President's Commentary: The All-Hands Approach to Securing the Supply Chain
For too long, we have suffered from supply chain security and resilience challenges.
In 2014, for example, hackers affiliated with the Russian government compromised the software update channels of industrial control system and supervisory control and data acquisition vendors to gain access to critical energy sector systems, a campaign the Justice Department later detailed in its charges. In 2017, the world learned about NotPetya, a supply chain malware attack delivered through a compromised update of Ukrainian accounting software that initially targeted Ukraine and rapidly spread to multiple countries. The next year, a Taiwan Semiconductor Manufacturing Company (TSMC) supplier installed software carrying a WannaCry variant on fabrication tools, and the malware spread to thousands of TSMC machines and halted production. And in 2020, the build process of a widely used network management product (SolarWinds Orion) was compromised to ship a trojanized update, ultimately affecting multiple government agencies and companies.
Furthermore, China plays an outsized role in supplying critical technologies and strategic resources to much of the world. The 2023 annual threat assessment from the U.S. intelligence community notes that China is central to global supply chains in a range of technology sectors, including semiconductors, critical minerals, batteries, solar panels and pharmaceuticals. The Chinese government has made clear its intent to deepen other countries’ dependence on it, and with that dependence comes the constant threat of supplies being cut off.
In a three-part series of articles in this magazine’s The Cyber Edge section, AFCEA International’s Technology Committee takes an in-depth look at supply chain security. The articles cover hardware and software security and the evolution of supply chain threats. “In today’s highly connected world, all organizations rely on others for products and services. However, with the existence of globalization, these same organizations no longer have full control or visibility into their entire supply chain. It is a multiheaded hydra,” Vicki Barbur and Gretchen Stewart assert.
The good news is that recent events have once again awakened the sleeping giant. Government, industry and academia realize the grave threat to our national security and are working together to mitigate the challenges. We have seen a plethora of activities across the executive, legislative and judicial branches of government, from virtually every department and agency and from across industry, academia and the research community.
While efforts are too numerous to mention, here are a few just from the government:
- The widespread adoption of zero-trust cybersecurity practices
- The release of ISO 28000:2022, the international security management standard for supply chains, alongside the National Institute of Standards and Technology’s Special Publication 800-161 Revision 1 on cybersecurity supply chain risk management
- The signing of executive orders 14017 (America’s Supply Chains) and 14028 (Improving the Nation’s Cybersecurity)
- The passage of the CHIPS and Science Act, which authorizes roughly $280 billion, including about $52.7 billion for domestic semiconductor research and production
Meanwhile, private sector contributions include pioneering zero-trust cybersecurity practices, building security into software development and operations (DevSecOps), and doing the same for network operations (NetSecOps). Industry also leads in the development and adoption of new technologies, including blockchain, artificial intelligence, quantum computing and next-generation mobile.
Academia and the broader research and development community also have a role to play. Stefanie Tompkins, director of the Defense Advanced Research Projects Agency, reports in this issue’s On Point column that she feels passionately about supply chain security and that it is a priority for her program managers as well. Sandia National Laboratories researchers, meanwhile, are developing new ways to design programs on quantum computers, which could aid supply chain security and resiliency as quantum technology matures.
Also, a 2020 report by the Brookings Institution suggests the federal government adopt best practices from industry and academia. “By bringing together academia, industry and government, the United States has terrific opportunities to strengthen the competitiveness, security and resilience of its supply chains to further boost its global technological, military, economic and geopolitical strength,” the report says.
For decades, we often heard the lament that software, systems and networks could never truly be secured. It sometimes seemed we were expected to throw up our hands and accept the inevitability of supply chain insecurity.
But we now are united in our determination, willingness to invest resources and ability to adopt emerging capabilities. And our resolve combined with emerging technologies may yet make a myth of that old lament.