Public-Private Partnership Addresses Supply Chain Security
Print Issue: May 2019
The U.S. Department of Homeland Security (DHS) issued a binding operational directive in September 2017 to remove all Kaspersky Lab information security products, solutions, and services from all federal government departments and agencies. It was the first time DHS issued an order to remove all of one manufacturer’s software from government systems.
“This action is based on the information security risks presented by the use of Kaspersky products on federal information systems,” DHS said in a statement on the directive. “Kaspersky anti-virus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems.”
DHS also issued the order because it was concerned about ties Kaspersky, a Russian company, might have to Russian intelligence agencies.
“The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security,” DHS explained.
The department gave federal agencies and departments 30 days to identify all Kaspersky products on their systems. The agencies had to create plans to remove and discontinue use of those products within 60 days, and discontinue and remove those products within 90 days of the notice.
Following the directive, the U.S. National Defense Authorization Act was enacted in December 2017 to outlaw the use of Kaspersky products within federal agencies and departments.
Kaspersky denied allegations of ties to the Russian intelligence community and also challenged the U.S. government’s ban of its product in U.S. federal court. The D.C. Circuit Court dismissed Kaspersky’s lawsuit, but CEO Eugene Kaspersky said in a statement that the company would remain committed to “providing the best cybersecurity solutions for our customers globally and saving the world from cyberthreats.”
After the Kaspersky directive, other companies’ products have come under scrutiny for posing possible security threats to governments and private companies alike. The U.S. government, Japan, and others also put restrictions around the use of Huawei and ZTE products—both manufactured by Chinese companies—citing security concerns.
The moves also renewed focus on the need to address the supply chain security of information technology products. A lack of such security could create major risks for the end users who install those products in their systems.
“Traditionally, most organizations have been focused on the hardware and physical aspects of the supply chain—does it have counterfeit parts, was it compromised in manufacturing?” says Tim LeMaster, director of systems engineering at Lookout, a cybersecurity provider.
But there is growing recognition that software also poses supply chain risks, and LeMaster says many of his clients are increasingly concerned about addressing these risks to their systems.
Further concerns about supply chain security have been raised due to the creation of 5G—the fifth generation of wireless networking that will be used to connect next-generation technology—that China has invested heavily in developing.
Speaking at the RSA Conference in March 2019, Mieke Eoyang, vice president of think tank Third Way’s National Security Program, said that the United States has not invested and planned for the long term to develop its own 5G.
“If the network owner is not a country that shares our values, what happens to the communications that flow across it?” she asked.
In 2018, the U.S. Government Accountability Office (GAO) assessed the supply chains—“organizations, people, activities, and resources that create and move a product from suppliers to end users”—that U.S. federal agencies use to procure IT systems.
Threats to these supply chains could include installing intentionally harmful or counterfeit hardware or software; failing to produce or distribute a critical product; relying on malicious or unqualified service providers to perform technical service; or installing hardware or software containing or harboring unintentional vulnerabilities, like defective coding.
“These threats can have a range of impacts, including allowing adversaries to take control of systems or decreasing the availability of materials needed to develop systems,” the GAO explained. “These threats can be introduced by exploiting vulnerabilities that could exist at multiple points in the supply chain.”
This is also a major threat area for the United States because its systems rely heavily on IT equipment that is manufactured in foreign nations, often using multiple supply chains.
“As a result, agencies may have little visibility into, understanding of, or control over how the technology that they acquire is developed, integrated, and deployed, as well as the processes, procedures, and practices used to ensure the integrity, security, resilience, and quality of the products and services,” according to the GAO’s analysis.
This poses a major risk for these systems to be manipulated or damaged by foreign nations that are known cyberthreats, including China, Iran, North Korea, and Russia.
“Threats and vulnerabilities created by these cyberthreat nations, vendors, or suppliers closely linked to cyberthreat nations, and other malicious actors can be sophisticated and difficult to detect and, thus, pose a significant risk to organizations and federal agencies,” the GAO explained.
