A Call To Action For Supply Chain Cybersecurity
Pre-Event Webinar for the 12th Annual Billington CyberSecurity Summit, October 6-8, 2021 (Virtual)
A recap of a Billington Webinar Speaker Series, Sponsored by Oliver Wyman
As more devices become interconnected, digital supply chain risk management becomes even more critically important. On the recent Oliver Wyman digital supply chain webinar we heard different perspectives on what digital supply chain risk is, how the Executive Order affects it, and what its future looks like. The panelists were Dr. Greg Rattray, Partner and Founder, Next Peak LLC; Greg Touhill, Director, CERT Division, Software Engineering Institute; and Bob Kolasky, Director of the National Risk Management Center, U.S. Department of Homeland Security. Paul Mee, Cyber Risk Platform Lead, Oliver Wyman Forum, moderated the discussion.
The discussion started with what might seem like a simple question, but has an increasingly complex answer as technology becomes more interdependent: what is digital supply chain risk?
Greg Rattray argues for an expansive understanding of what the digital supply chain is: “The foundation that you conduct your lives and businesses on is built on this supply chain. You have to take an expansive view of this within an organization and recognize that you can think about it in a classic way – the vendors that provide you products and services – but we also let our employees use their own devices, we develop applications inside of organizations, but even that’s becoming more and more rare. And we’re largely dependent on applications that are based out in the cloud and our software services, which are constantly updating themselves, so you don’t buy it once, you buy exposure to digital service as an ongoing matter. Your whole functionalities in terms of human resources, or even the servicing of your own IT problems in terms of service desks, are digital services that need to be managed as risk. Then of course the journey by most organizations now into the cloud, and dependency on that for applications they use to conduct business as well as even compute services [are part of the digital supply chain].”
The conversation moved into the May 2021 Executive Order and how this implicates the cyber landscape.
Bob Kolasky explains: “Part of [the EO] is the President calling for the executive branch to advance our state of cybersecurity and catch up with what is available, what are right now recognized as the best ways to secure critical information and protect essential functions. Why it’s so exciting for a conversation like this, the fact that we do so much business, we have so many suppliers, almost every key big company in this space who delivers ICT [information and communication technology] does some element of business with the federal government. And so by asking to have our own house in order, advancing to things that’s going to encourage them to do the same thing and require companies who want to do business with the federal government to do the same. So we’re going to advance the security of ICT systems and the transparency and promotion of the security of ICT systems because as suppliers to the federal government they’re going to have to meet requirements to do business with us. And then we expect that will have downstream effects on the overall ICT market.”
Greg Touhill believes that there is a lot of promise with the Executive Order, but there will be a lot of work ahead to go from the policy to the implementation. “There’s going to have to be a lot of evangelization by government personnel to put some pressing confidence behind some of these initiatives, because they are not easy, nor are they going to be inexpensive. Case in point, the software bill of materials: how far back do you want to go? Being able to trace back provenance in a software bill of materials, how far back you want to go is a key issue, because it’s going to come with a cost. On the software licensing, there’s no meat on that bone yet. And then finally, about the cyber safety review board. There’s a lot of good examples on how that has been done in the past, for example when the Air Force personnel system crashed… There are some things that we can do to accelerate and use lessons learned to buy down our risk of establishing these new programs, and it’s just a question of getting that kind of information and having different communities of interest talk with each other. So a lot of promise, but there’s still a lot of work to do.”
With regard to the consumer software labeling program, Paul Mee questioned if this would cause buyers to become less diligent in selecting suppliers.
Greg Rattray thinks that this is a potential risk for large enterprises that are used to selecting suppliers carefully, but for smaller companies without the resources to do so, labeling helps them achieve some fundamental security in selecting suppliers. He says, “It’s probably more an issue of identifying what you shouldn’t buy than an issue of, if you get the label, it’s inherently safe. So I think there is value to some centralized functionality, whether it’s homed in the private sector or the public sector, doing good grading and identifying things that are probably dangerous to buy. I think it’s fair to say that in large critical situations, the operators of those systems better do their own diligence… and you need to understand how you interact with the supplier. So there are contexts where you can’t outsource the due diligence around the supply chain.”
In light of the differences between big and small companies, Bob Kolasky recognizes the need for buyers to exert some influence over their suppliers to be able to evaluate the security of their products. He says, “It is easy if you are big. If you have leverage over your suppliers as an organization to put that in place via contracts and competition and putting in the time to [test]. But the reality is a lot of times, you don’t have that kind of leverage over suppliers, you are just a purchaser of something, and they’re going to treat you as such… Relying on something like the federal enterprise, which is a big purchaser, is going to help benefit that because the average company is not going to be able to deploy that much leverage over the stuff they need for critical organization.”
Paul Mee noted that achieving a secure supply base will require a talented workforce. But do we have this capability?
Greg Touhill thinks so. “We have plenty of talent and we have plenty of workforce,” he said. “I don’t think we’re well aligned as far as marrying that talent with the needs and paying them at a competitive level, particularly in government and government-affiliated activities. As we take a look at the agendas that are being proposed, they’re all very ambitious, and they don’t come cheap. So if in fact we want to execute them well, we’re going to have to make sure that we target our education and training programs to make sure that we have the pipeline of the right people in the right place at the right time with the right skills.”
We’d like to thank Paul Mee for moderating and Oliver Wyman for sponsoring this Webinar. We’d also like to thank Greg Touhill, Greg Rattray, and Bob Kolasky.
To continue this very important conversation, we have two panels addressing supply chain specifically at The 12th Annual Billington CyberSecurity Summit, October 6-8.