When the talk turns to cybersecurity, most people think about cyber attacks, trusted Internet connections and malicious bots. But do they think about the security of the supply chain that brings routers, switches, and other hardware and software components into your network to prosecute your mission?
That was the focus of Wednesday morning's panel discussion opening the second day of TechNet Land Forces East in Baltimore. Moderator Jarrellann Filsinger, security engineer at the National Archives and Records Administration's Information Assurance Office, said it is more important than ever for information technology managers to know what they are buying.
Dan Wolf, president of Cyber Pack Ventures, described the risks that need to be considered. Among these risks are the increasing dependency of manufacturers on foreign sources and subcontractors, the existence of counterfeit products being sold that work for no longer than 20 minutes, more products containing components designed with malicious intent and equipment sourcing that reflects what some say is the United States having ceded its technological edge in some areas.
Wolf observed that supply chain concerns in the cybersecurity area need to be addressed in the Federal Acquisition Regulations, and he asked if threat evaluations and assessments should become part of the acquisitions process.
Barbara Fast, vice president and senior adviser on cybersecurity, CGI, discussed the importance of allowing identification of best practices, methods for risk assessment and incident reporting, and solutions that can be shared with the public and private sector in a timely manner.
Returning to the issue of counterfeit products, Jim Payne, president of the public sector for Z&A Infotek, said that the current trend of only buying on the basis of price must be balanced by the need to buy products that actually do the job they say they will do. Payne also asserted that penalties should be considered for companies whose products do not do what they say.
Wolf stressed the need to revamp international standards bodies to account for cybersecurity. But Fast said that at the end of the day, it is best to think of the current environment as a "bad neighborhood," and that government and industry both need to do a better job of managing risk.
Much of the content discussed in this panel is explored in depth in a White Paper, "Supply Chain Risk Management Awareness."