For instance, a nation-state could infiltrate the U.S. government supply chain and install software on a device. The nation-state could then use that access to take control of the network the device was connected to, disrupt operations, or launch attacks against other systems.
The four U.S. national security-related departments—Defense, Energy, Homeland Security, and Justice—all acknowledged risks presented by supply chain vulnerabilities and adopted strategies to address the threat. However, the GAO said that more efforts were needed to address supply chain security as a whole.
Shortly after the GAO published its report, DHS announced the creation of its National Risk Management Center.
“It will employ a more strategic approach to risk management born out of the re-emergence of nation-state threats, our hyperconnected environment, and our survival and its need to effectively and continually collaborate with the private sector,” said former DHS Secretary Kirstjen Nielsen in a speech at the department’s Cybersecurity Summit in July 2018. “…the center will bring together government experts with willing industry partners so that they can influence how we support them. Our goal is to simplify the process—to provide a single point of access to the full range of government activities to defend against cyberthreats.”
One of the center’s first major efforts would be bringing together government and industry to address supply chain risk. In November 2018, the center launched the Information and Communications Technology (ICT) Supply Chain Risk Management Task Force to develop consensus recommendations that identify and manage risk to the global ICT supply chain.
“This is a moment when we need increased effort countering strategic risks that we see from—particularly—foreign adversaries in the cybersecurity space, including supply chain,” says Bob Kolasky, director of the National Risk Management Center and task force cochair. “There is an urgency of government and industry coming together to take this threat seriously and come up with solutions to address the threat and reduce risk.”
The task force consists of 60 representatives from the private sector and government, including members of the intelligence community. Kolasky cochairs the task force with John Miller, vice president of policy and law at the Information Technology Industry Council (ITI), and Robert Mayer, senior vice president for cybersecurity at the USTelecom Association.
Mayer, who also chairs the DHS Communications Sector Coordinating Council, says that the range of representatives on the task force means there will be broad conversation to generate real progress on supply chain security.
“Given the recognition now that the supply chain represents a major vector for attacks, especially when you consider the nation-states behind them, there’s a great deal of urgency to have a coordinated strategy and plan to mitigate the risk,” he adds.
The task force, which has a two-year charter, held an initial meeting after it was created in November 2018. To get the ball rolling, the task force created an inventory of existing government and private sector supply chain security initiatives, so as to avoid duplicating previous efforts.
The partial U.S. government shutdown in December and January delayed the database initiative, but Mayer says the task force was on track to have both segments of the inventory completed in March 2019.
The task force will then use this inventory to inform its future work, which it divided into four initial workstreams that it announced in the spring.
One workstream is devoted to developing a common framework for bi-directional sharing of supply chain risk information between government and industry. DHS already has a variety of information sharing channels in place to communicate between government and industry, so the task force intends to identify any gaps in sharing about supply chain vulnerabilities.
“Private entities are constantly evaluating whether there’s risk in things they put in their supply chains or understanding their own risk, and as they’re making their own risks, we want to understand why those decisions are being made so that we can help push that message out that other companies might want to be making similar decisions,” Kolasky adds.
Another workstream focuses on identifying processes and criteria for threat-based evaluation of ICT supplies, products, and services. This workstream will provide organizations with an understanding of what the criteria are and what the dimensions of supply chain oversight might look like, Mayer says.
Threat criteria are often based on the party that is assessing the technology, which will make this workstream’s assignment slightly daunting.
“Somebody in an acquisition role may have one set of parameters they’re interested in from a supply chain perspective; if it’s the end user, they might have another,” Mayer says. “Views change.”
The information the second workstream identifies on criteria will likely help inform the third workstream: identifying market segments and evaluation criteria, and establishing qualified bidder and manufacturer lists. Ideally, this workstream will tell companies what standards they will need to meet to qualify as a whitelisted bidder.
