March 27, 2019

On March 27, 2019, the Atlantic Council’s Cyber Statecraft Initiative, housed within the Scowcroft Center for Strategy and Security, hosted a public panel to discuss supply chain cybersecurity. The timely discussion, underwritten by Raytheon, followed on the heels of the March 25 disclosure that computer hardware company ASUS had unwittingly been delivering malicious software to ASUS computer owners via its automatic software update utility. While an estimated one million ASUS computer users were affected in the campaign that Symantec Corporation believes began as early as June 2018, other supply chain attacks, such as NotPetya in 2017, have been far more widespread and damaging, and will certainly grow more so in the future.

Government and industry have not been blind to this growing threat, and supply chain security is now getting its moment on Capitol Hill, such as in the “SECURE Technology Act” signed into law on December 21, 2018. This growing awareness prompted the Council’s Cyber Statecraft Initiative to convene subject matters experts Ms. Joyce Corell, Assistant Director of the Supply Chain and Cyber Directorate at the National Counterintelligence and Security Center within the Office of the Director of National Intelligence (ODNI); Mr. John Costello, Senior Adviser to the Director of the new Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security (DHS); and Mr. Jon Check, Senior Director of Cyber Protection Solutions, Cybersecurity and Special Missions at Raytheon Intelligence, Information, and Services to discuss the topic and where public and private supply chain security can go from here. The Scowcroft Center’s own Cyber Safety Innovation Fellow Mr. Beau Woods moderated the discussion.

While approaching supply chain security from different perspectives, the panelists agreed on the foundational principle that supply chains themselves have not fundamentally changed in the 21st century. Every organization faces costs, rewards and risks when it consumes goods or services that it does not produce itself. What has changed is the risks inherent to supply chains. As cyber defenses improve against phishing campaigns and other attack vectors, malicious actors are increasingly turning to supply chain attacks. Instead of trying to scale the walls, attackers are sneaking through the gates hidden within benign hardware or software components. The panelists concurred that, in response to this changing risk, the government and private sector would have to adjust their costs and rewards accordingly. Methods for adjusting these costs and rewards would include clear communication from organizations to vendors in their supply chain—particularly, clear delineation of acceptable and unacceptable levels of risk in different business or government functions—policy levers such as regulation and possible tax write-off or low-interest loan opportunities; and favorable insurance terms for low-risk vendors. The goal is the right combination of carrots and sticks.

All the panelists acknowledged the difficulties ahead for the US government and industry in the arena of securing global supply chains. Not only does the US government need to secure its defense industrial base, but it must also secure its broader national industrial base of all sectors and entities that underpin American national power. According to Mr. Costello, this includes not just ensuring these entities can resist cyberattacks and are resilient enough for swift recovery, but also ensuring American industry has reliable access to uncompromised supply chains in the event of a crisis. Mr. Check explained that private industry must grow to expect supply chain compromises and build safety mechanisms into its processes that mitigate compromises as they occur. In addition, procurement managers and C-level executives must be willing to take the difficult steps of reopening supply contracts whenever there is evidence of irresponsible practices on the part of their vendors to communicate that supply chain integrity is of utmost importance. Mr. Check stated that attempting to “fix of the sins of the supply chain’s past just doesn’t work after the fact. People have to be part of the solution up front.”

Ms. Corell summed up the problem and solution well; supply chain security is bureaucratically difficult, but we can begin to make progress once everyone sees it as their problem to solve. She also presented a reason for measured optimism: “I think when we see non-government organizations like the insurance industry begin to think about how to monetize security, that’s when you’ll begin to see a transformation and you will see organizations make choices to strengthen security.” The panelists concurred that understanding third-party risk is difficult, and no organization in the government or private sector has the same level of experience in this area as they do with financial or physical security risk. As government and industry learn how to monetize and incentivize supply chain security and develop a set of case studies to inform consumers of how supply chain risk effects them, consumers and citizens may begin to see progress.