US supply chains face a wide range of challenges, risks, and vulnerabilities. From the SolarWinds attack to the recent dependency confusion attack that breached companies like Microsoft, Apple, Uber, and Tesla, supply chain cybercrime abounds. As chief information security officers (CISOs) and security teams know, supply chain incidents have cascading effects.
During the height of the COVID-19 pandemic, shortages of medical supplies such as personal protective equipment (PPE) for front-line healthcare workers, along with other critical supply shortages, were a significant problem. So, in February 2021, President Biden signed Executive Order 14017, America's Supply Chains, which calls for a comprehensive review of US supply chains to identify vulnerabilities and risks, with the aim of informing how to manage them before the next coronavirus-scale disruption occurs. The six sectors in the EO's focus are the defense industrial base (DIB), public health, information technology and communications, power and energy, transportation, and agriculture.
With the increasing reliance on digital products and services, combined with nation-state actors' advanced tactics, making cybersecurity a key facet of the EO is critically important to overall supply chain security. The global supply chain is like an organism: if one organ fails, the whole body can go down.
Cybersecurity Lessons for the Supply Chain
IT experts think about supply chain in a way that can inform the leaders of this project. The initiative includes identifying vulnerabilities created by the supply chain's reliance on digital products and services. Cybersecurity is a piece of the puzzle, but it must be a primary focus area.
The EO project's success hinges on its stakeholders considering lessons from cybersecurity's supply chain risk management initiatives, including:
- Identify the main weaknesses along the chain of production, determine which ones can be fixed cost-effectively, and compare that with the cost impact. Discover where the holes are and what's worth prioritizing based on criticality.
- Think about the supply chain like a cybersecurity practitioner does. Cyber-risk is all about making sense of multiple sources of data, and supply chain risk is the same. Don't think about the supply chain as a single entity; rather, consider it as many entities that produce data ripe for deep risk analysis.
- Standardization is hard, and communication is key. As cyber experts, managing risk is what we do, vulnerabilities and risk are the language we speak, and we had been dealing with supply chain security for years before disruptions at the scale of COVID-19 came about.
Cross-sector collaboration and a focus on strong communication across hierarchies are at the core of the cybersecurity business function. For the Biden administration's supply chain initiative to be successful, it needs to be coordinated across agencies, public entities, and private sector industry. In addition, the way the government communicates the mitigation efforts, such as increased regulation, that follow the year-long project will make or break the initiative across sectors.
The best choice is to rely on standards, measurement, and cross-industry collaboration to make this happen. Other supply chain standards, such as the Cybersecurity Maturity Model Certification (CMMC), can serve as models for a data-driven approach.
Without these considerations, we risk a lot of duplicative time, effort, and analysis, only to fail to mitigate cyber-risks and possibly result in yet another supply chain attack. We hope stakeholders will engage the information security community to bolster this project. Leveraging existing analysis by the information security community will matter to its success.
How Do We Harden the Thing We Barely Understand?
The US supply chain isn't a chain at all; it's a network. It's an ecosystem with risks coming from all angles and multiple points of failure. Gaming out all the potential risks in the US supply chain is nearly impossible; if we understood all the dependencies and probabilities, our heads might explode. We need better analysis of advanced persistent threat (APT) incentives: What do the bad guys want? What are the low-hanging targets? What are they capable of?
Doing some scenario modeling and talking in probabilities could lead to more informed decisions about mitigating risk. NIST SP 800-30 provides a structured process for assessing risk by likelihood and impact, and the FAIR model goes a step further by translating that risk into expected loss in dollars and cents. Understanding supply chain risk requires measurement, strong governance, input from security experts, information sharing, and advances in cyber and IT risk-management software. Rather than merely logging an APT's activity after the fact, start building a fact pattern about where it is likely heading next.
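To make the "talk in probabilities" concrete, and to show how the earlier point about fixing the weaknesses that can be addressed cost-effectively turns into a ranking, here is a small FAIR-style Monte Carlo model. It is an added example, not code from the article or from the FAIR standard itself. The three scenarios, their frequency and magnitude ranges, the control costs, and the control effectiveness figures are all constructed for illustration; a real analysis would calibrate them from incident data and expert estimates.

```python
"""FAIR-style Monte Carlo risk quantification for supply-chain scenarios.

Added example, not from the original article. Every number below is a
constructed illustration, not measured data.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    lef: tuple             # loss event frequency per year: (min, most_likely, max)
    lm: tuple              # loss magnitude per event in USD: (min, most_likely, max)
    control_cost: float    # assumed annual cost of the candidate mitigation, USD
    control_effect: float  # assumed fraction of loss events the mitigation prevents, 0..1


def poisson(rng, lam):
    """Knuth's algorithm: number of loss events in one simulated year at rate lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario, runs=10_000, seed=7):
    """Simulate `runs` years; each year draws a frequency, an event count, and a
    magnitude per event. Triangular draws stand in for FAIR's calibrated PERT ranges."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    lo_f, mode_f, hi_f = scenario.lef
    lo_m, mode_m, hi_m = scenario.lm
    losses = []
    for _ in range(runs):
        rate = rng.triangular(lo_f, hi_f, mode_f)
        events = poisson(rng, rate)
        losses.append(sum(rng.triangular(lo_m, hi_m, mode_m) for _ in range(events)))
    return losses


def analytic_ale(scenario):
    """Point estimate: mean frequency times mean magnitude (mean of a triangular
    distribution is (min + mode + max) / 3). Useful as a sanity check on the simulation."""
    return (sum(scenario.lef) / 3) * (sum(scenario.lm) / 3)


def quantify(scenario, runs=10_000, seed=7):
    """Annualized loss expectancy (ALE), a 95th-percentile bad year, and the
    net benefit of the proposed control (loss avoided minus control cost)."""
    losses = simulate_annual_loss(scenario, runs, seed)
    ale = statistics.fmean(losses)
    p95 = sorted(losses)[int(0.95 * runs) - 1]
    # Simplification: the control scales expected loss by the fraction of events it prevents.
    residual_ale = ale * (1 - scenario.control_effect)
    return {
        "name": scenario.name,
        "ale": ale,
        "p95_annual_loss": p95,
        "residual_ale": residual_ale,
        "net_benefit": (ale - residual_ale) - scenario.control_cost,
    }


def prioritize(scenarios, runs=10_000, seed=7):
    """Rank scenarios by ALE (criticality) and flag controls whose net benefit is positive."""
    results = [quantify(s, runs, seed) for s in scenarios]
    for r in results:
        r["fund_control"] = r["net_benefit"] > 0
    return sorted(results, key=lambda r: r["ale"], reverse=True)


# Constructed scenarios (hypothetical figures).
SCENARIOS = [
    Scenario("Malicious update through a vendor build pipeline",
             lef=(0.05, 0.2, 0.5), lm=(500_000, 2_000_000, 10_000_000),
             control_cost=300_000, control_effect=0.7),      # e.g. signed, attested builds
    Scenario("Dependency confusion against internal package names",
             lef=(0.2, 1.0, 3.0), lm=(20_000, 150_000, 800_000),
             control_cost=40_000, control_effect=0.9),       # e.g. reserved names, scoped registry
    Scenario("Single-source component outage",
             lef=(0.1, 0.3, 1.0), lm=(100_000, 500_000, 3_000_000),
             control_cost=900_000, control_effect=0.5),      # e.g. qualifying a second supplier
]

if __name__ == "__main__":
    for r in prioritize(SCENARIOS):
        print(f"{r['name']}: ALE ${r['ale']:,.0f}, p95 ${r['p95_annual_loss']:,.0f}, "
              f"net benefit of control ${r['net_benefit']:,.0f}, fund={r['fund_control']}")
```

The point of the model is the comparison, not the absolute numbers: the highest-ALE scenario is not automatically the first to fund, because a control whose annual cost exceeds the loss it avoids (the third scenario here) fails the cost-effectiveness test the article calls for, while a cheap control against a frequent, moderate-loss scenario clears it easily. The 95th-percentile figure is what a CISO quotes when asked what a bad year looks like, which the point estimate alone cannot answer.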
Cybersecurity has an advantage because we live to standardize data. We think through how complex and costly failure can be. Those at the helm of the supply chain initiative can learn much from us. If we do it right, we'll have a chance at understanding the ecosystem and finally securing the supply chain.