Those helming the US supply chain executive order need to leverage standards, measurement, and the lessons cybersecurity leaders have learned.

Padraic O'Reilly, Chief Product Officer & Co-Founder of CyberSaint Security

May 6, 2021

4 Min Read

US supply chains face a wide range of challenges, risks, and vulnerabilities. From the SolarWinds attack to the recent dependency confusion attack that breached companies like Microsoft, Apple, Uber, and Tesla, supply chain cybercrime abounds. As chief information security officers (CISOs) and security teams know, supply chain incidents have cascading effects.

During the height of the COVID-19 pandemic, shortages of medical supplies such as personal protective equipment (PPE) for front-line healthcare workers and other critical supply shortages were a significant problem. So, in February, President Biden signed Executive Order 14017, America's Supply Chains, which calls for a comprehensive review of US supply chains to identify vulnerabilities and risks, aiming to inform how to manage them the next time a coronavirus-like event occurs. The six sectors in the EO's focus are the defense industrial base (DIB), public health, information technology and communications, power and energy, transportation, and agriculture.

With the increasing reliance on digital products and services combined with nation-state actors' advanced tactics, making cybersecurity a key facet of the EO is critically important to overall supply chain security. The global supply chain is like an organism; if one foot falls off, the whole body goes down.

Cybersecurity Lessons for the Supply Chain
IT experts think about supply chain in a way that can inform the leaders of this project. The initiative includes identifying vulnerabilities created by the supply chain's reliance on digital products and services. Cybersecurity is a piece of the puzzle, but it must be a primary focus area.

The EO project's success hinges on its stakeholders considering lessons from cybersecurity's supply chain risk management initiatives, including:

  1. Identify the main weaknesses along the chain of production, determine which ones can be fixed cost-effectively, and compare that with the cost impact. Discover where the holes are and what's worth prioritizing based on criticality.

  2. Think about the supply chain like a cybersecurity practitioner does. Cyber-risk is all about making sense of multiple sources of data, and supply chain risk is the same. Don't think about the supply chain as a single entity; rather, consider it as many entities that produce data ripe for deep risk analysis.

  3. Standardization is hard, and communication is key. As cyber experts, managing risk is what we do, vulnerabilities and risk is the language we speak in, and we've been dealing with supply chain security for years before disruptions at the scale of COVID-19 came about.

Cross-sector collaboration and a focus on strong communication across hierarchies is at the core of the cybersecurity business function. For the Biden administration's supply chain initiative to be successful, it needs to be coordinated across agencies, public entities, and private sector industry. In addition, the way the government communicates mitigation efforts, such as increased regulation, that follow the year-long project will make or break the initiative across sectors.

The best choice is to rely on standards, measurement, and cross-industry collaboration to make this happen. Other supply chain standards, such as the Cybersecurity Maturity Model Certification (CMMC), can serve as models for a data-driven approach.

Without these considerations, we risk a lot of duplicative time, effort, and analysis, only to fail to mitigate cyber-risks and possibly result in yet another supply chain attack. We hope stakeholders will engage the information security community to bolster this project. Leveraging existing analysis by the information security community will matter to its success.

How Do We Harden the Thing We Barely Understand?
The US supply chain isn't a chain at all; it's a network. It's an ecosystem with risks coming from all angles and multiple points of failure. Gaming out all the potential risks in the US supply chain is nearly impossible; if we understood all the dependencies and probabilities, our heads might explode. We need better analysis of advanced persistent threat (APT) incentives: What do the bad guys want? What are the low-hanging targets? What are they capable of?

Doing some scenario modeling and talking in probabilities could lead to more informed decisions regarding mitigating risk. NIST 800-30 and the FAIR model are examples of risk-quantification methods that aim to translate cybersecurity risk into dollars and cents. Understanding supply chain risk requires measurement, strong governance, input from security experts, information sharing, and advances in cyber and IT risk-management software. Instead of logging an APT's activity, start getting a fact pattern about where they may be going.

Cybersecurity has an advantage because we live to standardize data. We think through how complex and costly failure can be. Those at the helm of the supply chain initiative can learn much from us. If we do it right, we'll have a chance at understanding the ecosystem and finally securing the supply chain.

About the Author(s)

Padraic O'Reilly

Padraic O'Reilly

Chief Product Officer & Co-Founder of CyberSaint Security

As CyberSaint's CPO and Co-Founder, Padraic is a risk and compliance product innovator supporting CISOs, CIOs, and boards of directors to manage cybersecurity as a business function. Padraic's current activity spans working directly with organizations from public agencies to private companies globally to understand how to measure, track, and manage cyber-risk holistically and in real time, especially as they embark on massive digital transformation projects. Padraic is an expert in regulatory standards both in security and privacy, including the NIST Risk Management and NIST Privacy Frameworks. An expert in artificial intelligence (AI) and economic modeling, Padraic holds a patent titled, "System And Method for Monitoring And Grading A Cybersecurity Framework," which has inspired much of his work on automation for IT and cyber-risk management delivered by CyberSaint's CyberStrong platform. Padraic is passionate about delivering cutting-edge cyber-risk automation technology to enable standardization, visibility, and governance in cyber and IT.

See more from Padraic O'Reilly
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Subscribe

You May Also Like

More Insights
Webinars
More Webinars
Events
More Events

Editor's Choice

Mitre company logo
Cyberattacks & Data Breaches
Top MITRE ATT&CK Techniques and How to Defend Against ThemTop MITRE ATT&CK Techniques and How to Defend Against Them
byNate Nelson, Contributing Writer
Apr 10, 2024
4 Min Read
A medical professional wearing scrub attire clicking on a screen in front of her
Cyberattacks & Data Breaches
Round 2: Change Healthcare Targeted in Second Ransomware AttackRound 2: Change Healthcare Targeted in Second Ransomware Attack
byDark Reading Staff
Apr 8, 2024
2 Min Read
A magnifying glass being held up in front of the apple logo
Vulnerabilities & Threats
Apple Warns Users in 150 Countries of Mercenary Spyware AttacksApple Warns Users Targeted by Mercenary Spyware
byDark Reading Staff
Apr 11, 2024
1 Min Read
Reports
More Reports
White Papers
More Whitepapers
Events
More Events