Cybersecurity Policy: Another Supply-Chain Juggling Act

Supply-chain executives have tough jobs, dealing with natural disasters, trade wars, spikes in demand and the pressure to absolutely, positively get it there overnight. Added to the mix will be new U.S. federal directives for supply-chain cybersecurity.

“From where I sit in D.C. this is truly one of the emerging issues,” Christopher C. Krebs, Under Secretary for the Department of Homeland Security’s (DHS’s) National Protection and Programs Directorate, said this summer.

So, as supply-chain cybersecurity threats grow, the White House, Congress and multiple federal agencies are forging government-industry working groups and accelerating supply-chain security bills, draft executive orders and regulatory proposals. All of which leaves supply-chain executives, their C-suites and boards juggling cyberthreats, new government priorities, and the practical reality that their supply chains were developed with security as an afterthought to other practical factors such as functionality, efficiency and cost.

DHS Summit: DC Brings Cybersecurity Show to NYC

This complexity was an undercurrent at a recent cybersecurity policy forum of U.S. government officials and corporate executives in New York City. DHS’s National Cybersecurity Summit featured public-private discussion panels and launched joint government-industry initiatives including an Information and Communications Technology (ICT) Supply Chain Risk Management Task Force.

Information and communications technologies underpin today’s global digital supply chains. “We’ve seen an explosion across the threat actor space in terms of compromising supply chains,” said Krebs, who moderated the summit.

Summit attendees were asked to work collaboratively with Washington in securing their supply chains against cyberthreats. The new Supply Chain Risk Management Task Force that was announced is part of an equally new National Risk Management Center. The center aims to streamline cybersecurity policy by breaking down silos among government agencies and industry sectors. The goal is to effectively identify, assess and prioritize strategic risks to national critical functions. “The task force is intended to focus on potential near- and long-term solutions to manage strategic risks through policy initiatives and opportunities for innovative public-private partnership,” DHS said.

A focus of the supply-chain task force will be third-party risk—especially where potentially adversarial governments may have close connections with suppliers of U.S. technology infrastructure. Third-party suppliers with remote maintenance access to equipment could pose particular risk, according to Robert E. Joyce, senior advisor to the director of the National Security Agency.

Incentives Could Accelerate Adoption

Responsible companies understand that it’s their duty to have a secure supply chain—for their own interests, for their customers and for national security implications. Companies such as Palo Alto Networks have gone as far as converting to 100% domestic manufacture. While domestic-based manufacturing does not in itself guarantee secure hardware, it offers several advantages from a security perspective, such as allowing the company to more easily take steps to ensure personnel, facility and product security.

The federal government could take a cue from this and other best practices as it determines how best to promote adoption of appropriate supply-chain measures, according to Coleman Mehta, Senior Director, U.S. Policy, at Palo Alto Networks. “We would work with the federal government as it engages in these forums to make sure the industry perspective is taken into account,” he said in an interview. “At the same time, if companies are being brought into this national security collective, it’s also incumbent on government to determine what the incentives might be to ensure that best practices are in place and risk is appropriately managed.”

Tax Break for Best-in-Class Practices?

DHS Summit panelists also raised a recurring regulatory theme, the carrot and the stick, to question whether Washington is too focused on prohibitions and not enough on incentives to mobilize companies around supply-chain best practices, governance, risk and compliance (GRC) and good cybersecurity policy.

Panelist Mark D. McLaughlin, Palo Alto Networks Vice Chairman, suggested several incentive schemes. For example, the government could incentivize industry to use new technologies such as robotics and 3D printing. These technologies could make it less costly to re-shore or near-shore parts of their supply chain that were previously off-shored.

McLaughlin also suggested companies could be incentivized to withstand conditions that foreign governments require for access to their markets (e.g., source code reviews and in-country research and development centers). Tax breaks and federal procurement incentives for companies with best-in-class supply-chain practices would recognize that “we have to walk away from market opportunities,” McLaughlin said.

The discussion seemed to resonate with DHS’s Krebs, who reflected that in Washington, “I’m a little concerned that we’re focusing on the bad options … when maybe we should also be incentivizing those good options.”

Selected Directives Emerging From Inside the Beltway

The DHS Summit may have taken place in the city that never sleeps, but it’s Washington that has been burning the midnight oil. There’s a growing list of supply-chain cybersecurity measures. Among them:

And now, with the DHS Summit adjourned, the initiatives launched there will begin their work. “I wish I could tell you that we’ve rounded a corner,” DHS Secretary Kirstjen M. Nielsen said. “But last year was the worst-ever in terms of cyberattack volume. … I think we will continue to see them this year.”