Risk

5/6/2021 10:00 AM
Biden's Supply Chain Initiative Depends on Cybersecurity Insights

Those helming the US supply chain executive order need to leverage standards, measurement, and the lessons cybersecurity leaders have learned.

US supply chains face a wide range of challenges, risks, and vulnerabilities. From the SolarWinds attack to the recent dependency confusion attack that breached companies like Microsoft, Apple, Uber, and Tesla, supply chain cybercrime abounds. As chief information security officers (CISOs) and security teams know, supply chain incidents have cascading effects. 

During the height of the COVID-19 pandemic, shortages of medical supplies such as personal protective equipment (PPE) for front-line healthcare workers and other critical supply shortages were a significant problem. So, in February, President Biden signed Executive Order 14017, America's Supply Chains, which calls for a comprehensive review of US supply chains to identify vulnerabilities and risks, aiming to inform how to manage them the next time a coronavirus-like event occurs. The six sectors in the EO's focus are the defense industrial base (DIB), public health, information technology and communications, power and energy, transportation, and agriculture. 

With the increasing reliance on digital products and services combined with nation-state actors' advanced tactics, making cybersecurity a key facet of the EO is critically important to overall supply chain security. The global supply chain is like an organism; if one foot falls off, the whole body goes down.

Cybersecurity Lessons for the Supply Chain
IT experts think about the supply chain in a way that can inform the leaders of this project. The initiative includes identifying vulnerabilities created by the supply chain's reliance on digital products and services. Cybersecurity is one piece of the puzzle, but it must be a primary focus area.

The EO project's success hinges on its stakeholders considering lessons from cybersecurity's supply chain risk management initiatives, including: 

  1. Identify the main weaknesses along the chain of production, determine which ones can be fixed cost-effectively, and compare that with the cost impact. Discover where the holes are and what's worth prioritizing based on criticality. 

  2. Think about the supply chain like a cybersecurity practitioner does. Cyber-risk is all about making sense of multiple sources of data, and supply chain risk is the same. Don't think about the supply chain as a single entity; rather, consider it as many entities that produce data ripe for deep risk analysis.

  3. Standardization is hard, and communication is key. As cyber experts, managing risk is what we do, vulnerabilities and risk are the language we speak, and we had been dealing with supply chain security for years before disruptions at the scale of COVID-19 came about.

Cross-sector collaboration and a focus on strong communication across hierarchies are at the core of the cybersecurity business function. For the Biden administration's supply chain initiative to be successful, it needs to be coordinated across agencies, public entities, and private sector industry. In addition, the way the government communicates the mitigation efforts that follow the year-long project, such as increased regulation, will make or break the initiative across sectors.

The best choice is to rely on standards, measurement, and cross-industry collaboration to make this happen. Other supply chain standards, such as the Cybersecurity Maturity Model Certification (CMMC), can serve as models for a data-driven approach. 

Without these considerations, we risk a lot of duplicative time, effort, and analysis, only to fail to mitigate cyber-risks and possibly end up with yet another supply chain attack. We hope stakeholders will engage the information security community to bolster this project. Leveraging the community's existing analysis will matter to its success.

How Do We Harden the Thing We Barely Understand?
The US supply chain isn't a chain at all; it's a network. It's an ecosystem with risks coming from all angles and multiple points of failure. Gaming out all the potential risks in the US supply chain is nearly impossible; if we understood all the dependencies and probabilities, our heads might explode. We need better analysis of advanced persistent threat (APT) incentives: What do the bad guys want? What are the low-hanging targets? What are they capable of?

Doing some scenario modeling and talking in probabilities could lead to more informed decisions about mitigating risk. NIST SP 800-30 and the FAIR model are examples of risk-quantification methods that aim to translate cybersecurity risk into dollars and cents. Understanding supply chain risk requires measurement, strong governance, input from security experts, information sharing, and advances in cyber and IT risk-management software. Instead of merely logging an APT's activity, start building a fact pattern about where they may be going.
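The following is an added example, not code from the article or from CyberSaint, showing what "talking in probabilities" looks like in practice for both the FAIR-style quantification mentioned here and lesson 1 above (decide which weaknesses are worth fixing by comparing mitigation cost with cost impact). It runs a Monte Carlo simulation in the FAIR style: calibrated minimum / most-likely / maximum estimates for loss event frequency and loss magnitude are sampled with triangular distributions, the number of events in a simulated year is drawn from a Poisson process, and the resulting annual-loss distribution is summarized. The two scenarios (unpinned third-party packages in a build pipeline, before and after pinning and verifying them) and every number in them are constructed for illustration, as is the annual mitigation cost; the `Scenario` class and helper functions are this example's own, not part of FAIR or any library.

```python
"""FAIR-style Monte Carlo risk quantification (added illustration, constructed data)."""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """Calibrated min / most-likely / max estimates, FAIR style.
    lef_* = loss event frequency (events per year)
    lm_*  = loss magnitude per event (USD)"""
    name: str
    lef_min: float
    lef_mode: float
    lef_max: float
    lm_min: float
    lm_mode: float
    lm_max: float


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small yearly rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, iterations: int = 10_000, seed: int = 7) -> list:
    """Each sample is the total loss in one simulated year for scenario s."""
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        # random.triangular takes (low, high, mode)
        rate = rng.triangular(s.lef_min, s.lef_max, s.lef_mode)
        events = poisson(rng, rate)
        losses.append(sum(rng.triangular(s.lm_min, s.lm_max, s.lm_mode)
                          for _ in range(events)))
    return losses


def expected_annual_loss(s: Scenario) -> float:
    """Closed-form ALE = mean(LEF) * mean(LM); a triangular mean is (min+mode+max)/3."""
    mean_lef = (s.lef_min + s.lef_mode + s.lef_max) / 3
    mean_lm = (s.lm_min + s.lm_mode + s.lm_max) / 3
    return mean_lef * mean_lm


def summarize(losses: list, tolerance: float) -> dict:
    """ALE plus tail percentiles and the chance of exceeding a stated loss tolerance."""
    ranked = sorted(losses)

    def pct(q: float) -> float:
        return ranked[min(len(ranked) - 1, int(q * len(ranked)))]

    return {
        "ale": statistics.fmean(losses),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),
        "p_exceeds_tolerance": sum(1 for x in losses if x > tolerance) / len(losses),
    }


def mitigation_value(before: Scenario, after: Scenario, annual_cost: float,
                     iterations: int = 10_000, seed: int = 7) -> dict:
    """Compare the ALE reduction a control buys against what the control costs per year."""
    ale_before = statistics.fmean(simulate_annual_losses(before, iterations, seed))
    ale_after = statistics.fmean(simulate_annual_losses(after, iterations, seed))
    reduction = ale_before - ale_after
    return {"ale_before": ale_before, "ale_after": ale_after, "reduction": reduction,
            "net_benefit": reduction - annual_cost, "worth_it": reduction > annual_cost}


# Constructed scenarios: a build pipeline that pulls unpinned third-party packages,
# before and after pinning versions and verifying them. Numbers are illustrative only.
UNPINNED = Scenario("unpinned dependencies", 0.2, 0.5, 2.0, 50_000, 200_000, 1_000_000)
PINNED = Scenario("pinned and verified dependencies", 0.05, 0.1, 0.5, 50_000, 200_000, 1_000_000)
MITIGATION_COST_PER_YEAR = 60_000.0  # constructed: tooling plus engineering time

if __name__ == "__main__":
    for scenario in (UNPINNED, PINNED):
        stats = summarize(simulate_annual_losses(scenario), tolerance=1_000_000)
        print(scenario.name, {k: round(v, 3) for k, v in stats.items()},
              "analytic ALE", round(expected_annual_loss(scenario)))
    print(mitigation_value(UNPINNED, PINNED, MITIGATION_COST_PER_YEAR))
```

The simulated ALE converges on the closed-form product of the two means, but the tail percentiles and the exceedance probability are what the closed form cannot give you, and they are what a board asks about; the `worth_it` comparison is the cost-effectiveness test from lesson 1 written down. Replacing the triangular draws with calibrated PERT or lognormal distributions is the usual next step once real estimates are available.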

Cybersecurity has an advantage because we live to standardize data. We think through how complex and costly failure can be. Those at the helm of the supply chain initiative can learn much from us. If we do it right, we'll have a chance at understanding the ecosystem and finally securing the supply chain.

As CyberSaint's CPO and Co-Founder, Padraic is a risk and compliance product innovator supporting CISOs, CIOs, and boards of directors to manage cybersecurity as a business function. Padraic's current activity spans working directly with organizations from public agencies to ...