There’s nothing new about supply chain attacks—or regulations designed to protect against them.
In 2008, President George W. Bush established the Comprehensive National Cybersecurity Initiative (CNCI) to protect the U.S. against the economic and national security threat posed by cyberattacks. Later that same year, President Obama ordered a review of federal efforts to protect U.S. information and critical infrastructure and the development of a plan to secure America’s digital future.
In 2009, President Obama accepted the resulting recommendations, publishing a list of 12 initiatives—including one to “Develop a multi-pronged approach for global supply chain risk management.” This document became the first federal attempt to legislate improvements to supply chain security… and it wouldn’t be the last.
Several further attempts have been made to embed supply chain risk management (SCRM) in legislative and best practice cybersecurity frameworks.
The National Institute of Standards and Technology (NIST) began work on its first SCRM framework shortly after the CNCI document was released. This led to the publication of NIST SP 800-161 in 2015. SCRM was added to the Cybersecurity Framework (CSF) in 2017 in recognition of the risk of supply chain attacks on critical infrastructure. In 2021, NIST released a further publication on SCRM best practices.
Further guidance and recommendations have been published on several occasions by the Cybersecurity and Infrastructure Security Agency (CISA) to help federal agencies understand and protect against supply chain threats. As of December 2021, NIST is in the process of updating SP 800-161, partially in response to the President’s Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity.
But the question is: have all these initiatives, frameworks, and executive orders worked?
Things Aren’t Improving
Despite attempts to regulate improvements to SCRM, the nation’s resilience to supply chain threats remains poor. This has been highlighted by several recent and high-profile attacks, which have led to the compromise of an unknown (but very high) number of sensitive and confidential records from government agencies, critical infrastructure providers, and private sector organizations.
This should not be a surprise. In 2020, the General Accountability Office (GAO) reviewed 23 federal agencies’ SCRM practices to determine the extent to which they had implemented foundational SCRM practices. The GAO published its findings in December 2020, finding that none of the agencies had fully implemented all of the SCRM practices, and more than half had not implemented any of the practices.
The report concluded that: “As a result of these weaknesses, these agencies are at a greater risk that malicious actors could exploit vulnerabilities in the ICT supply chain causing disruption to mission operations, harm to individuals, or theft of intellectual property.”
But couldn’t President Biden’s Executive Order be the turning point we’ve been waiting for? It’s possible, but is it likely?
Tom Cornelius, Senior Partner at ComplianceForge, explains:
“Executive Order 14028 only goes so far due to its requirements focus on government agencies, not private industry. The same goes for NIST publications. This misplaced reliance on “trickle-down” cybersecurity requirements is underscored by the low-adoption rate of NIST SP 800-171 for defense contractors. It highlights the significant challenges of rolling out cybersecurity requirements to private industry through purchasing-specific regulations that are limited in scope, as compared to a Federal law that can have more uniform applicability that spans industry verticals. Requirements for SCRM have to be understood and adopted by every stakeholder within the supply chain for SCRM to work.”
What Damage Could Supply Chain Attacks Cause?
Supply chain attacks against U.S. targets pose a huge threat. The country has political and economic adversaries that have a vested interest in disrupting U.S. infrastructure and stealing state and industry secrets. There is no doubt these adversaries are already searching for further targets for supply chain attacks and may well already have a foothold inside key supply chain targets, waiting for an opportunity to infiltrate high-value targets.
Some of the top risks associated with supply chain attacks include:
- Serious disruption to federal agencies, public services, or critical infrastructure.
- Loss, theft, or tampering of classified government data by criminals or nation-states.
- Theft of personally identifiable information relating to U.S. citizens.
- Theft of data or digital assets that could allow rival nations to gain an advantage over the U.S. in trade, intelligence, or military action.
These consequences aren’t limited to supply chain attacks targeting branches of the U.S. government or critical infrastructure providers.
Advanced threat groups have displayed a willingness to infiltrate other targets of interest in the private sector, including universities, pharmaceutical providers, hospitals, technology companies, and more. Common motives include espionage, sabotage, and—in the case of criminal groups—pure profit.
If EO 14028 isn’t enough to protect the U.S. against these threats, what else can be done?
Securing the Software Supply Chain
Though many organizations may not know where to begin, starting with supply chain integrity— which is ensuring your services and products are in a secure state— is ultimately the best beginning path for securing the software supply chain.
Beginning With System Integrity
Technical controls can be put into place to help identify when a supply chain attack is in process. Ultimately a system and integrity monitoring tool is key to securing an organization by providing the insight needed to identify in real-time when unexpected changes happen.
Our new report, ‘Protecting the U.S. From Software Supply Chain Attacks,’ explains why technology vendors are frequently the weak link that allows criminal and state-sponsored hacking groups to access sensitive data and systems, conduct espionage, and disrupt operations. To protect against the dangers of supply chain attacks, technology vendors must have a legal obligation to uphold a minimum standard of SCRM.
Download the report to learn:
- Why President Biden’s Executive Order and new publications from NIST and CISA aren’t enough to protect the U.S. from supply chain attacks.
- What consequences a supply chain attack could have on federal agencies, state governments, and even private organizations.
- The risk posed by unregulated technology vendors and why it’s unrealistic to expect buyers to shoulder the burden of vetting every supplier’s SCRM capabilities.
- Our proposed approach to address supply chain risk in the U.S. and how regulators could structure a legal framework for SCRM.
February 15, 2022