Supply chain security is a problem that crosses traditional boundaries. One sector can be exposed to or impacted by an attack upon another, or even be used as a vehicle. Lines between cyber effects and physical results are blurred by the nature of cyber-physical attacks that use software to deny, damage or destroy physical assets.
Hostile nations can conduct asymmetric warfare by use of supply chain-directed attacks as surrogates or alternates for conventional military power. In this context, defense of the homeland requires actions coordinated among the civilian agencies, the Department of Defense and the intelligence community.
Cross-agency action on threat information is needed. Adversaries’ tactics, techniques and procedures in supply chain attacks are known or knowable to the IC and other specialized assets of the U.S. government. Methods to deter or respond to such attacks may reside in the DoD and its components. The National Protection and Programs Directorate (NPPD) of DHS has many responsibilities and resources for protection of domestic infrastructure and industry.
Understanding how an adversary may attack, its methods, and where attacks have been attempted (globally) is key to informing deflection of threats, detection of events, protection and recovery. An effective national response to supply chain threats utilizes all-source intelligence and coordinated collection and analysis. Both DHS and DoD now are moving in this direction.
Reforming, empowering, evaluating
There is widespread enthusiasm for measures that will “reform” federal procurement to reduce barriers to commercial sources, encourage innovation, speed purchase and delivery, and eliminate the regulatory cost premium.
In the 2016 National Defense Authorization Act, Congress authorized an independent advisory panel on streamlining and codifying acquisition regulations (the “section 809 panel”). Improved security was not in the charter of the section 809 panel, but there is potential tension between security objectives, which can add time, expense and federal-specific demands to acquisitions, and the objectives of section 809 and similar reform efforts.
The solution may be to establish risk-informed categories for DoD procurement such that greater security obligations are imposed upon the “higher” tiers but minimized for commodity, commercial-off-the-shelf and other low-risk items.
Congress allows DoD to exclude “high risk” supply chain sources, and now DoD is working to better utilize that authority. The Kaspersky Labs example is one where national interest led to the exclusion of a suspect source.
Reportedly, DoD is now working on a software “do not buy” list. Congress is looking at extending this authority to other departments and agencies, and at other measures to prevent contracting with the enemy on a whole-of-government basis.
Such initiatives will have significant effect upon thousands of private-sector enterprises. Agencies need to improve coordination to produce consistent goals, uniform measures and fair process. NIST can play an especially important role here, given the widespread private sector use of the cybersecurity framework.
Agencies should wield the power
As the threat environment worsens, regulatory agencies should be ready to use their authority on a coordinated basis to improve supply chain defenses, promote resiliency and enable recovery. While regulatory agencies have limited purchasing leverage, they have sweeping authority over enterprises subject to their oversight.
In some cases, regulatory agencies can condition market access upon or otherwise mandate security measures. They have authority over market entry, licensing, approvals, qualification, eligibility and more. They should use that authority to inform, instruct, enable, and assess self-improvement. But they should hold in reserve the authority to require improved security.
International measures require multi-agency coordination. There are distinct U.S. interests in protecting supply chain security for our Government, and for our national economy. But supply chain security also affects our allies and other trading partners; truly, it is an international problem.
Ultimately, the U.S. cannot “go it alone” or separate itself from a global supply chain.
For this among many other reasons, solutions to supply chain risks will involve international cooperation. Important measures may be achieved through international agreement, and international organizations will play a critical role in setting standards and best practices. It may be advantageous to U.S. interests to promote a council of allied countries to exchange information about supply chain vulnerabilities and responses.
Past doctrines, historical methods and legacy techniques have limited value today. Conventional thinking needs to change to confront the contemporary threat environment. New actions are necessary to challenge orthodoxy and adroitly secure the supply chain.