CIOs face an array of challenges in the fast-moving cybersecurity landscape. One area of increasing government concern is the supply chain, broadly considered. From software lifecycle management to fears of Chinese exploitation of manufacturing vulnerabilities, this will be a major challenge for the private sector. CIOs should have a robust understanding of the supply chain for the products and services they sell and rely on, and be included in contingency planning for disruptions in this rapidly shifting environment.
Supply Chain is an Attack Vector that Worries Regulators and National Security Experts
Over the last several years, the private sector has made strides to improve cyber resilience. But as companies across the economy have improved at protecting their own systems, the threat has evolved. Now, threat actors—especially nation states—have targeted the weak link in a supply chain, opportunistically stealing intellectual property and introducing rogue functionality.
At times, supply chain risks relate directly to national security concerns, and over the last year, the United States has taken dramatic steps to counter this threat. In the last year, the Department of Homeland Security banned products from the Russian anti-virus maker Kaspersky Lab and the Chinese telecom firms Huawei and ZTE from federal networks. In 2018, the U.S. Commerce Department banned U.S. companies from doing business with ZTE for several months, only lifting the ban when ZTE agreed to a $1 billion fine and made commitments to comply with U.S. laws. Other than high-level assertions about national security, DHS has not provided details on the specific threats posed by these companies’ products.
These actions have impacts far beyond the companies targeted. U.S. companies have to examine their supply chain to evaluate whether they might be doing business with, or relying on services and products from, a company that might be the next ZTE, Huawei, or Kaspersky. The government is tight-lipped about the intelligence it generates about these threats, leaving the private sector with uncertainty about which multi-national partners may come to be viewed as dangerous.
CIOs Need to Tackle Lifecycle Management and Patching
Supply chains are not just vulnerable to attacks from nation states. Lifecycle management and timely patching are at the forefront of emerging security concerns for enterprises and end users. The problem here is not brilliant hackers conjuring zero-day exploits, but rather the speed with which companies can implement fixes for known vulnerabilities. Equifax’s data breach last summer, for example, was in part due to a failure to fix an Apache Struts vulnerability that was known and had a patch available.
Lifecycle management is only easy for people who’ve never done it. For complex systems, even the basic step of identifying all of the software and hardware on a network can be a tremendous undertaking. And responsible patch implementation requires significant logistical work, including testing in virtual environments, coordinating server downtime (often with third parties), and validating remediations.
The challenges increase for patching applications and devices that are in the hands of users. End users may not accept patches or update their devices, and some devices are not capable of accepting over-the-air updates.
The federal government has several efforts underway to encourage—or require—the private sector to take more action to identify, share, and remediate known vulnerabilities. The National Telecommunications and Information Administration (NTIA) and the National Institute of Standards and Technology (NIST), both within the Department of Commerce, have looked at these issues. NTIA led a multistakeholder effort to look at best practices and concerns about updating and patching for the Internet of Things. NIST has a variety of IT security guides that can help CIOs evaluate their environments.
Regulators are concerned and are taking action. For example, the FDA will publish new guidance for connected medical devices that includes a “cybersecurity bill of materials” that lists commercial and off-the-shelf software and hardware components of a device that could be susceptible to vulnerabilities.
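The inventory step in the paragraphs above (knowing every component you run, and which of them has a fix waiting) is the part a CIO can actually automate. The script below is an added illustration, not code from this article or from any regulator: it parses a minimal bill-of-materials listing, checks each component against an advisory feed, and puts the items that already have a patch at the top of the work list, ahead of those that have no vendor fix and need compensating controls. The component names, versions, suppliers and advisory identifiers are all constructed placeholders, not real products or CVE numbers, and the "name,version,supplier" line format is an assumption chosen for the example rather than any standard SBOM format.

```python
from dataclasses import dataclass
from typing import List, Dict

# Constructed inventory in a simple "name,version,supplier" form. These are
# hypothetical components, not real product data.
BOM_TEXT = """\
# component,version,supplier
web-framework,2.3.1,ExampleSoft
tls-library,1.0.2,ExampleCrypto
device-firmware,4.1.0,ExampleHW
logging-agent,5.2.0,ExampleSoft
"""


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    supplier: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder identifier, not a real CVE number
    component: str
    fixed_in: str      # first version carrying the fix; "" if no fix is published
    summary: str


# Constructed advisory feed. In practice this would come from vendor bulletins
# or a vulnerability database; every ID and version here is a placeholder.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "web-framework", "2.3.5", "request parser flaw"),
    Advisory("ADV-EXAMPLE-002", "tls-library", "1.0.3", "handshake memory disclosure"),
    Advisory("ADV-EXAMPLE-003", "device-firmware", "", "no vendor fix published"),
    Advisory("ADV-EXAMPLE-004", "logging-agent", "5.1.0", "already fixed in 5.2.0"),
]


def parse_version(version: str):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def parse_bom(text: str) -> List[Component]:
    """Read the comma-separated inventory, skipping blank and comment lines."""
    components = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version, supplier = (field.strip() for field in line.split(","))
        components.append(Component(name, version, supplier))
    return components


def is_affected(component: Component, advisory: Advisory) -> bool:
    """A component is affected if it matches the advisory and predates the fix."""
    if component.name != advisory.component:
        return False
    if not advisory.fixed_in:
        return True  # no fix published: every installed version is affected
    return parse_version(component.version) < parse_version(advisory.fixed_in)


def triage(bom: List[Component], advisories: List[Advisory]) -> List[Dict[str, str]]:
    """Return one finding per affected component, patchable items first."""
    findings = []
    for component in bom:
        for advisory in advisories:
            if is_affected(component, advisory):
                action = (f"upgrade to {advisory.fixed_in}" if advisory.fixed_in
                          else "no patch available; apply compensating controls and track vendor")
                findings.append({
                    "component": component.name,
                    "installed": component.version,
                    "supplier": component.supplier,
                    "advisory": advisory.advisory_id,
                    "action": action,
                })
    # Items with a patch in hand come first: they are the cheapest risk to retire.
    findings.sort(key=lambda f: (f["action"].startswith("no patch"), f["component"]))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_bom(BOM_TEXT), ADVISORIES):
        print(f"{finding['component']} {finding['installed']} ({finding['supplier']}): "
              f"{finding['advisory']} -> {finding['action']}")
```

Run as-is, it reports three findings: the two components with fixes available (sorted by name) and then the firmware item with no patch, while the logging agent is skipped because its installed version is already past the fix. The version comparison is numeric so that, say, 10.0.1 is correctly treated as newer than 9.9.9, which a plain string comparison gets wrong.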
Whether mandated by the federal government or not, CIOs will face mounting pressure to be on top of their supply chains and to understand risks and critical dependencies. We urge CIOs to work with internal resources to develop third-party risk management programs and monitor key suppliers’ security posture. It will be an additional challenge for CIOs to prioritize this deluge of information and turn it into actionable intelligence in a timely fashion. CIOs should prepare to evaluate and handle vulnerabilities throughout the supply chain, including on products they buy and on their customers’ systems. CIOs should consider their organization’s role in coordinated vulnerability disclosure, particularly in instances where they encounter something that affects other organizations. Resources are available from ISO, NTIA and others to help companies develop and manage vulnerability disclosure programs. These programs can be complex and need to be undertaken with care.
Consider Coordinating with the Government
CIOs will need to assess whether to coordinate with the federal government about a known or suspected vulnerability. The federal government, and DHS in particular, has made it clear that it wants to hear from the private sector about any threat intelligence. Members of Congress have criticized companies for failing to include the government in discussions of vulnerabilities. In some instances, the FBI or DHS may be able to assist by validating concerns about entities in the supply chain, or by providing information about malware or other indicators. But the private sector faces risks when coordinating with the federal government, especially that the information will become public, causing premature alarm or being misused by regulators and private litigants. CIOs should work through appropriate channels before disclosing to the government and inadvertently drawing scrutiny to a security issue that is still in flux.
With all of these moving parts, CIOs should ask themselves:
• Are you working well with your senior management and legal teams? Do you view their input and opinions as helpful? Are you getting the support you need and want?
• Have you considered a vulnerability disclosure program or other handling protocol? Do you know how you would respond if a key supplier were compromised or if you found a problem in your system or products?
• Do you know your role in a cyber incident? How about the team that supports you?
• Does your organization have relationships with law enforcement and government agencies that may be able to assist or validate concerns?
• Have you or others in the company made a conscious decision about whether and how to engage in information sharing and participation in ISACs/ISAOs? Have you made a conscious decision about whether and how to engage with parts of the government that may want to receive and share information, such as Automated Indicator Sharing at DHS?
Companies are being pushed to understand critical dependencies and opportunities for exploitation as the government grows increasingly concerned about the security of the global supply chain. As pressures mount on private sector companies, CIOs should be a key part of the risk management team. They should be actively engaged in their organizations’ operations, purchasing strategy, and incident response.