Attacks on the global supply chain—sabotaging hardware components, installing malware or backdoors in software—are the stuff security nightmares are made of. A new public-private task force formed by the Department of Homeland Security will help companies manage their risk.
Pretty much every kind of product or service relies on a long chain of partners and suppliers. Hardware manufacturers work with multiple suppliers for their chips and components, and software developers integrate their code with various open source frameworks and third-party libraries. It’s difficult for enterprises to know all the different players and the parts they contributed, making it tremendously challenging to have a complete assessment of what they have. And when they don’t know what they have, they don’t know if they have any vulnerable components.
The Information and Communications Technology Supply Chain Risk Management Task Force is made up of representatives from the public and private sectors. They will meet regularly to identify threats to the supply chain and develop recommendations on managing risk. The task force will also conduct an inventory of existing industry and government supply chain initiatives, so that it understands what is already in place and does not duplicate efforts.
“It is my hope that the Task Force will tackle the full spectrum of the cyber supply chain—the people, the equipment, the processes—that forms the basis of the operations of the digital society in which we live and work today,” said Edna Conway, Cisco’s chief security officer for its global value chain, a member of the Task Force’s executive committee.
The ICT Supply Chain Task Force will help government officials understand supply chain issues and create policy recommendations. One such recommendation would be to buy hardware and software directly from original vendors and authorized resellers to reduce the risk of dealing with unknown sellers or untrusted components. The task force plans to create a list of trusted vendors according to a strict set of criteria and allow only those vendors to bid for contracts.
The task force’s initial work doesn’t seem to be focused on banning specific suppliers or countries. There has been a lot of rhetoric coming out of the government over the past year about companies being untrustworthy because of their geographic location and/or close relationships with their government, but not much on the specifics. It doesn’t appear that the task force will be unilaterally saying which suppliers can’t be on the trusted list. However, it will be interesting to see how the task force members create the vetted list of vendors and what criteria they use to do so. Transparency in how the task force creates the evaluation criteria will be important to maintain trust in the list.
Conway said that to approach supply chain risk "comprehensively," the group would need to identify areas of potential impact. Those may include natural disasters, geopolitical and economic disruption, workforce instability, weak infrastructure security, insufficient end-user risk awareness, and financial volatility. Supply chain risk management requires prioritizing each risk by both its likelihood of occurrence and the severity of its impact, as well as establishing criteria for addressing that impact, Conway said.
The task force, announced at the same time as the new National Risk Management Center earlier this year, has representatives from more than two dozen companies and industry groups, including Accenture, AT&T, CenturyLink, Charter, Cisco, Comcast, CTIA, CyberRx, Cybersecurity Coalition, Cyxtera, FireEye, Intel, ITI, IT-ISAC, Microsoft, NAB, NCTA, NTCA, Palo Alto Networks, Samsung, Sprint, Threat Sketch, TIA, T-Mobile, US Telecom and Verizon. From the government side, representatives from the Departments of Homeland Security, Defense, Justice, and Treasury are part of the task force, as well as representatives from the Office of the Director of National Intelligence.
Enterprises and governments can no longer identify and defend against the threats in the global supply chain on their own.
“The nature of supply chain threats, because they can encompass a product’s entire life cycle…make them particularly challenging to defend against,” Christopher Krebs, the Under Secretary for the DHS National Protection and Programs Directorate, said recently. The Task Force will “seek holistic solutions” to “develop near- and long-term strategies to address supply chain risks.”