Joe Jarzombek, a cybersecurity expert at the Department of Homeland Security, recently participated in the 2015 SSCA (Software and Supply Chain Assurance) Winter Working Group Session, which focused on improving cooperation between government and industry in the area of information and communication technology assurance. The Cipher Brief spoke with Jarzombek about the threats that face supply chains and the best way to mitigate them.
The Cipher Brief: What would you say are the greatest threats to global supply chains, and why?
Joe Jarzombek: Supply chains represent the most vulnerable vector of attack to exploit enterprises that are increasingly more at risk from these external dependencies. This is due to heavy dependence on commercial Information and Communications Technology (ICT) for mission critical systems with an increasing reliance on globally-sourced ICT hardware, software, and services. Inspection of processes from both suppliers and buyers indicates there are varying levels of development/outsourcing controls; a lack of transparency in process chain of custody and varying levels of acquisition “due-diligence.” As a result, residual risk is being passed to end-user enterprises in the form of counterfeit products; defective products; products tainted with malware, exploitable weaknesses and vulnerabilities; and ICT services lacking adequate security controls. The growing technological sophistication among our adversaries has allowed them to capitalize on the exploitable aspects of the Internet that enable them to probe, penetrate, and attack us remotely. Supply chain attacks can exploit products and processes throughout the lifecycle. As such, sloppy “manufacturing cyber hygiene” and the lack of enforced liability for non-conforming products that might contain defective or tainted constructs (such as malware, exploitable weaknesses and vulnerabilities) contribute to making it easy for threat actors to exploit enterprises.
TCB: What are the most effective methods for businesses to mitigate the risks to their supply chains?
JJ: Businesses need to signal that sloppy “manufacturing cyber hygiene” is not acceptable by potential suppliers. The best signals are via purchasing contracts that need to have terms and conditions to address acceptance criteria and liability for non-conforming products. As part of purchasing practices, and prior to being used in operations, ICT components need to have been tested for malware, known vulnerabilities (CVEs in the National Vulnerability Database), and exploitable weaknesses (CWEs) that are most applicable to the technology for the deployed environment – either by testing conducted by the using enterprise or through independent third-party evaluation and certification.
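An acceptance gate of the kind this answer describes, as an added example that is not part of the original interview: it checks an incoming component against a known-vulnerability record (a constructed stand-in for an NVD lookup), against the CWE classes the buyer has deemed applicable to its deployed environment, and against a malware-scan result, and reports the non-conformances a contract's acceptance criteria would act on. Component names, versions and the CVE id are constructed placeholders; the CWE ids are real classes chosen as an illustrative policy.

```python
"""Pre-operations acceptance check for ICT components (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class Component:
    name: str
    version: str
    cwe_findings: list = field(default_factory=list)  # CWE ids reported by the buyer's or a third party's testing
    malware_hits: int = 0                              # detections from an anti-malware / sandbox scan


# Constructed stand-in for an NVD lookup: (product, version) -> known CVE ids.
# "CVE-0000-0001" is a placeholder, not a real record.
KNOWN_VULNS = {
    ("widget-lib", "1.2.0"): ["CVE-0000-0001"],
    ("widget-lib", "1.3.0"): [],
    ("gateway-fw", "4.0"): [],
}

# CWE classes the buyer considers most applicable to its environment (here: an
# internet-facing web front end). A finding in any of these is a non-conformance;
# findings outside the list are recorded by testing but do not block acceptance.
APPLICABLE_CWES = {"CWE-79", "CWE-89", "CWE-798"}  # XSS, SQL injection, hard-coded credentials


def evaluate(component: Component) -> list:
    """Return the acceptance failures for one component; an empty list means accepted."""
    failures = []
    cves = KNOWN_VULNS.get((component.name, component.version))
    if cves is None:
        # No test record at all: the contract's acceptance criteria cannot be shown to be met.
        failures.append("no vulnerability record for this version; product is untested")
    elif cves:
        failures.append("known vulnerabilities: " + ", ".join(cves))
    applicable = sorted(set(component.cwe_findings) & APPLICABLE_CWES)
    if applicable:
        failures.append("exploitable weaknesses applicable to environment: " + ", ".join(applicable))
    if component.malware_hits:
        failures.append(f"malware detections: {component.malware_hits}")
    return failures


def acceptance_report(components: list) -> dict:
    """Map each component to its failures; non-empty entries are non-conforming products."""
    return {f"{c.name}@{c.version}": evaluate(c) for c in components}
```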
TCB: How do you anticipate the sources and intensity of supply chain risk to change over the next 10 years? What do you see as the primary drivers of these changes?
JJ: With the proliferation of network-connectable devices in the era of the Internet of Things (IoT), there will be more sources of supply chain risk; yet there could be a growing demand for independent testing and certification of products and devices most associated with consumer safety and business continuity. For instance, the Underwriters Labs “Cybersecurity Assurance Program” (CAP) that is already being piloted for launch in March 2016 will provide benchmark standards for network-connectable devices, starting with industrial control systems and medical devices. Businesses and consumers will be able to buy IoT products that have been tested and certified not to have known vulnerabilities, and classes of exploitable weaknesses and malware that put businesses at risk. Insurance providers will be determining coverage requirements and premiums based on how organizations have composed their infrastructure. Purchasing and using exploitable products (when certified alternatives are available) would place consumers and businesses in less than optimal insurable postures. Hacking of exploitable products and cyber insurance will be the top considerations that influence business decisions to demand more of supply chain actors.
TCB: What steps has the government taken to ensure the integrity of its supply chain and acquisitions process? What work still needs to be done?
JJ: Several departments and agencies have updated their policies and directives for acquisition to more explicitly address supply chain risk management (SCRM) by referencing security controls in NIST SP 800-161 SCRM Practices to be used by acquisition and procurement officials in contracts, including flow-down requirements to sub-tier suppliers. For instance, the Department of Defense has updated DoD Instruction 5200.44 to mitigate vulnerabilities in supply chain and systems design. DHS Sensitive Systems Policy Directive 4300A articulates Departmental policies, standards, and guidelines relevant to IT system security, and in Sept 2015 the DHS CISO released version 12 of 4300A to provide more explicit guidance for supply chain risk management. A few of the agencies have evolved their acquisition risk assessments to better address risk exposures attributable to supply chain actors and products, and GSA has worked with these agencies to develop a business due-diligence risk assessment capability with a sharable set of criteria for assessing supply chain risks in support of acquisition and procurement. While much is available for use, it is still a matter of time before broader enterprise use of SCRM becomes engrained in practice.
TCB: What lessons can businesses take away from the government’s efforts in this area? How can business and the government work together to improve supply chain security?
JJ: The government has acknowledged that it might cost more upfront to address cybersecurity in acquisition; knowing it costs much more in terms of lifecycle costs when focusing primarily on least cost in acquisition. For ICT products to be technically acceptable or ‘fit for use’ in business and government, the products must be trusted and that requires security to be explicitly addressed in the supply chain. The interagency Software & Supply Chain Assurance (SSCA) Forum and working groups have provided a public-private collaboration venue for identifying and sharing software assurance and supply chain risk management practices and controls that can be used by government and business in acquisition, development, and lifecycle support. With quarterly meetings open to the public without charge, the SSCA Forum and working groups offer excellent opportunities for business and government to continue to work together to improve supply chain security.