Begin at the Beginning
It’s common knowledge that computer systems are vulnerable to a multitude of attacks, but what may be less well known is that some of those attacks can occur even before the systems are purchased or assembled. Worse, preventing such problems may be extremely difficult, explains Marianne Swanson, author of Piloting Supply Chain Risk Management Practices for Federal Information Systems, a draft report from the National Institute of Standards and Technology (NIST).
“Bad things can get inserted early into the system,” says Swanson. But the tricky part is that the malware or virus may not be inserted into every piece on the production line; it may only be every 16th product. “So you could take a whole batch of these components and you could test [every second or third unit], and you might not hit the bad one,” she says. So it’s hard to know that you are free of any problem.
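The sampling problem Swanson describes can be put in numbers. The following is an added illustration, not code or figures from the NIST report: it assumes a batch in which tampered units sit either at a fixed cadence (every 16th unit) or uniformly at random, and the batch sizes and sample sizes are constructed for the example. It shows two things the quote only hints at: a fixed inspection stride can miss every tampered unit depending on how it aligns with the tamper cadence, and even random sampling needs a surprisingly large sample before the odds of catching one bad unit become good.

```python
from math import comb


def random_sample_miss_probability(batch_size, tampered, sampled):
    """Probability that `sampled` units drawn at random (without replacement)
    from a batch of `batch_size` units, `tampered` of which are bad, contain
    none of the bad ones (the zero-hit term of the hypergeometric distribution)."""
    if tampered <= 0:
        return 1.0
    if sampled > batch_size - tampered:
        # More units tested than good units exist: a bad one must be drawn.
        return 0.0
    return comb(batch_size - tampered, sampled) / comb(batch_size, sampled)


def sample_size_for_confidence(batch_size, tampered, confidence=0.95):
    """Smallest random sample size that catches at least one tampered unit
    with probability >= `confidence`."""
    for n in range(batch_size + 1):
        if 1.0 - random_sample_miss_probability(batch_size, tampered, n) >= confidence:
            return n
    return batch_size


def periodic_sample_hits(batch_size, tamper_stride, sample_stride, offset=1):
    """Units are numbered 1..batch_size and every `tamper_stride`-th unit is bad.
    The inspector tests units offset, offset + sample_stride, ... and this
    returns True if any tested unit is a bad one. A fixed stride either hits
    or misses systematically, depending only on alignment with the cadence."""
    tampered = set(range(tamper_stride, batch_size + 1, tamper_stride))
    tested = range(offset, batch_size + 1, sample_stride)
    return any(unit in tampered for unit in tested)


if __name__ == "__main__":
    # Constructed scenario: a batch of 20, every 16th unit tampered,
    # inspector tests every third unit starting at unit 2 (misses) or unit 1 (hits).
    print("stride 3, start at 2:", periodic_sample_hits(20, 16, 3, offset=2))
    print("stride 3, start at 1:", periodic_sample_hits(20, 16, 3, offset=1))
    # Constructed scenario: 160 units, 10 tampered (1 in 16), random sample of 16.
    print("random 16 of 160 misses all 10 bad units with probability",
          round(random_sample_miss_probability(160, 10, 16), 3))
    print("units to test for 95% confidence:", sample_size_for_confidence(160, 10))
```

The periodic case is the one to worry about: a supplier who knows the inspection schedule (or simply a consistent production-line rhythm) makes a fixed stride useless, so the randomness of the sample is itself a security control, not a statistical nicety.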
Moreover, the problem is not only malicious code: substandard or previously used parts may also be inserted without the buyer’s knowledge.
Increased globalization is putting computer systems even more at risk. “Accelerating trends in multinational mergers and acquisitions of information system suppliers and integrators is making it almost impossible to [rely on] corporate ownership and control alone as the basis for assuring supply chain security,” states the report. Swanson stresses the importance of holding vendors accountable for their own suppliers.
Hart Rossman, chief technology officer for cybersecurity solutions at SAIC, says the biggest mistake that companies are making is waiting until something bad happens, rather than recognizing the opportunity earlier on to prevent the problem. Rossman says many companies are also unfamiliar with the various parts of the supply chain, so they have little control.
Another mistake companies make, says Rossman, is being ill-equipped to deal with a problem when it occurs. Companies are often geared towards “responding to software vulnerability, like viruses or malware or phishing or spam attacks, so they’re not necessarily equipped to deal with hardware vulnerabilities or hardware compromise,” says Rossman.
He adds that information security is generally not well connected with the other departments, such as legal and acquisition, with which it will have to interact during incident response. “Those incident response teams don’t, in most organizations today, have those relationships, have those tools and capabilities,” Rossman notes, though he says he is seeing some progress in that direction.
The report was developed for the Comprehensive National Cybersecurity Initiative 11, which aims to provide a multipronged approach to cybersecurity. Although the NIST recommendations were initially designed for critical federal computer systems, all of the recommendations can also apply to the private sector.
NIST recommends that information security, acquisition, legal, and other division stakeholders participate in decision-making from the conception phase onward. They should work together to provide oversight of suppliers and perform quality assurance. Swanson advises paying particular attention to procurement language so that vendors know what the company is looking for and to work with vendors that have good risk mitigation plans.
Rossman has helped develop a cyber supply-chain assurance model, which identifies vulnerabilities and interdependencies at each node of the international production chain, and he recommends a shared-risk approach with governance and accountability at different levels of the supply chain. This takes a physical-supply-chain approach and applies it to cybersecurity; it was meant in part to help educate stakeholders about the importance of the various joint responsibilities along the supply chain.