Dark Reading is part of the Informa Tech Division of Informa PLC


Risk

5/6/2021
10:00 AM

Biden's Supply Chain Initiative Depends on Cybersecurity Insights

Those helming the US supply chain executive order need to leverage standards, measurement, and the lessons cybersecurity leaders have learned.

US supply chains face a wide range of challenges, risks, and vulnerabilities. From the SolarWinds compromise to the recent dependency confusion research that pushed researcher-controlled packages into internal builds at Microsoft, Apple, Uber, and Tesla, supply chain attacks abound. As chief information security officers (CISOs) and security teams know, supply chain incidents have cascading effects: one compromised vendor becomes an entry point into every customer that trusts its updates.

During the height of the COVID-19 pandemic, shortages of medical supplies such as personal protective equipment (PPE) for front-line healthcare workers and other critical supply shortages were a significant problem. So, in February, President Biden signed Executive Order 14017, America's Supply Chains, which calls for a comprehensive review of US supply chains to identify vulnerabilities and risks, aiming to inform how to manage them the next time a coronavirus-like event occurs. The six sectors in the EO's focus are the defense industrial base (DIB), public health, information technology and communications, power and energy, transportation, and agriculture. 


With the increasing reliance on digital products and services, combined with nation-state actors' advanced tactics, making cybersecurity a key facet of the EO is critical to overall supply chain security. The global supply chain behaves like an organism: when one limb fails, the whole body is at risk.

Cybersecurity Lessons for the Supply Chain
IT experts think about the supply chain in a way that can inform the leaders of this project. The initiative includes identifying vulnerabilities created by the supply chain's reliance on digital products and services. Cybersecurity is only one piece of the puzzle, but it must be a primary focus area.

The EO project's success hinges on its stakeholders considering lessons from cybersecurity's supply chain risk management initiatives, including: 

  1. Identify the main weaknesses along the chain of production, determine which ones can be fixed cost-effectively, and compare the cost of each fix with the cost of the failure it prevents. Discover where the holes are and prioritize them based on criticality.

  2. Think about the supply chain like a cybersecurity practitioner does. Cyber-risk is all about making sense of multiple sources of data, and supply chain risk is the same. Don't think about the supply chain as a single entity; rather, consider it as many entities that produce data ripe for deep risk analysis.

  3. Standardization is hard, and communication is key. As cyber experts, managing risk is what we do, vulnerabilities and risk are the language we speak, and we were dealing with supply chain security for years before disruptions on the scale of COVID-19 came about.

Cross-sector collaboration and a focus on strong communication across hierarchies are at the core of the cybersecurity business function. For the Biden administration's supply chain initiative to be successful, it needs to be coordinated across agencies, public entities, and private sector industry. In addition, the way the government communicates the mitigation efforts that follow the year-long project, such as increased regulation, will make or break the initiative across sectors.

The best choice is to rely on standards, measurement, and cross-industry collaboration to make this happen. Existing supply chain standards, such as the Department of Defense's Cybersecurity Maturity Model Certification (CMMC), can serve as models for a data-driven approach.

Without these considerations, we risk a lot of duplicative time, effort, and analysis, only to fail to mitigate cyber-risks and leave the door open to yet another supply chain attack. We hope stakeholders will engage the information security community to bolster this project. Leveraging the analysis that community has already done will matter to its success.

How Do We Harden the Thing We Barely Understand?
The US supply chain isn't a chain at all; it's a network. It's an ecosystem with risks coming from all angles and multiple points of failure. Gaming out all the potential risks in the US supply chain is nearly impossible; no one fully understands all the dependencies and their probabilities. We need better analysis of advanced persistent threat (APT) incentives: What do the bad guys want? What are the low-hanging targets? What are they capable of?

Scenario modeling and reasoning in probabilities can lead to more informed decisions about mitigating risk. NIST SP 800-30 provides a structured process for assessing risk in terms of threats, vulnerabilities, likelihood, and impact, and the FAIR model goes further, expressing loss event frequency and loss magnitude as calibrated probability distributions so that risk can be stated in dollars and cents. Understanding supply chain risk requires measurement, strong governance, input from security experts, information sharing, and advances in cyber and IT risk-management software. Instead of merely logging an APT's activity, build a fact pattern about where it is likely heading next.
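To make scenario modeling and talking in probabilities concrete, here is an added example (not code from the article, from NIST, or from the FAIR standard) of a FAIR-style Monte Carlo. Each scenario gets low, most likely, and high estimates for loss event frequency and loss magnitude; the simulation turns those into an annualized loss expectancy; and candidate mitigations are then ranked by return on security investment, which is the cost-of-fix versus cost-of-failure comparison that point 1 above asks for. The scenario names, dollar figures, and control effectiveness fractions are constructed for illustration only.

```python
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass
class Scenario:
    """FAIR terms: lef = loss event frequency (events/year), lm = loss
    magnitude (USD/event); each a (low, most_likely, high) estimate."""
    name: str
    lef: tuple
    lm: tuple


@dataclass
class Control:
    """A mitigation: annual cost plus the fraction by which it cuts frequency
    and/or magnitude for the scenarios it covers (hypothetical figures)."""
    name: str
    annual_cost: float
    covers: tuple
    lef_reduction: float = 0.0
    lm_reduction: float = 0.0


def tri(rng, est):
    """Draw from a triangular distribution; random.triangular wants (low, high, mode)."""
    low, mode, high = est
    return rng.triangular(low, high, mode)


def poisson(rng, lam):
    """Number of events in one year at rate lam (Knuth's method; fine for small rates)."""
    if lam <= 0:
        return 0
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_loss(scenarios, rng, years, lef_scale=None, lm_scale=None):
    """Total loss for each of `years` simulated years. The scale dicts map a
    scenario name to a multiplier (1.0 = unchanged); that is how a control
    is applied to the scenarios it covers."""
    lef_scale, lm_scale = lef_scale or {}, lm_scale or {}
    losses = []
    for _ in range(years):
        total = 0.0
        for s in scenarios:
            rate = tri(rng, s.lef) * lef_scale.get(s.name, 1.0)
            for _ in range(poisson(rng, rate)):
                total += tri(rng, s.lm) * lm_scale.get(s.name, 1.0)
        losses.append(total)
    return losses


def annualized_loss_expectancy(losses):
    """ALE: mean simulated annual loss (0 for an empty run)."""
    return mean(losses) if losses else 0.0


def rank_controls(scenarios, controls, seed=7, years=5000):
    """Return (baseline ALE, controls sorted by return on security investment),
    ROSI = (ALE reduction - annual cost) / annual cost. Each run restarts the
    generator from the same seed so every comparison starts from the same draws."""
    baseline = annualized_loss_expectancy(
        simulate_annual_loss(scenarios, random.Random(seed), years))
    results = []
    for c in controls:
        lef_scale = {n: 1.0 - c.lef_reduction for n in c.covers}
        lm_scale = {n: 1.0 - c.lm_reduction for n in c.covers}
        ale = annualized_loss_expectancy(simulate_annual_loss(
            scenarios, random.Random(seed), years, lef_scale, lm_scale))
        benefit = baseline - ale
        results.append({"control": c.name, "ale_after": ale, "benefit": benefit,
                        "rosi": (benefit - c.annual_cost) / c.annual_cost})
    results.sort(key=lambda r: r["rosi"], reverse=True)
    return baseline, results


# Constructed scenarios and controls: illustrative numbers, not real estimates.
PIPELINE = "Compromised build pipeline at a software vendor"
DEPCONF = "Dependency confusion on internal package names"
OUTAGE = "Single-source component supplier outage"
SCENARIOS = [
    Scenario(PIPELINE, lef=(0.05, 0.2, 0.5), lm=(500_000, 2_000_000, 10_000_000)),
    Scenario(DEPCONF, lef=(0.1, 0.5, 1.5), lm=(50_000, 300_000, 2_000_000)),
    Scenario(OUTAGE, lef=(0.2, 0.8, 2.0), lm=(100_000, 400_000, 1_500_000)),
]
CONTROLS = [
    Control("Verify vendor build provenance", 250_000, (PIPELINE,), lef_reduction=0.5),
    Control("Scope internal package registry", 40_000, (DEPCONF,), lef_reduction=0.9),
    Control("Qualify a second-source supplier", 600_000, (OUTAGE,), lm_reduction=0.6),
]

if __name__ == "__main__":
    base, ranked = rank_controls(SCENARIOS, CONTROLS)
    print(f"Baseline ALE: ${base:,.0f}")
    for r in ranked:
        print(f"{r['control']:<36} benefit ${r['benefit']:>11,.0f}  ROSI {r['rosi']:+.2f}")
```

With these constructed inputs the cheap registry scoping control comes out far ahead, the vendor provenance check roughly pays for itself, and the expensive second-source qualification has a negative return despite addressing the most frequent scenario: the ranking follows from frequency times magnitude against cost, not from how alarming a scenario sounds. Swap in your own calibrated estimates and the same code gives the prioritization that point 1 above describes.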

Cybersecurity has an advantage because we live to standardize data. We think through how complex and costly failure can be. Those at the helm of the supply chain initiative can learn much from us. If we do it right, we'll have a chance at understanding the ecosystem and finally securing the supply chain.

As CyberSaint's CPO and Co-Founder, Padraic is a risk and compliance product innovator supporting CISOs, CIOs, and boards of directors to manage cybersecurity as a business function. Padraic's current activity spans working directly with organizations from public agencies to ...
 
