The potential consequences of a supply chain attack are severe. Recent attention has focused on hacks resulting in exposure of private information — Sony in 2014, the Office of Personnel Management in 2015 and Equifax in 2017. The loss of confidentiality of millions of personal records, and the resulting impact upon individual privacy, are matters of great national concern.
A successful cyber-physical attack upon national infrastructure could have even worse consequences. Such attacks already have been attempted (and publicly reported) by Russia as well as Iran. Should such attacks succeed, they could produce widespread physical effects — destruction of equipment or facilities, and crippling or loss of key public assets — affecting the functioning of government, the strength of our economy, and the daily lives of millions of U.S. citizens.
The national interest is to defend against and recover from supply chain attacks. A supply chain-directed attack need not be confined to one server, one information system, one agency or enterprise, or one type of private record. Adversaries may mount simultaneous or sequential attacks on diverse industry and government sectors, related or not, with objectives that may include confusion, public frustration and leadership doubt.
Defense against such attacks, and remediation after them, requires stronger action than contract requirements and voluntary measures. Sectoral initiatives can be helpful, but they may not scale to cover the threat’s complexity or severity. Nor do they address cross- or multi-sectoral impacts.
The time to improve defenses, plan for attack, and prepare to recover is now. Waiting to act until after an attack hands adversaries an advantage they can exploit today. The situation today is what was predicted — and feared — just a few years ago. Restraint on the part of adversaries is unlikely, and certainly cannot be assumed. Deterrence has a role, but its operation is complicated by the “gray” nature of asymmetric conflict in cyber domains and the continuing difficulty of attributing attacks to their perpetrators.
Resolving tensions between government and industry
Congress has been reluctant to impose security upon the commercial sector by law or regulation. Industry has concerns about the costs and burdens of federal intervention and prefers to be free to use its superior abilities, agility and technology to deal on its own with supply chain and cyber threats.
Government and industry must work together to defend against and defeat these threats. But the stakes are too high, and the risks too great, for government to defer to industry and hope that market forces alone will produce sufficient results.
At the very least, Congress should require measures now that anticipate attack and enable prompt, effective response in the event of emergency. Threats are not directed at government separately from industry. Government and industry share an interest in finding common ground and shared methods for cooperative, mutual defense.
o There is no reason, other than optimism uninformed by experience, to trust that voluntary measures alone in the private sector will provide the needed protection to critical infrastructure. Even if some companies do it “right,” or even “better” or “best,” adversaries will attack the weaker links – and there are many enterprises indifferent to security.
o Leaders in industry will assert that they can do it better, smarter, with more agility, and with better results. That may well be true — but only for the leaders. Even then, the security of the enterprise at the end point of the supply chain does not mean that assurance extends to connected systems or to all participants in regulated industry. Incentives are needed to promote best practices in supply chain security in the private sector.
o As industry and government share exposure and will suffer similar or the same consequences of supply chain attacks, it is critical to promote means for partnership so that the private and public sectors cooperate in mutual defense and remediation when attacks occur.
Robert Metzger is a shareholder of the law firm of Rogers, Joseph O’Donnell, PC and head of the firm’s office in Washington, D.C. As a special government employee of the Department of Defense, he was a member of the Defense Science Board (DSB) Task Force that produced the Cyber Supply Chain Report in 2017. He is active in other public-private initiatives, including cyber and supply chain security work for the MITRE Corporation.