China's Secret Tunnel into the Heart of America's Defense Industry
The Defense Department and federal intelligence agencies need to be more transparent about which companies pose risks to national security and how much they rely on them.
Supply chain vulnerabilities have leapt to national attention thanks to concerns about Chinese companies Huawei and ZTE, the subsequent ban of their products from use by the federal government, and President Donald Trump’s adding Huawei to a list of entities with whom U.S. companies are prohibited from doing business.
While those actions address some of the supply chain risks from some companies, one-off bans of problematic companies will not be sufficient to protect the country. As Federal Chief Information Security Officer Grant Schneider notes, these are merely “whack-a-mole solutions to a challenge that we need a far more systemic approach to.”
The good news is that government officials are finally starting to pay attention to the vulnerability of their supply chains. Last year, the Department of Homeland Security formed an Information and Communications Technology supply chain task force filled with representatives from both the public and the private sectors. A law passed last December led to the creation of the new Federal Acquisition Security Council, which held its first meeting last month. And the White House recently released an executive order prohibiting the acquisition or use of any information and communications technology or service coming from a company deemed a national security threat.
The sudden concern is not overblown. In March, cybersecurity company Carbon Black released a report revealing that around half of all malicious cyber activities exploit supply chain vulnerabilities by “island-hopping” their way through suppliers in pursuit of a more lucrative target. In order to shore up our security, we must approach supply chain cyber risk in a systematic way. To minimize island-hopping, government and other organizations must analyze not only their own cybersecurity, but the security of the companies whose goods and services they buy and use.
The first step in assessing supply chain risk is to figure out who exactly is in an entity’s supply chain. Government contractors are tiered, and large companies at the top may not be aware of the identities and risk profiles of all of the subcontractors they rely on to deliver complex systems. As Mike Gordon, deputy chief information security officer at defense contractor Lockheed Martin, said last year, “Because of contract privity and competitive advantage, the tier one doesn’t necessarily know who in the tier four is working on a particular program, and the government does not necessarily know that either.”