Over the past several years cyber criminals have put their focus on supply chain vulnerabilities as a means of gaining access to information ranging from trade secrets, to citizens’ personally identifiable information (PII), to manufacturing information for military weapons and systems. This week SolarWinds, an IT network management and monitoring software company, announced that criminal hackers injected malware into its Orion platform by exploiting a software update earlier this year. SolarWinds boasted on its website a customer base that reached 300,000 organizations worldwide, including all five branches of the U.S. Military, the Pentagon, the DoD, the U.K. Defense Center, as well as many other high-profile civilian and government agencies from around the world, making it the perfect target for a supply chain attack. It is estimated that 18,000 customers have been affected by the malware and, according to reports, the Pentagon, the Department of Treasury, and the Department of Homeland Security have been infiltrated. This was a highly sophisticated APT attack with apparent nation-state backing.
Supply Chain Cyber Maturity
The United States Department of Defense has recently recognized that the threat to its supply chain is at an all-time high. So much so that in 2019 it revamped the process by which defense industrial base contractors are vetted for cybersecurity maturity with the creation of the Cybersecurity Maturity Model Certification (CMMC). However, it may be a day late and a dollar short. The certification process, which includes 5 levels of cybersecurity maturity and is based on NIST SP 800-171 and other cybersecurity standards and best practices, is estimated to take 5 years to roll out over its 300,000+ DIB contractors. The current bottleneck in the adoption of the certification process is getting third-party auditors certified to audit applicants. An interim ruling was published by the DoD outlining a process for assessment until auditors are trained and ready to begin assessing organizations. The temporary assessment methodology will include three assessment levels: (1) Basic, (2) Medium, and (3) High. The basic assessment is a self-assessment, with medium and high assessments being conducted by the DoD on a case-by-case basis until organizations can work with certified auditors. It has already been established that self-assessments are not sufficient for protecting sensitive data, which is what led to the development of the CMMC in the first place. So, having self-assessments be part of the interim ruling seems rather counter-intuitive.
Making Cybersecurity a Priority Through Acquisition
Cyber threats to the supply chain have been on the rise as the trend towards Industry 4.0 continues to grow. Increased use of cloud services, artificial intelligence technology, and the growth of a remote workforce environment have all contributed to the heightened threat to the United States industrial supply chain. According to the 2018 Foreign Economic Espionage in Cyberspace report, cyberspace remains a preferred operational domain for a wide range of industrial espionage threat actors. These threat actors include adversarial nation-states, commercial enterprises operating under state influence, and sponsored activities conducted by proxy hacker groups. One contributing factor to the increase in threat is the vulnerability caused by a lack of standardization in securing information systems across industries. As part of the National Counterintelligence Strategy of the United States 2020-2022, reducing threats to key U.S. supply chains remains a top priority. The National Counterintelligence and Security Center (NCSC) asserts that elevating the role of supply chain security in the acquisition process will help to thwart exploitation of hardware, software, and services procured from foreign-owned or controlled companies. In other words, making procurement decisions with cybersecurity maturity as a priority, rather than simply focusing on the lowest bidder, may improve the cyber posture of the federal government.
Compliance Does Not Equal Security
Using the third-party audited CMMC as a model throughout the federal procurement process could be one way to promote the protection of controlled unclassified information (CUI) during the supply chain lifecycle. However, compliance with standards does not equal security. Solving cybersecurity issues is not a one-dimensional problem. Maturity modeling with auditing is a very good way to demonstrate the processes, policies, and technology that are put in place to safeguard information systems. However, there is a human element to cybersecurity that also needs to be addressed.
Organizations that handle sensitive information as part of a supply chain need to be able to demonstrate to their internal and external stakeholders the importance of following the policies and procedures put in place. Often security controls are circumvented by users because they are not convenient. This is a common vulnerability that is exploited by bad actors. Controls that are implemented to protect sensitive information need to be effective, but also user-friendly, so that users will stay within the guidelines prescribed by the organization.
Securing the nation’s supply chains across all industries is paramount to national security. The disruption of the supply of goods and services could cripple the country. Digital dependency, reliance on foreign suppliers, and the lack of consistent cybersecurity standards across industries have created a growing chasm in the protection of intellectual property and trade secrets in both the public and private sectors. Programs such as the CMMC, when implemented properly, create a mechanism for measurable accountability in the protection of data throughout the supply chain. Improving the protection of sensitive information within the industrial supply chain will not only create more stability within U.S. markets, but it will also help to further secure the nation’s critical infrastructure.
Author: Antoinette King, PSP
December 15, 2020