The COVID-19 pandemic has wreaked havoc and disruption on many aspects of security, work, and commerce. The virus has also called attention to the vulnerabilities of the supply chain, whether in secure sourcing and reliability of operations, or in the cyber insecurities that come with interconnectivity.
Supply chain cyber-attacks can be perpetrated by nation state adversaries, espionage operators, criminals, or hacktivists. Their goal is to breach contractors, systems, companies, and suppliers through the weakest links in the chain. This is often done by taking advantage of the poor security practices of suppliers, by embedding compromised (or counterfeit) hardware and software, or through insider threats within networks.
According to a study by the risk monitoring firm Resilience360, cyber threats facing supply chains are rising in 2020; the firm counted nearly 300 major cybersecurity incidents impacting supply chain entities in 2019. Cybersecurity company Symantec found a 78% increase in supply chain attacks last year, and reported that these attacks are on the rise across all industries, including finance, oil, and the government sector.
For government, securing the supply chain has been an evolving priority. In recent months, the White House, the Department of Homeland Security (DHS), and the Department of Defense (DOD) have all enacted initiatives (and sought assistance) on supply chain security. These initiatives have been strongly influenced by the private sector. Clearly, supply chain security has to be a collaborative effort between government and industry, as most of the vendors supporting government, and most owners of critical infrastructure, including manufacturing, are in the private sector.
Supply chain issues are being formally adopted into the federal government's security strategy. On May 15, 2019, the White House issued a Presidential Executive Order to help secure the supply chain (both public and commercial), aimed at information and communications technology transactions that pose an undue risk of sabotage to or subversion of the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of information and communications technology or services in the United States.
Last summer, DHS posted an RFI for Cyber Supply Chain Risk Management. It stated that “The government seeks information about capabilities that enable identification and mitigation of information and communications technology (ICT) products (e.g., hardware, software, devices) that may contain potentially malicious functionality, are counterfeit, are vulnerable due to deficient manufacturing practices within the supply chain, or are otherwise determined to enable or constitute a threat to the United States.”
Earlier last year, DHS's fiscal year 2020 budget requested $68 million and 169 employees for the National Risk Management Center. The budget included realigning employees from DHS's Cybersecurity and Infrastructure Security Agency (CISA) to the Center to support activities related to supply chain security. Bob Kolasky, who serves as Director of the National Risk Management Center, announced that CISA will soon release supply chain guidance that incorporates aspects of DOD's Cybersecurity Maturity Model Certification (CMMC) program.
In addition to CMMC, DOD is making thorough efforts to ensure compliance and scrutiny of vendors in its acquisition supply chains. Section 881 of the 2019 NDAA bolsters the federal government's ability to combat supply chain risk by empowering the Secretary of Defense and the Secretaries of the Army, Navy, and Air Force to exclude contractors from certain procurement actions in the interest of national security, and to limit the disclosure of information relating to those exclusions.
NIST, a non-regulatory agency of the U.S. Department of Commerce, has a suggested framework for supply chain security that provides sound guidelines drawn from both government and industry:
- Identify, establish, and assess cyber supply chain risk management processes and gain stakeholder agreement
- Identify, prioritize, and assess suppliers and third-party supplier partners
- Develop contracts with suppliers and third-party partners to address your organization's supply chain risk management goals
- Routinely assess suppliers and third-party partners using audits, test results, and other forms of evaluation
- Complete testing to ensure suppliers and third-party providers are able to respond to and recover from service disruption
(Source: https://www.thomasnet.com/insights/new-nist-framework-focuses-on-supply-chain-security/)
The remedy for supply chain vulnerabilities is the closer government and industry collaboration highlighted in policy initiatives such as the NIST framework and in the task forces on supply chain security established by the Executive Branch. More precisely, it requires enacting a risk management process that identifies vulnerable systems (especially legacy systems) and gains visibility into every element of the supply chain.
Other mitigations employ new technologies that monitor, alert on, and analyze activity in the supply chain. Artificial intelligence and machine learning tools can provide visibility and predictive analytics, and steganographic and watermarking technologies can provide tracking of products and software.
As COVID-19 taught us, it is also good to have diversification and multiple sourcing of suppliers in the event of a breach. Preparation and redundancy are advantageous in crisis scenarios. But, like most issues in cybersecurity, it comes down to people, vigilant processes, and technologies, coupled with risk factors that are constantly reviewed.
About Chuck Brooks, GovCon Expert
Chuck Brooks is a globally recognized thought leader and evangelist for cybersecurity. LinkedIn named Chuck one of "The Top 5 Tech People to Follow on LinkedIn." He was named by Thomson Reuters as a "Top 50 Global Influencer in Risk, Compliance," and by IFSEC as the "#2 Global Cybersecurity Influencer." He is also a cybersecurity expert for "The Network" at the Washington Post, Visiting Editor at Homeland Security Today, and a contributor to Forbes. He has also been a featured author in technology and cybersecurity blogs by IBM, AT&T, General Dynamics Mission Systems, Cylance, Xerox, and many others.
Under President George W. Bush, Chuck was appointed the first legislative director of the DHS Science and Technology Directorate. He served as a top adviser to the late Sen. Arlen Specter, covering security and technology issues on Capitol Hill.
Chuck currently serves on the faculty of Georgetown University's graduate Applied Intelligence and Cybersecurity programs. He is president of Brooks Consulting International, a marketing and government relations firm.