Supply chain vulnerabilities have leapt to national attention thanks to concerns about Chinese companies Huawei and ZTE, the subsequent ban of their products from use by the federal government, and President Donald Trump adding Huawei to a list of entities with which U.S. companies are prohibited from doing business.
While those actions address some of the supply chain risks from some companies, one-off bans of problematic companies will not be sufficient to protect the country. As Federal Chief Information Security Officer Grant Schneider notes, these are merely “whack-a-mole solutions to a challenge that we need a far more systemic approach to.”
The good news is that government officials are finally starting to pay attention to the vulnerability of their supply chains. Last year, the Department of Homeland Security formed an Information and Communications Technology supply chain task force filled with representatives from both the public and the private sectors. A law passed last December led to the creation of the new Federal Acquisition Security Council, which held its first meeting last month. And the White House recently released an executive order prohibiting the acquisition or use of any information and communications technology or service coming from a company deemed a national security threat.
The sudden concern is not overblown. In March, cybersecurity company Carbon Black released a report revealing that around half of all malicious cyber activities exploit supply chain vulnerabilities by “island-hopping” their way through suppliers in pursuit of a more lucrative target. In order to shore up our security, we must approach supply chain cyber risk in a systematic way. To minimize island-hopping, government and other organizations must analyze not only their own cybersecurity, but the security of the companies whose goods and services they buy and use.
The first step in assessing supply chain risk is to figure out who exactly is in an entity’s supply chain. Government contractors are tiered, and large companies at the top may not be aware of the identities and risk profiles of all of the subcontractors they rely on to deliver complex systems. As Mike Gordon, deputy chief information security officer at defense contractor Lockheed Martin, said last year, “Because of contract privity and competitive advantage, the tier one doesn’t necessarily know who in the tier four is working on a particular program, and the government does not necessarily know that either.”
Once government agencies and corporations have identified who is in their supply chain, the next step involves distinguishing which companies in their supply chain pose a threat. How can this be done?
When evaluating the risks posed by a specific supplier, there are four key factors to consider: the sensitivity of the information involved; the criticality and pervasiveness of the infrastructure at risk; the history and legal structure of the supplier's home country; and the history and structure of the supplier itself, including previous instances of cyber espionage and close ties with hostile foreign government entities or figures.
Some of these factors are easier to evaluate than others. Allegations of previous espionage or foreign ties, for instance, can be difficult to prove—especially when key information is kept classified. This was the case with a 2016 report from the Defense Department’s J-2 intelligence directorate warning against use of Lenovo products at the Pentagon.
Ultimately, then, in order to improve supply chain security, the DOD and federal intelligence agencies need to be more transparent about which companies pose risks and how heavily the government relies on them. State and local government officials, as well as many private businesses, are almost certainly less informed than federal agencies on these matters. To needlessly withhold information that could help them assess their own supply chain risks is to leave American citizens more vulnerable than they should be.
Rooting out supply chain risks may be especially problematic for smaller contractors that lack cybersecurity expertise and resources. DOD Chief Information Officer Dana Deasy hopes emerging technologies can help ease the burden for many contractors. “There is definitely going to be value in looking at how do you take the entire supply base, the [National Institute of Standards and Technology] standards, the hygiene problems we see, and can you apply [artificial intelligence] to this problem to start to identify where you may most likely are going to experience problems inside your supply chain.”
Untangling the federal supply chain may strike some as an impossible task. But improving cybersecurity requires not only proper cyber hygiene at the top levels of the supply chain, but similar hygiene at the lower levels as well. Auditing such an enormous web will require significant resources and energy. But it is far better to spend those resources preventing malicious cyber activity than cleaning up the pieces afterward.
Kathryn Waldron is a research associate at R Street Institute, where she works on issues related to national security, cybersecurity and space. Follow her on Twitter @WaldronKathryn.