The production of information and communications technology (ICT) relies upon a complex assembly line that traverses the globe. Parts are manufactured in one country and assembled into components in another. Software may be designed and coded in different locations and then embedded in hardware in a factory located in yet another country. All of these exchanges present opportunities to introduce modifications that could impact the integrity of the product and its intended use.
ICT includes key technologies involved in digital transformation, such as broadband networks, the Internet of things and artificial intelligence systems. To get an idea of the ICT supply chain risks in the federal government, as well as guidance for managing that risk, read the National Institute of Standards and Technology’s “Supply Chain Risk Management Practices for Federal Information Systems and Organizations.”
If a federal agency purchases products that might have been compromised at some stage during their manufacture, assembly or delivery, the agency itself risks a security breach. A number of initiatives are attempting to address this critical concern, including:
- The Department of Homeland Security (DHS) is creating the DHS ICT Supply Chain Task Force. The task force will partner with industry to work on near- and long-term solutions to manage strategic risks through policy initiatives.
- Several recently passed statutes address protection of the government’s supply chain. Most notably, the Federal Acquisition Supply Chain Risk Security Act of 2018 establishes the roles and responsibilities of the agencies responsible for managing supply chain risk in government procurements.
- The Department of Defense is currently looking to include supply chain risk as a factor to consider in source selection evaluations.
- Section 514 of the Commerce, Justice, Science, and Related Agencies Appropriations Act prohibits funds for ICT acquisitions unless the acquiring agencies have done their due diligence through an assessment of the supply chain risk of the technology being acquired.
This increased level of attention comes after several events that were not widely publicized. These include documented cases of foreign manufacturers using ICT to maliciously target U.S. entities. The concern has risen to a level that some firms have been listed by name in legislation prohibiting procurement of equipment they manufacture.
The challenge, however, is identifying the providers of every component of an ICT device, since a product sold by a U.S. technology firm may use parts manufactured by hostile nation-states. In some cases, component suppliers are several layers removed from the vendor, and the selling organization may have no visibility into all of the parties contributing to the end product.
Threats to the federal supply chain are not new and were first recognized over 40 years ago. In a 1974 security evaluation for the Multics System—a mainframe introduced in 1965—Air Force officers Paul Karger and Roger Schell noted that, “Trap doors can be inserted during the distribution phase. If updates are sent via insecure communications—either U.S. Mail or insecure telecommunications—the penetrator can intercept the update and subtly modify it. The penetrator could also generate his own updates and distribute them using forged stationery.”
The U.S. Mail and forged stationery were dangerous enough 40 years ago. Today, there are far more creative ways to attack the supply chain.
Is this issue too big to handle?
Securing the global supply chain presents challenges to both national security and the global economy. Unfortunately, the countries and companies being targeted by legislation are often the source of the low-cost labor that enables firms to price their products competitively.
Understanding the complete flow of a product through all of its stages of production (which may include uninspected manufacturing facilities) is not easy. However, the current climate is going to force firms to look more closely at the way products are manufactured and sold to the market. In some cases, a manufacturer’s supply chain could exclude it from bidding on federal procurements. And, as several corporations and executives have learned recently, a negative report about a security incident can be very costly—affecting both potential business and the broader brand reputation.
Where to start
As with all elements of a successful security program, attention to detail is critical. Agencies need to understand and document their supply chains, including not only their suppliers but also their suppliers’ suppliers. A few good questions to ask include:
- Where are all of the components being manufactured?
- Are there any parts of the chain that are foreign-owned?
- Who has access to the products and the equipment used in the manufacturing process?
- Are there physical and environmental controls to maintain the integrity of the product?
Don’t assume your agency has these answers already. Ask for and require thorough, specific responses.
The global supply chain is yet another risk that must be managed to safeguard information and information assets. The probability of a compromise may be low, but its impact is very high. While it is good to see legislation being developed and committees formed to assess the problem, it is more important that agencies recognize the risk and take action to reduce their exposure.
For more insight on protecting agencies from threats, read my previous blog post “Treating cybersecurity like workplace safety.”