Like commercial organizations, the federal government increasingly relies upon supply-chain and third-party partnerships to conduct its operations. Yet, in doing so, agencies extend their cyber risk exposure, given that their partners’ security problems often emerge as their problems.
This is especially true when it comes to technology supply and systems. According to research from the Ponemon Institute, 56 percent of organizations have experienced a data breach caused by a third-party vendor, and 42 percent have suffered from a breach caused by an attack on one of their third parties.
In the U.S. government, leaders have raised awareness of the issue and started moving forward with policy and legislative responses:
- In September 2018, the White House unveiled its National Cyber Strategy, ensuring the administration would integrate supply-chain risk management into agency processes “in accordance with federal requirements that are consistent with industry best practices to better ensure the technology that the (government) deploys is secure and reliable.” The strategy calls for better information sharing among departments and agencies to improve supply-chain threat awareness; the creation of a supply-chain risk assessment shared service; and the establishment of more streamlined authorities within acquisition systems “to exclude risky vendors, products and services when justified.”
- In July of last year, Gregory C. Wilshusen, director of information security issues for the U.S. Government Accountability Office, testified before Congress that government information and communications systems rely on supply chains that are “long, complex and globally distributed and can consist of multiple tiers of outsourcing.” Consequently, agencies may have little visibility into, understanding of, and/or control over the technology they acquire, including the integrity, security, resilience and quality of the products and services. Global IT supply chains are introducing multiple risks to systems, he testified, including the installation of hardware or software containing malicious components that would allow attackers to take over entire systems to compromise sensitive information, disrupt operations, or launch attacks.
- Finally, the John S. McCain National Defense Authorization Act for fiscal year 2019 includes a “Permanent Supply Chain Risk Management Authority” clause, which allows Department of Defense branches to exclude contractors from supply chain-based procurements if an agency head concludes that they fail to meet qualification/evaluation standards for reducing risk.
Whether through physical or virtual access to IT systems and data, third-party suppliers stand out as a top source of risk for federal agencies and private sector enterprises due to vulnerable software and hardware, as well as poor security practices in general, according to the U.S. National Institute of Standards and Technology. In pursuing supply-chain agreements, NIST recommends that agencies ask a series of questions to determine the vigilance of a third party’s practices:
- Is the vendor’s software/hardware design process documented/repeatable/measurable?
- Is the mitigation of known vulnerabilities factored into product design?
- How does the vendor stay current on vulnerabilities?
- What physical security measures are in place?
- How does the vendor assure security through the product life cycle?
These are good questions, and, in our experience, we see government agencies asking them, often during in-person assessments and/or surveys of supply-chain/third-party candidates under consideration for contract awards. But the impact of merely asking questions is limited. It amounts to a “check the boxes” routine that never attempts to validate whether candidates actually have all of the security policies and controls in place as they claim, i.e., “Trust … But don’t verify.”
Suffice it to say, that’s not good enough. Government leaders must take a more proactive, comprehensive approach to the oversight of their partners — one that incorporates continuous IT systems monitoring throughout the entire relationship, as opposed to simply asking a few questions at the beginning stages and then assuming that everything is fine for the indefinite future.
The National Cyber Strategy appears to be taking a significant step in the right direction with regard to greater monitoring efforts. And, fortunately, there are solutions readily available that enable cybersecurity teams to do this. They establish 24/7/365 monitoring of third parties to better manage risk. They collect relevant data, observe it, contextualize it and report on it. In other words, they equip teams with the supply-chain partner intelligence required to maintain absolute awareness in real-time as to whether the relationship threatens their agency’s sensitive information and systems.
What’s more, the solutions monitor this at two key levels: First, there’s structured data, the traditional data found within the broader, public-facing internet that identifies malware, botnets, command/control infections, etc., within a third-party cyber presence that could compromise an agency.
Then, there’s unstructured data — the interactions and conversations about partners that are happening in places like the deep and dark web. The exchanges may reveal whether a bad guy is targeting a third party for an attack, for example, even specifying the intended tactics and date/time of the hit. They could also indicate whether adversaries plan to leverage the compromise of a supply chain to hack an agency, or certain individuals within an agency. With tools monitoring this without interruption, cybersecurity teams stay on top of potentially crippling weak links within the chain.
To effectively manage their risk, these teams must continuously watch over both the structured and unstructured data components of their supply chain ecosystem. Anything less would present an incomplete picture — a lack of comprehensive visibility that has now emerged as an essential pillar of a cybersecurity strategy. Don’t get me wrong … Posing questions to third-party candidates about policies and practices provides good, initial intelligence about their culture and general controls. But today’s monitoring solutions go much further, empowering teams with a “total picture” view. Without it, a great deal of supply-chain partner activity will remain out of sight and, worse yet, out of mind — leaving agencies exposed.
Brian Garmey is vice president and founder of cybersecurity company LookingGlass Cyber Solutions.