Comment: Securing the Supply Chain
Supply chains have existed as long as we’ve had commerce. The rise of the Internet started a phase of rapid evolution, often making supply networks shallower but wider, with increased specialization and more participants in global exchange.
Many of these changes improved efficiency and agility and, for those skilled at adapting, offered new ways to outpace competitors.
Viewed from a security perspective, however, the modern network fabric is also a serious cause for concern.
What is the issue? It is about networks of interdependence. We extract major economic benefits from modern supply chains because each organization can focus on just its core mission or specialty. This narrowing of focus is very effective, allowing each organization to be the best at whatever it does: making widgets, transporting them, or adding value by assembling parts made by other specialists. But this same effect, focus on just one aspect of a system, means the system as a whole becomes fragile. The person responsible for an aircraft carrier can do an amazing job protecting the vessel and the dockyard, but the ship is still composed of countless parts made elsewhere, under the control of other organizations. So, if an attacker cannot easily compromise the finished ship in the dockyard, they move up the chain and compromise components that are later added to the ship during system integration. The same analogy applies to non-military systems. Any large system built out of components is only as strong as the security of its weakest component supplier.
This is why it is not enough to let suppliers compete on price or customer satisfaction alone. Security costs money, so if we procure everything from the lowest bidder, we will get the (lack of) security we are paying for. Security is like quality: you cannot assume that because a supplier delivered a good outcome today, they will do so tomorrow. Supply chains addressed the challenge of repeatable quality through standards and audits. Organizations establish baselines of what it takes to make a reliable product, and then build the supply chain around those who can meet the standard. The time has come for comparable efforts around cybersecurity and digital resilience across the supply chain.
Unfortunately, while the approach to quality is a good guide to what is needed, the details in cybersecurity are quite different. When an organization specializes in making a thing or providing a service, it knows all about that thing or service and what constitutes high or low quality. In effect, each player in the supply chain is the expert when it comes to achieving quality. Its customers may know more about what specifications or quality levels are needed, but the supplier knows the details of how to meet the bar, where to optimize, and what works. Security is not like that. Security problems are abstract, complex, and often divorced from the details of the organization's core mission. Malware, and defense against malware, is not a core competence of any typical organization (except the few companies whose sole focus is building countermeasures). Social engineering attacks exploit common features of human psychology and are not unique to any one company. This is why it is hard for specialized, optimized, efficient companies occupying a niche in a supply chain to also achieve high levels of security: it is not their core competence.
So how can this be addressed? The supply chain needs to be resilient against cyber attacks without every individual company needing to be a world-class expert on the evolving threat landscape; that is simply not practical. Instead, we need to focus on measurable standards and on automation to validate compliance. Publishing more security advice has not worked well over the last 20 years, and there are already far too many guidebooks on what it takes to be secure. The core challenge is not that we have no idea how to make secure systems. It is that doing even the basics, consistently and at scale, is extremely hard, and this challenge is only amplified when spread across a modern, complex supply chain.
Organizations need to figure out how each company in a supply chain can demonstrate that it follows fundamental best practices without embedding a cyber expert in every company. This is why machine reasoning is required: we can teach software what the rules are and how to tell a solid security infrastructure from Swiss cheese. Software can then automate the assessment, so that not just one company but the whole supply chain can step up to a higher level of resilience against cyber attacks.
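To make the "teach software the rules" idea concrete, here is an added illustration (not code or tooling from the original article) of a rule-based assessment run over a small supply tree. The rule identifiers, thresholds and supplier names are invented for the example, as is the assumption that each supplier can export machine-readable evidence of its controls; the point is that encoding the baseline as predicates lets the same check run unchanged over every tier and report the weakest link.

```python
"""Illustrative rule-based supply-chain assessment (constructed example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Evidence:
    """Machine-readable facts a supplier's own tooling could export.
    Field names and semantics are assumptions made for this example."""
    supplier: str
    mfa_enforced: bool          # all staff accounts require a second factor
    max_patch_age_days: int     # oldest unpatched critical finding, in days
    builds_signed: bool         # release artifacts carry verifiable signatures
    sbom_published: bool        # a software bill of materials ships with releases
    subsuppliers: List["Evidence"] = field(default_factory=list)


# The baseline, expressed as (rule id, predicate). Ids/thresholds are invented.
RULES: List[Tuple[str, Callable[[Evidence], bool]]] = [
    ("MFA-1", lambda e: e.mfa_enforced),
    ("PATCH-30", lambda e: e.max_patch_age_days <= 30),
    ("BUILD-SIGN", lambda e: e.builds_signed),
    ("SBOM", lambda e: e.sbom_published),
]


def assess(e: Evidence) -> List[str]:
    """Return the ids of the baseline rules this one supplier fails."""
    return [rule_id for rule_id, check in RULES if not check(e)]


def assess_chain(root: Evidence) -> Dict[str, List[str]]:
    """Walk the whole supply tree and assess every node with the same rules."""
    results: Dict[str, List[str]] = {}
    stack = [root]
    while stack:
        node = stack.pop()
        results[node.supplier] = assess(node)
        stack.extend(node.subsuppliers)
    return results


def weakest_links(results: Dict[str, List[str]]) -> List[str]:
    """Suppliers failing the most rules; the chain is only as strong as these."""
    worst = max((len(f) for f in results.values()), default=0)
    if worst == 0:
        return []
    return sorted(s for s, f in results.items() if len(f) == worst)


# Constructed sample chain: an integrator buying from two part makers,
# one of which has its own sub-supplier. All values are made up.
SAMPLE_CHAIN = Evidence(
    supplier="integrator", mfa_enforced=True, max_patch_age_days=7,
    builds_signed=True, sbom_published=True,
    subsuppliers=[
        Evidence(supplier="partsco-a", mfa_enforced=True, max_patch_age_days=20,
                 builds_signed=True, sbom_published=True),
        Evidence(supplier="partsco-b", mfa_enforced=False, max_patch_age_days=95,
                 builds_signed=True, sbom_published=True,
                 subsuppliers=[
                     Evidence(supplier="subco-c", mfa_enforced=True,
                              max_patch_age_days=12, builds_signed=True,
                              sbom_published=False),
                 ]),
    ],
)

if __name__ == "__main__":
    report = assess_chain(SAMPLE_CHAIN)
    for name, failures in sorted(report.items()):
        print(f"{name:12s} {'PASS' if not failures else 'FAIL ' + ', '.join(failures)}")
    print("weakest link(s):", weakest_links(report))
```

Running the block prints a pass/fail line per supplier and names `partsco-b` as the weakest link, even though the integrator itself passes every rule. Replacing the invented predicates with an organization's real baseline, and the hand-built `Evidence` with data pulled from each supplier's systems, is what turns questionnaires into continuous, automated assessment.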
By now, we have learned a lot about how to make supply chains resilient to natural disasters such as floods and earthquakes. Achieving the same resilience in an increasingly online world requires moving beyond questionnaires and checklists, and instead using technology to monitor all the technology our supply chains now depend on.