In February, President Joe Biden signed Executive Order 14017, calling for a comprehensive review of critical U.S. supply chains. The action was in response to shortages of medical supplies such as personal protective equipment (PPE) for front-line healthcare workers during the height of the COVID-19 pandemic. Other needs identified by the order included semiconductor chips for the automotive industry and other high-tech applications.
These issues hinder Americans’ ability to obtain essential products, and create instability for workers in affected industries. The goal of the new order, according to the White House, is to proactively address such issues before they recur.
“While we cannot predict what crisis will hit us, we should have the capacity to respond quickly in the face of challenges,” the White House said. “The United States must ensure that production shortages, trade disruptions, natural disasters, and potential actions by foreign competitors and adversaries never leave the United States vulnerable again.”
The President’s campaign made it clear that his Administration is committed to addressing supply-chain risks comprehensively. But will the initiative succeed?
From a security standpoint, there are a number of issues that the Administration should consider. Failure to do so will result in duplicative time and effort, wasting resources while failing to mitigate cyber risks that could result in another supply-chain attack.
The first step to ensuring the security of U.S. supply chains is to identify their vulnerabilities and risks. Biden’s executive order focuses on six sectors: the defense industrial base, public health, information technology and communications, power and energy, transportation, and agriculture.
The reliance of supply chains on digital products and services has created serious vulnerabilities, making cybersecurity an essential part of the review. The fear that a nation-state actor could decide to hold up the supply chain via cybercrime is real. Section 4.4 of the executive order makes it clear that cyber risk management is a key concern and area of focus. Within a year, reports must be submitted covering the current state of supply chains’ reliance on competitor nations. How the government engages the information-security community for this purpose will make or break the initiative across all sectors.
Ensuring Results in One Year
The undertaking covers a lot of territory for a single-year timeframe. It’s critical that the information security and technology community, drawing on lessons from the past year, provide input to the parties that are driving the initiative. The efforts of industry groups such as information sharing and analysis centers (ISACs) and the IT Sector Coordinating Council (ITSCC) will be core to success. In addition, there’s a mountain of data and analytics coming out of the big four consulting firms on which risks to prioritize when dealing with third parties.
The U.S. Department of Defense should play a key role in helping the initiative to roll out seamlessly. A comparable effort being overseen by DOD is the Cybersecurity Maturity Model Certification (CMMC), requiring suppliers of government-contracted materials to meet specific standards. One key piece of advice, based on public and private reaction to the CMMC thus far, is to avoid as much as possible mixing contract award and review processes. Sector industry leaders and government agencies should work together to decide on a simple yet effective standard for cyber across the various supply chains simply.
The Importance of Standardization
Creating the right partnerships and obtaining input from information security experts is one thing, but ensuring increased cybersecurity maturity across U.S. supply chains is quite another. Communication is the one element that can make or break new requirements when rolled out to an ecosystem this large. It’s driven by measurement, with results standardized across groups regardless of their level of cybersecurity maturity. Standards such as the NIST CSF Supply Chain Risk Management subcategory or previously mentioned CMMC are great tools for making requirements clear, and implementing them effectively across supply chains. The cyber-assessment methodologies under NIST CSF are especially valuable in providing context for suppliers with little knowledge of information security.
When it comes to measurement, gaming out all of the potential risks in U.S. supply chains is impossible, given the complexity of global supply-chain ecosystems. It’s nevertheless valuable to identify scenarios that examine various potential points of failure. Leveraging existing risk-quantification methodologies in creative ways is key to achieving true resilience. It’s essential that companies understand supply-chain risk as a means of achieving good governance, drawing on input from security teams, data and information sharing, and advances in risk-management software.
One can only hope that Biden’s supply-chain initiative will take advantage of existing data from past events, and predictive analyses about the future. Can the entire supply chain be benchmarked, and all vulnerabilities be identified in a single year? And can we mitigate the severe cyber risk in U.S. supply chains? That remains to be seen.
Padraic O'Reilly is co-founder and chief product officer of CyberSaint.
Timely, incisive articles delivered directly to your inbox.