This is part three in a multipart series on supply chain security; see part one and part two.

The federal government encourages many forms of voluntary security measures. The National Institute of Standards and Technology has produced a voluntary Cybersecurity Framework that is a useful way to organize, achieve and measure security progress. But voluntary measures are insufficient when adoption is uneven, because the organizations that do not adopt them remain exposed and become the weak links for everyone connected to them.

Adversaries can and will exploit the resulting gaps and wreak widespread injury through supply chain attacks directed against weak links, such as market participants indifferent to security. This exposure is also present, unfortunately, in the Department of Defense's efforts to improve the cybersecurity of defense industrial base contractors. There, contractors are required to implement the safeguards of NIST Special Publication 800-171, but there is no method of assurance or assessment beyond trusting contractors to comply with their contract terms.

An unfortunate truth about supply chain vulnerability — and especially software supply chain exposure — is the enormous attack surface and the virtually limitless number of points where an attack can be executed. Adversaries can avoid the best defended resources and most secure products (or components) and instead find weak actors and exploit insecure entry points.

Procurement measures are significant, but not sufficient

DoD has been the leader in efforts to defend against supply chain exposure. Even so, experience shows that procurement methods may not achieve effective supply chain security across the entire range of exposure.

By definition, procurement measures, such as federal acquisition regulations or contract clauses, affect only those in the chain-of-contract with the federal agency customer. While the universe of companies affected by DoD procurement measures is significant, it nonetheless represents a very small fraction of U.S. enterprises at risk.

Even where procurement methods matter, such as in DoD procurements and those of other federal agencies, today’s emphasis is on price, schedule and performance. Security requirements may be tacked on to new solicitations for supplies and services, but federal purchasers, at present, evaluate the cyber and supply chain security of contractors only in limited instances.

Federal leaders should elevate security to the point that it becomes the “fourth pillar” of the acquisition process – equal in priority to cost, schedule and performance.

Software supply chain attacks: discrete targets, broad effects

Conventional thinking has been that adversaries seek a high "return on investment" by aiming supply chain attacks at precise targets to achieve specific, impactful effects. The publicly reported experience with Kaspersky Lab software, however, suggests an alternative and very dangerous paradigm: infiltration through widely installed, commercially available software, where a single tainted product reaches every host on which it runs.

Measures confined to government contractors, or that are voluntary for commercial enterprises, do little to mitigate such threats and certainly do not defeat them. Commercial suppliers of goods or services for government use can be unwittingly exposed to tainted, widely marketed commercial software and, conceivably, to tainted firmware in widely used devices.

No part of the "system development life cycle" is free of exposure to software-delivered supply chain attack. Contemporary systems typically depend on a global supply chain for both parts and software, including open-source components from sources both known and unknown. Exposure exists at every point along the life cycle, from inception to end-of-life disposition.

Even industrial base issues come into play here, as the U.S. becomes increasingly dependent upon foreign sources for critical, high-performance microelectronics.

IoT: Internet of Threats

The Internet of Things is producing massive interconnection of sensors, devices and systems, and massive interdependencies among those systems. Literally billions of connected devices are in our near-term future. With this connectivity, the paths available for attack and for malware propagation and distribution multiply with the number of devices and the interconnections among them. Detection of and response to such attacks implicates many federal agencies, notably the FCC.

The FCC has a pivotal role in the security of our increasingly interconnected national economy. It is the "gatekeeper" for the communications instrumentalities upon which connected systems rely in the private sector and in much of the public sector.

Apart from its authority to hold regulated communications service providers to higher security standards, the FCC can play an important role in shaping future network architecture so that transport layer attacks are rapidly identified and isolated, helping to mitigate the risk of "cascading" impacts across connected systems. The FCC will also have a key role in protecting U.S. interests in the development of the 5G mobile network standards, where other nation-states may seek outcomes adverse to the U.S.

Robert Metzger is a shareholder of the law firm of Rogers, Joseph O’Donnell, PC and head of the firm’s office in Washington, D.C. As a special government employee of the Department of Defense, he was a member of the Defense Science Board (DSB) Task Force that produced the Cyber Supply Chain Report in 2017. He is active in other public-private initiatives, including cyber and supply chain security work for the MITRE Corporation.