The Supply Chain Risk Is Hidden in Plain Sight

When the National Counterintelligence and Security Center designated April as National Supply Chain Integrity Month, it cited threats that cost the country innovation, jobs and economic advantage. It also mentioned a reduction of U.S. military strength as the need for increased awareness. Now as we approach the one-year anniversary of that designation, threats—especially cybersecurity threats—continue to grow and evolve. These give the military-industrial base new reasons to refocus on the security of contractors, subcontractors and suppliers.

The financial risks are considerable. Counterfeit materials may not fit or perform as expected, requiring replacement with authentic ones that come with additional cost and downtime. Only a small percentage of shipped cargo is examined to see if it is counterfeit, and likely a similarly small amount is checked to see if it has malicious components.

Another problem is that older software/hardware systems in particular have “back doors” that may allow hackers to access partner networks and steal information that has incurred a lot of investment. Some newer systems also have “call home” features that surreptitiously transmit unauthorized data.

And then there are stolen goods. With so much data available, adversaries can create insider threats, targeting and enticing employees to steal products destined for a partner program and to falsify records.

Every company and agency today is an information technology organization with equipment, systems and data that are valuable and vulnerable. This presents an increased target area, and adversaries look for weaknesses in those assets and the interconnected systems of partners. For military-industrial organizations, the implications go beyond financial problems.

For example, computer manufacturers enhance their operations using Internet of Things (IoT) technology to track the location of raw materials, gauge assembly line progress and monitor the placement of finished products. As an inventory management and optimization technology, IoT is relatively new, and like other innovations it may introduce a vulnerability in the supply chain. If security protocols are not in place, then the data it collects can be misdirected, or commands can be issued to delay maintenance and cause downtime.

Another repercussion of a corrupted supply chain is how it affects critical infrastructure, such as power plants. Hackers can gain access through suppliers of raw materials or transportation companies. Or, if they try to disrupt wastewater treatment facilities, their options for entry points could be chemical suppliers or manufacturers of piping, valves and similar equipment. The result could be a public health crisis.

Internet connectivity has become a routine feature for many products. Automobile manufacturers, for example, provide it so users receive Wi-Fi, location information and maintenance notifications. It is conceivable that this data can be accessed by adversaries and used to target individuals.

Makers of 3D printers face a similar supply chain risk. If their system is compromised, the parts may appear to be printed in accordance with the specifications but actually have hidden weaknesses and can fail in critical situations.

Avoiding these scenarios first requires an understanding of potential vulnerabilities and continuous vigilance so adversaries cannot take advantage of them. The Cybersecurity Maturity Model Certification offers a starting point for partners to implement best practices, conduct audits and be informed of risks. The policies and standards associated with certification can provide some assurance to agencies about their vendors, their vendors’ manufacturing processes and the origins of the vendors’ materials so that risk can be minimized.

A second strategy for supply chain security is development of more stringent software code. Sometimes commercial off-the-shelf software provides the right solution because it has been tested by a large quantity of deployments and the time elapsed since its launch. But organizations often need some custom-built applications, and they must have adequate resources to develop, test and deploy them. The recent increase in emphasis on secure coding is welcome news.

A final point to emphasize is to avoid complacency. When operators see anomalies or hear warnings often enough, they may not register them as incidents to investigate. Program managers, software designers and everyone in the supply chain must understand the risks of working with partners. They must claim a role in eliminating vulnerabilities where possible; in cases where risk is unavoidable, they must manage it with access and process controls for manufacturing and distribution.

Maj. Gen. Jennifer Napper, USA (Ret.), is a vice president in Perspecta Inc.’s defense group. She previously served as director of cybersecurity plans and policy for the U.S. Department of Defense Cyber Command, and she led the U.S. Army’s Network Enterprise Technology Command (NETCOM).