Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
10:00 AM
Connect Directly
E-Mail vvv

Biden's Supply Chain Initiative Depends on Cybersecurity Insights

Those helming the US supply chain executive order need to leverage standards, measurement, and the lessons cybersecurity leaders have learned.

US supply chains face a wide range of challenges, risks, and vulnerabilities. From the SolarWinds attack to the recent dependency confusion attack that breached companies like Microsoft, Apple, Uber, and Tesla, supply chain cybercrime abounds. As chief information security officers (CISOs) and security teams know, supply chain incidents have cascading effects. 

During the height of the COVID-19 pandemic, shortages of medical supplies such as personal protective equipment (PPE) for front-line healthcare workers and other critical supply shortages were a significant problem. So, in February, President Biden signed Executive Order 14017, America's Supply Chains, which calls for a comprehensive review of US supply chains to identify vulnerabilities and risks, aiming to inform how to manage them the next time a coronavirus-like event occurs. The six sectors in the EO's focus are the defense industrial base (DIB), public health, information technology and communications, power and energy, transportation, and agriculture. 

Related Content:

How to Choose the Right Cybersecurity Framework

Special Report: Tech Insights: Detecting and Preventing Insider Data Leaks

New From The Edge: 10K Hackers Defend the Planet Against Extraterrestrials

With the increasing reliance on digital products and services combined with nation-state actors' advanced tactics, making cybersecurity a key facet of the EO is critically important to overall supply chain security. The global supply chain is like an organism; if one foot falls off, the whole body goes down.

Cybersecurity Lessons for the Supply Chain
IT experts think about supply chain in a way that can inform the leaders of this project. The initiative includes identifying vulnerabilities created by the supply chain's reliance on digital products and services. Cybersecurity is a piece of the puzzle, but it must be a primary focus area. 

The EO project's success hinges on its stakeholders considering lessons from cybersecurity's supply chain risk management initiatives, including: 

  1. Identify the main weaknesses along the chain of production, determine which ones can be fixed cost-effectively, and compare that with the cost impact. Discover where the holes are and what's worth prioritizing based on criticality. 

  2. Think about the supply chain like a cybersecurity practitioner does. Cyber-risk is all about making sense of multiple sources of data, and supply chain risk is the same. Don't think about the supply chain as a single entity; rather, consider it as many entities that produce data ripe for deep risk analysis.

  3. Standardization is hard, and communication is key. As cyber experts, managing risk is what we do, vulnerabilities and risk is the language we speak in, and we've been dealing with supply chain security for years before disruptions at the scale of COVID-19 came about.

Cross-sector collaboration and a focus on strong communication across hierarchies is at the core of the cybersecurity business function. For the Biden administration's supply chain initiative to be successful, it needs to be coordinated across agencies, public entities, and private sector industry. In addition, the way the government communicates mitigation efforts, such as increased regulation, that follow the year-long project will make or break the initiative across sectors.

The best choice is to rely on standards, measurement, and cross-industry collaboration to make this happen. Other supply chain standards, such as the Cybersecurity Maturity Model Certification (CMMC), can serve as models for a data-driven approach. 

Without these considerations, we risk a lot of duplicative time, effort, and analysis, only to fail to mitigate cyber-risks and possibly result in yet another supply chain attack. We hope stakeholders will engage the information security community to bolster this project. Leveraging existing analysis by the information security community will matter to its success. 

How Do We Harden the Thing We Barely Understand?
The US supply chain isn't a chain at all; it's a network. It's an ecosystem with risks coming from all angles and multiple points of failure. Gaming out all the potential risks in the US supply chain is nearly impossible; if we understood all the dependencies and probabilities, our heads might explode. We need better analysis of advanced persistent threat (APT) incentives: What do the bad guys want? What are the low-hanging targets? What are they capable of?

Doing some scenario modeling and talking in probabilities could lead to more informed decisions regarding mitigating risk. NIST 800-30 and the FAIR model are examples of risk-quantification methods that aim to translate cybersecurity risk into dollars and cents. Understanding supply chain risk requires measurement, strong governance, input from security experts, information sharing, and advances in cyber and IT risk-management software. Instead of logging an APT's activity, start getting a fact pattern about where they may be going.

Cybersecurity has an advantage because we live to standardize data. We think through how complex and costly failure can be. Those at the helm of the supply chain initiative can learn much from us. If we do it right, we'll have a chance at understanding the ecosystem and finally securing the supply chain.

As CyberSaint's CPO and Co-Founder, Padraic is a risk and compliance product innovator supporting CISOs, CIOs, and boards of directors to manage cybersecurity as a business function. Padraic's current activity spans working directly with organizations from public agencies to ... View Full Bio
Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file