Supply chain security is tricky: Organizations have to make sure they aren’t using components from untrustworthy vendors or suppliers, but they don’t know which ones to avoid.
The Cybersecurity Information Sharing Act (passed in 2015) created a system for sharing information about specific “cyber threat indicators,” but that term refers to elements such as suspicious emails and network activity. Organizations can share threat indicators, attack information, and vulnerabilities with each other and with the government, formally via information-sharing partnerships and repositories or informally through personal contacts. Supply chain threats such as backdoors in software or intentionally tampered-with components don’t really fall within the law’s scope.
There really isn’t a formal mechanism that helps organizations identify and report suppliers and vendors they don’t think should be trusted. In fact, if an organization voices concerns about the cybersecurity risks of a vendor or product, it could face significant legal penalties.
If a company “comes across an issue with an untrusted vendor, they have significant civil litigation risk for publicly outing that company,” Christopher Krebs, director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, told Sen. James Lankford during a Senate committee hearing on supply chain security.
The concerns could be something about software or some pattern of activity on a piece of equipment, and being able to share with peers at other companies would be “beneficial,” but there are multiple reasons not to say anything publicly, Robert Mayer, senior vice president for cybersecurity at USTelecom, told the House Homeland Security Committee at a separate hearing on supply chain security in mid-October.
“Information about suspect suppliers cannot be freely exchanged when enterprises are subject to a variety of legal actions, including violations of federal or state anti-trust laws, anti-competitive behaviors or deceptive trade practices,” Mayer said in his prepared remarks.
CISA’s ICT Supply Chain Risk Management Task Force has been looking at the challenges companies and governments face in sharing information to protect the supply chain, and one of the task force’s goals is to develop recommendations on how that information can be shared. The Task Force identified “current gaps” in the government’s ability to collect relevant information on bad actors, to use that information when evaluating vendors, and to share it with the private sector, Krebs said in his prepared remarks to the Senate Committee on Homeland Security and Governmental Affairs.
“Crucially, the Task Force also identified limitations on private-to-private information sharing on supply chain risks because of lingering legal concerns,” Krebs said. A working group within the Task Force will make recommendations for legal and regulatory changes so that this kind of enhanced information sharing becomes possible, Krebs said.
Krebs also noted that companies in the nuclear power industry are required to notify regulators of risky suppliers, but that other “high-risk areas of infrastructure” don’t have this kind of regulatory requirement.
Organizations are increasingly including their supply chain and third-party partnerships in their risk calculations, said Michael Clauser, global head of data and trust at public policy firm Access Partnership. However, just because this kind of assessment is becoming more common doesn’t mean it has stopped being a subjective process. The assessments “may be predicated on judgement calls with imperfect levels of confidence,” Clauser said.
“Unlike the sharing of technical cyber threat indicators, sharing assessments of third-party and vendor trust is a less mature and defined process,” Clauser said. Public disclosure has its own challenges. There are no set standards for what a supplier should do, and getting agreement on what constitutes a risk would be difficult, as something that is risky for one company isn’t necessarily risky for another. Problems in the supply chain aren’t always malicious or intentional—quite often the risks have more to do with operational process, such as storing data in an exposed database in the cloud, said Chris Morales, head of security analytics at Vectra. In those situations, it would be easier to “personally assess vendors in the supply chain and then work with those key vendors to correct the problem.”
“Supply chain security is a dynamic and fluid attack surface and not static,” Morales said.
Congress should explore ways to give private sector firms incentives to share information about suppliers they found untrustworthy during their own due diligence. Appropriate protections could take the form of financial incentives or legal cover so that companies don’t have to worry about litigation. Another option—which the ICT Task Force is currently working on—is to have the federal government set a supply chain standard for its agencies and departments. If suppliers and vendors had to meet the government’s requirements, that would have a downstream effect on the rest of the market.
“Make it easier for companies to share information on risky vendors that they come across, and make it similarly easy for me to share that information,” Krebs said at the hearing.