Alan W. Dowd is a Senior Fellow with the American Security Council Foundation, where he writes on the full range of topics relating to national defense, foreign policy and international security. Dowd’s commentaries and essays have appeared in Policy Review, Parameters, Military Officer, The American Legion Magazine, The Journal of Diplomacy and International Relations, The Claremont Review of Books, World Politics Review, The Wall Street Journal Europe, The Jerusalem Post, The Financial Times Deutschland, The Washington Times, The Baltimore Sun, The Washington Examiner, The Detroit News, The Sacramento Bee, The Vancouver Sun, The National Post, The Landing Zone, Current, The World & I, The American Enterprise, Fraser Forum, American Outlook, The American and the online editions of Weekly Standard, National Review and American Interest. Beyond his work in opinion journalism, Dowd has served as an adjunct professor and university lecturer; congressional aide; and administrator, researcher and writer at leading think tanks, including the Hudson Institute, Sagamore Institute and Fraser Institute. An award-winning writer, Dowd has been interviewed by Fox News Channel, Cox News Service, The Washington Times, The National Post, the Australian Broadcasting Corporation and numerous radio programs across North America. In addition, his work has been quoted by and/or reprinted in The Guardian, CBS News, BBC News and the Council on Foreign Relations. Dowd holds degrees from Butler University and Indiana University. Follow him at twitter.com/alanwdowd.

ASCF News

Scott Tilley is a Senior Fellow at the American Security Council Foundation, where he writes the “Technical Power” column, focusing on the societal and national security implications of advanced technology in cybersecurity, space, and foreign relations.

He is an emeritus professor at the Florida Institute of Technology. Previously, he was with the University of California, Riverside, Carnegie Mellon University’s Software Engineering Institute, and IBM. His research and teaching were in the areas of computer science, software & systems engineering, educational technology, the design of communication, and business information systems.

He is president and founder of the Center for Technology & Society, president and co-founder of Big Data Florida, past president of INCOSE Space Coast, and a Space Coast Writers’ Guild Fellow.

He has authored over 150 academic papers and has published 28 books (technical and non-technical), most recently Systems Analysis & Design (Cengage, 2020), SPACE (Anthology Alliance, 2019), and Technical Justice (CTS Press, 2019). He wrote the “Technology Today” column for FLORIDA TODAY from 2010 to 2018.

He is a popular public speaker, having delivered numerous keynote presentations and “Tech Talks” for a general audience. Recent examples include the role of big data in the space program, a four-part series on machine learning, and a four-part series on fake news.

He holds a Ph.D. in computer science from the University of Victoria (1995).

Contact him at stilley@cts.today.

How to secure the U.S. government’s technology supply chain

Tuesday, March 3, 2020

Categories: ASCF News Bipartisianship Cyber Security

Comments: 0

Anthony Pelli, BSI

Fears of a full-on cyberattack, or more insidious scattered technical invasions, have escalated since the 2016 U.S. presidential election was found to be influenced by foreign hacking. More recently, unrest in the Middle East following U.S. threats of war against Iran, as well as the 2020 elections have fueled concerns about vulnerability in the American government’s technical supply chain.

At the same time the U.S. government is working to prevent foreign telecommunications firms like China-based Huawei from building 5G networks in the United States, as well as for allies’ networks that they could breach, the country could face a more menacing risk from its own IT supply chain exposure.

Comprehensive policies lacking

The U.S.-China Economic and Security Review Commission in a 2018 report on this threat declared that U.S. government laws and policies do not currently address supply chain risk management comprehensively. The commission, created by Congress to report on the national security implications of the U.S.-China trade relationship, stated that Chinese companies are used to further state goals and target U.S. federal networks and those of its contractors.

“The U.S. government needs a national strategy for supply chain risk management (SCRM) of commercial supply chain vulnerabilities in U.S. federal information and communications technology (ICT), including procurement linked to the People’s Republic of China,” the report warned.

Future risks to the supply chain will involve software, cloud-based infrastructures and hyper-converged products, rather than simply hardware, the report said. The business alliances, investment sources and joint research of vendors, suppliers or manufacturers are also sources of risk that are not always included in traditional supply chain risk assessment.

Similar worries plague large private-sector organizations, and for good reason: Securing a complex technology supply chain can’t begin until it’s understood where the dangers lie, and how to implement a course of action that builds resiliency in that supply chain.

The U.S. government’s chief information security officer, Grant Schneider, in December 2019 told a technology security summit that there are still few answers on how to secure the government’s technology supply chain. “Could [a company] come under the influence of a foreign adversary in any way shape or form? Is there quality where we need it to be? … How do we ensure their supply chain and the parts that they’re taking in and putting inside their box are actually the parts they’re expecting?”

Who should be the auditor?

The federal government isn’t certain whether it should conduct its own assessments of which technology contractors in its chain are meeting requirements, or whether that assessment function should be handled by a third party, Schneider admitted. The vetting responsibility gains urgency when you realize many of the U.S. government’s technology suppliers are foreign entities that could be susceptible to interference by adversarial nations or rogue terrorist actors.

In light of the unease of the U.S. government’s top cybersecurity boss over weaknesses in the nation’s technology supply chain, here are several recommendation on how to keep you supply chain secure.

First, agree on a consistent standard. Standards like ISO 28000, which outline specific requirements for a security management system, including aspects critical to security assurance of the supply chain, or the U.S. National Institute of Standards and Technology (NIST) framework, which provides voluntary guidance, based on existing standards, guidelines and practices for organizations to better manage and reduce cybersecurity risk are both excellent starting points. Regardless of which standard is chosen, a clear set of requirements for the government or business to follow can help ensure technology supply chains are secure.

Build supply chain security into contracting requirements. Make it mandatory for bidding that companies abide by particular supply chain security requirements.

Include supply chain security requirements in regular audits of vendors and contractors, benchmarking them against the standard, and include these measurements in evaluations of overall vendor performance.

Be active in building databases of supply chain security-related incidents and suppliers that have been identified as higher-risk. Intelligence-sharing among government agencies, between government and the private sector and within a company’s industry would help in this area as well, to ensure that organizations are more prepared for emerging perils and can avoid common pitfalls once they realize they have them with their suppliers.

Continue to stress the importance of corporate due diligence. This is already a priority from an anti-corruption perspective, but it should be extended as a general supply chain measure. Suppliers should be vetted for their possible connections to foreign governments (or “politically exposed persons,” in the parlance of due diligence) to determine how much influence those foreign governments may have over them.

To address sensitive, mission-critical challenges like the U.S. government faces today with its technology pipeline, organizations need to understand where their vulnerabilities lie and take actions that build resiliency into the supply chain. There are always numerous risks in every supply chain. Comprehending those risks, where they exist, and their predictability helps governments — and all organizations — mitigate the delays, costs and dangers that can result.

Tony is a supply chain risk consultant at BSI Supply Chain Services and Solutions with a range of specialized skill sets, including experience in conducting end-to-end, enterprise-level supply chain risk assessments for clients and their supply chain partners. Tony has led assessments where he models, forecasts and quantifies the risk of cargo theft, counterfeiting and other supply chain risks, and has assessed over $50 billion in trade in the electronics, pharmaceutical and consumer products industries over the past three years.

 

Photo: In light of the unease of the U.S. government’s top cybersecurity boss over weaknesses in the nation’s technology supply chain, here are several recommendation. (metamorworks/Getty Images)

Comments RSS feed for comments on this page

There are no comments yet. Be the first to add a comment by using the form below.

Search