Fears of a full-on cyberattack, or more insidious scattered technical invasions, have escalated since the 2016 U.S. presidential election was found to be influenced by foreign hacking. More recently, unrest in the Middle East following U.S. threats of war against Iran, as well as the 2020 elections have fueled concerns about vulnerability in the American government’s technical supply chain.
At the same time the U.S. government is working to prevent foreign telecommunications firms like China-based Huawei from building 5G networks in the United States, as well as for allies’ networks that they could breach, the country could face a more menacing risk from its own IT supply chain exposure.
Comprehensive policies lacking
The U.S.-China Economic and Security Review Commission in a 2018 report on this threat declared that U.S. government laws and policies do not currently address supply chain risk management comprehensively. The commission, created by Congress to report on the national security implications of the U.S.-China trade relationship, stated that Chinese companies are used to further state goals and target U.S. federal networks and those of its contractors.
“The U.S. government needs a national strategy for supply chain risk management (SCRM) of commercial supply chain vulnerabilities in U.S. federal information and communications technology (ICT), including procurement linked to the People’s Republic of China,” the report warned.
Future risks to the supply chain will involve software, cloud-based infrastructures and hyper-converged products, rather than simply hardware, the report said. The business alliances, investment sources and joint research of vendors, suppliers or manufacturers are also sources of risk that are not always included in traditional supply chain risk assessment.
Similar worries plague large private-sector organizations, and for good reason: Securing a complex technology supply chain can’t begin until it’s understood where the dangers lie, and how to implement a course of action that builds resiliency in that supply chain.
The U.S. government’s chief information security officer, Grant Schneider, in December 2019 told a technology security summit that there are still few answers on how to secure the government’s technology supply chain. “Could [a company] come under the influence of a foreign adversary in any way shape or form? Is there quality where we need it to be? … How do we ensure their supply chain and the parts that they’re taking in and putting inside their box are actually the parts they’re expecting?”
Who should be the auditor?
The federal government isn’t certain whether it should conduct its own assessments of which technology contractors in its chain are meeting requirements, or whether that assessment function should be handled by a third party, Schneider admitted. The vetting responsibility gains urgency when you realize many of the U.S. government’s technology suppliers are foreign entities that could be susceptible to interference by adversarial nations or rogue terrorist actors.
In light of the unease of the U.S. government’s top cybersecurity boss over weaknesses in the nation’s technology supply chain, here are several recommendation on how to keep you supply chain secure.
- First, agree on a consistent standard. Standards like ISO 28000, which outline specific requirements for a security management system, including aspects critical to security assurance of the supply chain, or the U.S. National Institute of Standards and Technology (NIST) framework, which provides voluntary guidance, based on existing standards, guidelines and practices for organizations to better manage and reduce cybersecurity risk are both excellent starting points. Regardless of which standard is chosen, a clear set of requirements for the government or business to follow can help ensure technology supply chains are secure.
- Build supply chain security into contracting requirements. Make it mandatory for bidding that companies abide by particular supply chain security requirements.
- Include supply chain security requirements in regular audits of vendors and contractors, benchmarking them against the standard, and include these measurements in evaluations of overall vendor performance.
- Be active in building databases of supply chain security-related incidents and suppliers that have been identified as higher-risk. Intelligence-sharing among government agencies, between government and the private sector and within a company’s industry would help in this area as well, to ensure that organizations are more prepared for emerging perils and can avoid common pitfalls once they realize they have them with their suppliers.
- Continue to stress the importance of corporate due diligence. This is already a priority from an anti-corruption perspective, but it should be extended as a general supply chain measure. Suppliers should be vetted for their possible connections to foreign governments (or “politically exposed persons,” in the parlance of due diligence) to determine how much influence those foreign governments may have over them.
To address sensitive, mission-critical challenges like the U.S. government faces today with its technology pipeline, organizations need to understand where their vulnerabilities lie and take actions that build resiliency into the supply chain. There are always numerous risks in every supply chain. Comprehending those risks, where they exist, and their predictability helps governments — and all organizations — mitigate the delays, costs and dangers that can result.
Tony is a supply chain risk consultant at BSI Supply Chain Services and Solutions with a range of specialized skill sets, including experience in conducting end-to-end, enterprise-level supply chain risk assessments for clients and their supply chain partners. Tony has led assessments where he models, forecasts and quantifies the risk of cargo theft, counterfeiting and other supply chain risks, and has assessed over $50 billion in trade in the electronics, pharmaceutical and consumer products industries over the past three years.