This is the first piece in a multi-part commentary series.
Nation-state adversaries have exploited supply chain vulnerabilities for various hostile purposes, including theft of IP and technical data, attacks upon control systems used for electrical utilities, and manipulation of software to achieve unauthorized access to connected systems. Not enough is done to protect against the range of supply chain threats. This presents grave exposure to federal interests.
A 2013 Defense Science Board report, “Resilient Military Systems and the Advanced Cyber Threat,” observed that the “challenge to supply chain management in a cyber-contested environment is significant.” Since that report, the challenge has only grown, and with increased dependency on “smart” devices, vulnerabilities and potential consequences have magnified. In February 2017, the DSB released a Cyber Supply Chain Task Force report, which focused on security of weapons systems against forms of supply chain attacks. This DSB report found that attack surfaces are found in the global commercial supply chain, the DoD acquisition supply chain, and the sustainment supply chain, and concluded that present capabilities to mitigate supply chain risk are limited.
Today’s picture is changed because what were forecast as possibilities now are reality. Adversaries seek ways to avoid areas of U.S. dominance and to challenge U.S. interests in cyber-enabled domains upon which our government, industry and populace rely. In contested cyberspace, traditional boundaries are blurred. Threats to the whole of government affect the whole of American society.
The Changing Nature of Supply Chain Threats
Just a few years ago, Congress enacted Section 818 of the 2012 National Defense Authorization Act to protect DoD against counterfeit electronic parts. The principal concern was the purchase and use of electronic parts that were non-authentic and would fail when installed or used in the intended environment. Supply chain threats are now understood as broader than the example of counterfeit electronics. As shown by the well-publicized experience with Kaspersky Labs anti-virus software, the “software supply chain” is at risk, raising the possibility of millions of infected computers and networks.
Software increasingly defines the boundaries, operation, and security of systems relied upon by all facets of civil society – consumer-facing, industrial, transportation, energy, healthcare, communications – as well as defense missions and management. The functionality of electronic systems increasingly is achieved through software. A modern airliner may have more than 10 million lines of code. A premium automobile may have 100 million lines of code operating 50 or more computerized engine control units. Electronic systems are increasingly command-driven through connections to remote sensors and cloud-based applications.
The co-dependency of so many varieties of software-dependent systems is accompanied by enlarged exposure to harm should adversaries choose to make supply chain or cyber-physical attacks. As software has become more complex, many developers rely upon open sources for part of the code. In some cases, these sources are not trustworthy or no established means exist to establish trust. Should open-source code be the target of malicious software insertion, great damage can be done to connected systems – and to the people and enterprises who depend upon them.
The federal government, pursuant to the Federal Information Systems Modernization Act (FISMA), has focused upon cyber threats to information and information systems. Supply chain risks extend further, to include attacks where non-conforming or counterfeit parts infiltrate the supply chain, as well as cyber-physical threats, by which adversaries introduce malware or exploit latent vulnerabilities in firmware or software to produce physical effects on connected or controlled systems.
These supply chain threats reach beyond public sector boundaries to include core industrial capabilities and every infrastructure component. Such threats are real and present – as evidenced by recent headlines.
The New York Times reported on March 15, 2018, that the Trump Administration accused Russia of cyberattacks that targeted and could have shut off nuclear power plants and water and electric systems. Another Times story, also dated March 15, 2018, described a “new kind of cyberassault’” on petrochemical facilities in Saudi Arabia. The story described the attack as “not designed to simply destroy data or shut down the plant.” Instead, the attack was “meant to sabotage the firm’s operations and trigger an explosion.”
Robert Metzger is a shareholder of the law firm of Rogers, Joseph O’Donnell, PC and head of the firm’s office in Washington, D.C. As a special government employee of the Department of Defense, he was a member of the Defense Science Board (DSB) Task Force that produced the Cyber Supply Chain Report in 2017. He is active in other public-private initiatives, including cyber and supply chain security work for the MITRE Corporation.