The Weakest Link

U.S. cybersecurity efforts must focus on IT supply chain.

Suppliers in potentially hostile countries are providing more of the components for major IT networks and systems used by the U.S. government, raising new concerns about the vulnerability of the federal IT supply chain. Solutions to the challenge have been elusive, but at least the government is finally focusing on the problem.

In August 2018, for example, the Pentagon outlined a new goal for contract awards based on security assessments in addition to the longtime requirements for cost, schedule and performance. The change would shift onto DOD contractors the onus of ensuring that the products they supply to the military are secure.

Kari Bingen, the DOD’s deputy undersecretary for intelligence, told a House Armed Services Committee panel in June 2018 that security had to become “a fourth pillar in defense acquisition.” As such, it should become a major factor in assessing contractors’ competitiveness for U.S. government business, she says.

A strategy report by Mitre Corp, “Deliver Uncompromised,” informs the Pentagon’s new approach. Released in August 2018, the report outlines the shifting strategies of the United States’ adversaries and the need for the country to mount an adequate response.

The way wars are fought is changing, the report’s authors wrote. Adversaries now engage the U.S. asymmetrically through physical (or kinetic) means and through blended operations that take place through supply and cyber chains and human elements. At present, the intra- and inter-government actions and knowledge needed to counter these evolving threats are not fully coordinated or shared.

“Too little attention is directed toward protection of operational security or software assurance,” the report’s authors explain. “There is no consensus on roles, responsibilities, authorities and accountability, (and) responsibilities concerning threat information are ‘siloed,’ ” resulting in delayed and decisive action.

The National Institute of Standards and Technology (NIST) tackled the issue in 2015, releasing Special Publication 800-161, which provided guidance to federal agencies on how to identify, secure and assure the quality of the IT products and services they buy.

In June 2018, the U.S. Senate introduced the Federal Acquisition Supply Chain Security Act of 2018 (S.3085). The bill’s co-sponsors, Sens. Claire McCaskill, D-Mo., and James Lankford, R-Okla., say the government can no longer afford to tackle supply chain problems on a piecemeal basis.

Their bill would establish a new cross-agency Federal Acquisition Security Council that would set policies for the supply chain and require all IT products acquired by government agencies to have a risk assessment attached.

Another bill, the Enhance Cybersecurity for Small Manufacturers Act of 2018 (S.2666), seeks to help “small manufacturers in the defense industrial supply chain” to understand and address cybersecurity threats.

Yet the various supply chain protection activities unfolding across government won’t be enough to deal with current and future problems, McCaskill warns.

“Cybersecurity is a 21st century problem we’re still trying to tackle with 20th century solutions,” she says. “We can’t simply respond to supply chain threats piecemeal. We’ve got to have a system in place to assess these risks across the government.”