Lillian Ablon is an information scientist at the RAND Corporation.
There’s no better way to kick off cybersecurity awareness month than with an explosive story involving a foreign country successfully infiltrating the supply chain of U.S. companies and surreptitiously implanting malicious computer chips into components so widely used that the aftermath could ricochet around the world.
Whether the attack even happened is subject to debate. Bloomberg broke the news of China’s alleged attack earlier this month, but many experts, U.S. and U.K. security agencies and the Silicon Valley-based companies whose products were supposedly affected, all expressed strong doubt that the attack happened in the manner reported, if at all. I count myself among them.
True or not, the report fueled an important discussion about whether businesses should make security more of a priority when it comes to their supply chains. Even the simplest devices can rely on parts from multiple suppliers, which may have their own suppliers and so on. But every supplier, no matter how small, represents a potential weak link in the chain. Hardware or software can present an entry point for attack. Parts and algorithms can be altered to introduce malicious behavior. The technology used to manage the supply chain that provides the parts — such as the databases that hold contracting or ordering information — can also be breached and manipulated.
Supply chain risk management, as it’s known, is the process of identifying vulnerabilities and threats to a supply chain and developing strategies to prevent a disruption anywhere along the road, from design to production to distribution. It encompasses cyber as well as more conventional threats. And yet, while every supplier in the chain needs to ensure its own systems are protected from tampering, simply identifying each supplier is a herculean task. It’s impossible to determine which ones pose the most risk if you can’t identify them, let alone to ensure they comply with the most effective security practices. When the supplier is a continent away, the task is even more difficult.
Furthermore, the suppliers are running a business and want to maintain a competitive advantage. Companies are reluctant to identify their sub-suppliers, since a customer might skip the intermediary to obtain parts for less. Or a supplier lower on the chain might try to negotiate a higher price after learning what fancy product is being manufactured.
Solutions — largely commercially available products and frameworks — do exist to help manage supply-chain risks posed by conventional threats, including disruptions in operations caused by natural disasters, financial failures or poor-quality products. They offer features like geographic visualization that shows the locations and transportation routes of critical assets in the supply chain, real-time monitoring that provides news and updates about suppliers, and compliance trackers that follow changes in industry regulations.
But none of these solutions magically provides full visibility into a product’s supply chain and processes, and most do not explicitly address vulnerabilities and threats specific to cybersecurity. This is likely because the cyber component of supply chain risk management is so nascent, and it is already a challenge to address conventional risks.
Furthermore, the unwillingness or inability of suppliers to share specific details about their supply chains could hamper the effectiveness of such solutions. While some sub-tier suppliers, in particular those supplying the Department of Defense, are required to report their security posture back to the top-level company or agency purchasing the product, there is often no oversight or auditing to make them prove they are maintaining appropriate security standards. Having formal requirements for doing so could help in selecting “less risky” suppliers and might reduce the overall likelihood of malicious manipulation.
One way to create such oversight is for the government to create a new authority that focuses on supply chain security and has the power to conduct meaningful audits. Or the task could be shared by existing organizations that already assess conventional supply chain risk.
Even if the “Big Hack,” as Bloomberg called it, never happened, it serves as a potent reminder of the cybersecurity risks to the supply chain. Companies also need to do their part by establishing internal teams to oversee and guide risk assessments and audits of suppliers, lengthening production timelines to make it easier to monitor the supply chain, and purchasing goods from suppliers that comply with basic cybersecurity standards and are verified by an independent third-party organization.
Functionality, timeliness and profitability are often at odds with security — until a cyberattack occurs. When an actual attack on the supply chain occurs, manufacturers and purchasers should be better positioned to respond and recover. Even in this modern high-tech era, old-fashioned oversight could make all the difference.