for what he calls “synthetic trust” – a philosophy rooted in zero-trust security, extended all the way to hardware and firmware.
“I shouldn’t trust anything, at any time, in any way,” he said matter-of-factly. “Even if a vendor says something is secure, governments need the tools and processes to independently validate that claim.”
In practical terms, synthetic trust means verifying the provenance, configuration and firmware integrity of every component, before it becomes part of critical operations. It’s a move from faith-based security to evidence-based assurance.
That shift, however, demands significant investment in architecture, policy and capability. Governments must adopt agnostic verification frameworks, where every device regardless of origin, is subjected to the same scrutiny. In this model, no brand, vendor or nation-state gets a free pass.
AI: The new catalyst and complicator of supply chain risk
As AI seeps deeper into government operations, a new layer of risk is emerging. “AI is fundamentally about efficiency,” Dobry explained. “It helps us adopt technology faster but that also means we’re skipping the checks and balances that traditionally ensure safety.”
He pointed to the early rollout of NVIDIA’s GH200 processors, where root-of-trust attestations were initially unavailable to accelerate time-to-market. “Even the companies building the world’s most advanced chips are making calculated security trade-offs,” he warned.
This haste, coupled with opaque model training and hardware provenance, creates a volatile mix. AI systems, especially those operating in shared or neocloud environments, could host firmware implants or malicious modifications that persist undetected.
“The scary part is that we don’t yet have frameworks to verify whether an AI model has been tampered with, retrained with bias, or subtly sabotaged,” he said.
IMAGE: Deeptech Times
The global governance gap
Despite the growing urgency, global cooperation remains fragmented. The U.S. and Europe are beginning to enforce stricter requirements, such as software bills of material (SBOM) and hardware bills of materials (HBOM), that compel manufacturers to disclose exactly what’s inside their products.
“These frameworks exist but what’s missing is teeth. Regulators need to enforce them, and auditors need to verify them,” Dobry said.
The U.S. has already moved toward requiring verifiable provenance for military and critical systems, ensuring that a sensor in a fighter jet wasn’t developed by a nation-state of concern. But outside of the West, the picture is murkier.
“In Asia, the supply chains are so diverse that governments are still maturing their oversight,” Dobry observed. “Interestingly, when I’m in the U.S., people worry about devices from China. When I’m in Asia, they worry about devices from the U.S. That tells you how trust itself has become geopolitical.”
When trust fails
No system is perfect. And when synthetic trust fails, the fallout can be severe. Governments must prepare for the day a compromised component is uncovered deep within their operational infrastructure.
“There’s often no compensating control for hardware-level compromise,” Dobry said bluntly. “Sometimes, the only solution is to remove the device from operation entirely.”
He referenced the U.S. government’s handling of Pulse Secure VPN appliances after vulnerabilities were discovered – they were ordered to be removed from networks outright. “You can’t patch trust,” he said.
However, he stressed that resilience lies in preparation. Governments should build comprehensive playbooks for incident response that include forensics, quarantine procedures and backup supply chains. The key is to assume that some level of compromise is inevitable and to design operations that can continue despite it.
A systemic AI threat
As AI becomes embedded across public and private sectors, Dobry warned of what he called “systemic threats.” These go beyond individual breaches. They threaten the integrity of entire ecosystems.
“Imagine a malicious actor implanting code into an AI training dataset or subtly altering model weights,” he said. “There’s currently no reliable mechanism to detect or reverse that. Over time, it could shift how national systems behave, from autonomous defence systems to healthcare diagnostics.”
The paradox, he noted, is that the very systems designed to enhance national security could become the vectors of its erosion.
A call to rebuild trust from the ground up
The message from Dobry is clear: national cybersecurity is no longer about firewalls and endpoints: it’s about verifiable trust at every layer of the digital ecosystem.
In a world of globalised manufacturing, geopolitical tension and AI-driven acceleration, the old assumption that ‘trusted’ equals ‘safe’ no longer holds. The era of implicit trust is over.
As Dobry put it: “We shouldn’t be trusting any nation-state if we can avoid it, especially when we’re building or defending against the technologies they produce.”
The challenge now is whether governments, and the international community, can evolve fast enough to secure the invisible infrastructure that everything else depends on. Because in the age of shadow networks, the most dangerous compromises are the ones no one sees coming.
