Supply chain is under siege, agencies lack a coherent strategy

The supply chain is under siege. On Dec. 13, it was announced that hackers, alleged to be working for the Russian government, had compromised SolarWinds’ Orion network monitoring software, breaching computer systems at numerous federal agencies, large businesses, and the security firm FireEye, which first detected the intrusion, in a months-long supply chain cyberattack.

Shortly after, on Dec. 15, the Government Accountability Office publicly released a report on its review of supply chain risk management (SCRM) practices at 23 agencies, which are not named in the public report. GAO had previously identified seven foundational practices for effective SCRM. None of the 23 agencies had fully implemented all seven, and roughly 60% had not implemented any of them. As a result, the report stressed, the agencies are at greater risk that malicious actors could exploit vulnerabilities in the information and communications technology (ICT) supply chain to disrupt mission operations.

The timing of these events is not a coincidence; it is a dire warning. Our federal supply chains have been assessed and tested, and multiple gaps have been found. Agencies must act now and implement policies and practices that foster operational resilience and security.

For over 15 years I have been working with companies and government organizations on one focused area: trying to eliminate risk in the world’s most complicated supply chains, those of national defense and critical financial infrastructure. My experience and the recent turn of events have led me to a simple conclusion: we must act quickly and decisively to implement a unified approach to SCRM and adopt new technologies, or risk further losses in a race where we are clearly stumbling at enormous cost.

Supply chains serve a critical function across nearly every facet of the global economy. Their complexity may go unnoticed when things are running smoothly. However, in the event of a tectonic shock, like the COVID-19 pandemic or the recently exposed supply chain compromise attributed to Russia, disruption unfolds quickly when the extended chain comes under massive strain.

The problem extends far beyond cybersecurity. Our defense industrial base has become increasingly dependent on exquisite, integrated platforms that rely upon extremely fragile supply chains for national security. An F-35 fighter jet, for example, is made up of hundreds of thousands of individual parts from both domestic and international suppliers. Without advanced risk management systems to actively monitor this vulnerable supply chain, there is a great deal of potential for disruption.

Richard Spencer, the former secretary of the Navy, pointedly observed: “I was always less concerned with our ability to achieve overmatch with our portfolio of weapons systems than I was with the potential of our adversaries to attack and compromise our supply chains, which are the lifeblood to mission success.”

The Department of Defense’s integration of the Cybersecurity Maturity Model Certification (CMMC) into all new contracts marks another step in the government’s ongoing efforts to protect critical supply chains from malicious adversarial activity, espionage and data exfiltration. Any company looking to do business with the Pentagon will need to demonstrate CMMC compliance by 2025. Previously, companies could self-attest their compliance; under CMMC they are subject to assessment by an accredited third party, with an enforcement mechanism behind it.

This is just the latest of several recent, long-overdue actions taken by the U.S. government to elevate supply chain security and compliance. Sections 889 and 845 of the 2019 National Defense Authorization Act highlighted part of the problem: pervasive threats exist in our critical supply chains, and action is required to remove them or significantly reduce their presence. However, DoD and the defense industrial base have largely been focused on the here and now, prioritizing visibility of their systems’ supply chains and their primary suppliers in the name of transparency, with far less insight into the sub-tier suppliers behind those primaries.

From NDAA Section 889, to the hundreds of Chinese entities added to the Department of Commerce’s Entity List in 2019-2020, to last month’s Executive Order barring investment in Chinese firms with People’s Liberation Army ties, mitigating risk across supply chains is clearly becoming a top priority. Tracking the certification status of an organization’s entire supply chain, and more broadly monitoring its suppliers’ security and compliance, has never been more important, or more challenging. Given the rapid growth of supply chain cyberattacks, coupled with the tit-for-tat economic conflict between China and democracies, focus on and concern over supply chain security and compliance will only continue to grow.

This confluence of events has created a multi-pronged threat to global supply chains that cannot be ignored. This “perfect storm” is:

  • The SolarWinds supply chain cyberattack.
  • The GAO report, citing a lack of SCRM controls at 23 anonymous agencies.
  • Section 889 Part B, which bars agencies from contracting with entities that use equipment or services from the five Chinese technology companies it names, excluding them from the defense supply chain.
  • The implementation of CMMC, which requires further supply chain cybersecurity controls.

Taken together, these events send a clear message: to ensure our national security, we must secure our supply chains. This starts with recognizing that the whole-of-government challenge is far too wide-ranging and dynamic to be solved with stimulus checks or by simply throwing more people at the problem. DoD’s approach to this newly exposed and magnified threat has been the traditional one: survey collection, multi-page analyst reports and occasional manpower-intensive spot investigations, which, as the recent GAO report shows, are inadequate at any scale and cannot ensure resilience on their own.

The SolarWinds compromise has only crystallized this approach’s failure: many companies are still unsure whether the compromised product is anywhere in their supply chain, directly or through a supplier of a supplier.

Current investment levels have proven insufficient to ensure national security programs’ resilience in both the public and private sectors considering growing supply chain complexity and economy-wide consequences. Building sustained operational resilience across the government’s civilian and defense portions requires partnering with the private sector and leveraging the most innovative technology and best practices when it comes to continuous monitoring of the supply chain.

Artificial intelligence-driven technology is critical for discovering sub-tier supplier connections, actively assessing vulnerabilities, and mitigating future threats embedded layers deep in supplier networks, threats that can work their way up through the chain from a sub-tier supplier to the end product.

Both the federal government and the private sector (especially the critical-infrastructure, finance, tech verticals and beyond) must establish a common operating picture and a real-time system for detection, mitigation, and response.

More importantly, we need to harness the highly targeted power of AI and machine learning, leveraging tools that provide automatic and near-instantaneous supplier discovery down to the Nth tier and continuous 24/7 monitoring of those suppliers, a capability that is not feasible at scale through manual, exclusively human-driven processes.
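The two preceding paragraphs argue that visibility limited to primary suppliers misses risk that sits several tiers down. The following is an added illustration, not code from the article or from Interos, of the discovery step itself: once supplier relationships have been collected (the hard, data-gathering part that the tooling the author describes is meant to automate), a breadth-first walk over the supplier graph enumerates every Nth-tier supplier, records the tier at which each first appears, and reports any that match a watchlist together with the relationship chain that creates the exposure. The supplier graph, the supplier names and the watchlist are all constructed for the example and are hypothetical.

```python
"""Transitive supplier discovery over a multi-tier supplier graph.

Added example (not from the article or Interos). Given the direct supplier
relationships an organization has collected, walk the graph breadth-first,
record the lowest tier at which each supplier appears, and report which
suppliers are on a watchlist, with the chain of relationships that leads
to them.
"""
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed sample data with hypothetical supplier names (not real companies).
# Keys are organizations; values are their direct (tier-1) suppliers.
SUPPLIER_GRAPH: Dict[str, List[str]] = {
    "prime-contractor": ["avionics-co", "hull-works", "net-monitor-vendor"],
    "avionics-co": ["chip-fab-1", "board-assembly"],
    "board-assembly": ["chip-fab-1", "passive-parts"],
    "passive-parts": ["component-house-x"],
    "hull-works": ["steel-source", "prime-contractor"],  # cycle: hull-works also buys from the prime
    "net-monitor-vendor": ["build-service-y"],
    "chip-fab-1": [],
    "steel-source": [],
    "component-house-x": [],
    "build-service-y": [],
}

# Hypothetical watchlist: entities barred by policy, or a vendor known to have
# shipped a compromised product. Constructed for this example.
WATCHLIST: Set[str] = {"component-house-x", "build-service-y"}

Path = Tuple[str, ...]


def discover_tiers(graph: Dict[str, List[str]], root: str,
                   max_tier: int = None) -> Dict[str, Tuple[int, Path]]:
    """Return {supplier: (tier, path)} for every supplier reachable from root.

    Breadth-first search finds the shortest chain first, so each supplier is
    recorded at the lowest tier at which it appears. The visited set makes the
    walk terminate on cycles (mutual supply relationships are common).
    max_tier=1 reproduces a "primary suppliers only" view.
    """
    found: Dict[str, Tuple[int, Path]] = {}
    queue = deque([(root, 0, (root,))])
    seen = {root}
    while queue:
        node, tier, path = queue.popleft()
        if max_tier is not None and tier >= max_tier:
            continue  # do not expand beyond the requested depth
        for child in graph.get(node, []):
            if child in seen:
                continue
            seen.add(child)
            child_path = path + (child,)
            found[child] = (tier + 1, child_path)
            queue.append((child, tier + 1, child_path))
    return found


def exposure_report(graph: Dict[str, List[str]], root: str, watchlist: Set[str],
                    max_tier: int = None) -> List[Tuple[str, int, Path]]:
    """List (supplier, tier, path) for watchlisted suppliers reachable from root,
    ordered by tier so the closest exposures come first."""
    tiers = discover_tiers(graph, root, max_tier)
    hits = [(s, t, p) for s, (t, p) in tiers.items() if s in watchlist]
    hits.sort(key=lambda hit: (hit[1], hit[0]))
    return hits


if __name__ == "__main__":
    # A review limited to primary suppliers finds nothing on the watchlist.
    print("primary-supplier review:",
          exposure_report(SUPPLIER_GRAPH, "prime-contractor", WATCHLIST, max_tier=1))
    # The full walk surfaces exposures at tier 2 and tier 4.
    for supplier, tier, path in exposure_report(SUPPLIER_GRAPH, "prime-contractor", WATCHLIST):
        print(f"tier {tier}: {supplier} via {' -> '.join(path)}")
```

The traversal itself is simple; the point of the example is the difference between the `max_tier=1` result (empty, which is what a survey of primary suppliers would report) and the full result, which reaches a watchlisted entity four relationships away. In practice the graph is assembled from procurement records, questionnaires and external data, changes constantly, and is incomplete, which is why the author argues for continuous, automated discovery rather than periodic surveys.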

By centralizing risk at the executive level, increasing information sharing across industry, and adopting powerful, intelligent tools that can scale with the problem, our prospects become much brighter. Specifically, that means better chances of maintaining normal operations, staying ahead of our nation’s adversaries, and arming our national security leadership and the broader defense industrial base with the agility and scale to meet today’s resiliency requirements.

Jennifer Bisceglie is the CEO of Interos, a supply chain risk management company based in Arlington, Virginia, that harnesses the power of AI and machine-learning

Copyright © 2023 Federal News Network. All rights reserved.