The fourth workstream is focused on producing policy recommendations to incentivize purchasing ICT from original manufacturers or authorized sellers. The consensus is that “if you purchase equipment from the original manufacturer or an authorized reseller, instead of buying it” from an unauthorized seller, “you have a better likelihood that the security protocols have been adopted, implemented, and verified,” Mayer says.
To get companies and agencies to adopt this purchasing pattern, the workstream will look at which incentives will help users make decisions “based on good cyber supply chain risk management,” he adds.
The task force met several times this spring and plans to release information to the public about its progress beginning this summer, Mayer says. It will also continue looking at the scope of its work and addressing the workstreams’ assignments as the task force evolves.
“I think what we’ll see is an ongoing process of evolving of the scope, adding new efforts into the equation,” he adds. “There is a desire here to produce products that are actionable and that can actually move the needle.”
In addition to the workstreams, the task force will also work with the Supply Chain Security Council that was created by the 2018 U.S. Federal Acquisition Act.
The council focuses on the federal government, tasked with mitigating security risks that could arise from information technology, telecommunications services, and other services the federal government buys.
The council is responsible for creating criteria to assess threats and vulnerabilities to the supply chain, issuing guidance on risks to the supply chain, as well as publishing guidance on how to address those risks.
The council must obtain input from the private sector on supply chain risk, and Kolasky says that the task force will be the primary venue for that dialogue.
Overall, Mayer says it’s important that these conversations are happening and that the private sector—through the council—is included in the process.
“When the Department of Homeland Security comes to industry and says that they want to partner with industry on making improvements on a critical national security consideration, that’s music to our ears,” Mayer adds. “That’s what we want to see in the public-private partnership collaboration with government.”
And this partnership is critical for addressing supply chain security and ensuring that the United States has a path forward on the acquisitions process for private and public entities. In the RSA appearance with Eoyang, Managing Director of the Cyber Readiness Institute Kiersten Todt said it was vital for the United States to address this issue.
“We don’t want to find ourselves in the position where we’re in the environment that China has defined for us,” she said.
Megan Gates is senior editor at Security Management. Contact her at [email protected]. Follow her on Twitter: @mgngates.
What is 5G?
The fifth generation of wireless networking technology, dubbed 5G, is predicted to transform the way users work and live because of its increased connectivity benefits.
“One way to quantify the difference is in terms of download speeds,” according to a Verizon fact sheet. “5G will deliver speeds roughly 20 times faster than what is possible with 4G.”
This enhanced data transfer speed will allow more technologies to connect to each other, including vehicles, the Industrial Internet of Things, and Smart City networks. The first 5G networks, however, will not be available nationwide in the United States until 2020, according to WIRED’s “Guide to 5G,” and only then if there is a major investment in the technology between now and then.
“To reach the goal of nationwide 5G by 2020, the government must open more wireless spectrum to carriers; the carriers must rapidly expand their infrastructure; and hardware makers need to create a new generation of devices ready to ride the 5G waves,” WIRED explained.
Who’s On the Task Force?
The U.S. Department of Homeland Security’s National Risk Management Center created the Information and Communications Technology (ICT) Supply Chain Risk Management Task Force in November 2018.
The task force includes representatives from across government and industry:
- Charter Communications
- Cisco Systems
- Cybersecurity Coalition
- Federal Communications Commission
- General Dynamics Information Technology
- General Services Administration
- Information Technology Industry Council
- Interos Solutions
- National Security Agency
- National Association of Broadcasters
- Office of the Comptroller of the Currency
- Palo Alto Networks
- U.S. Department of Commerce
- U.S. Department of Defense
- U.S. Department of Energy
- U.S. Department of Homeland Security, CISA
- U.S. Department of Homeland Security, Office of the Chief Procurement Officer
- U.S. Department of Justice
- U.S. Department of the Treasury
- U.S. Nuclear Regulatory Commission
- U.S. Office of the Director of National Intelligence
- U.S. Social Security Administration
- Verizon Wireless