Global supply chains span continents and time zones, vastly enlarging potential attack surfaces. When government agencies procure IT products from sources that can’t be verified as secure, they introduce into their enterprise global-scale risk.
Glen Urban, former dean of the MIT Sloan School of Management and originator of trust-based marketing, posited that all successful business is based on trust. Federal agencies must have confidence in a procurement process comprising tens of thousands of suppliers and sub-suppliers.
“If you can’t trust your partners or your supply chain, you are not going to be successful over the long term,” Gardner said.
Like disruptive natural events, bad actors introduce chaos into the supply chain. The biggest source of disruption is state-funded advanced persistent threats (APTs), which seek to control or sabotage government IT systems and agencies. Similarly, criminal organizations try to embed ransomware in order to extort funds from victims. They also steal private data, such as credit card information, usernames and Social Security numbers, to fuel the lucrative and illegal practice of identity theft.
“Civilian hackers, a lesser threat, are dangerous because they are unpredictable,” Gardner said. “Sometimes they screw up networks and shut a whole company down.”
Saboteurs have installed counterfeit components on the boards of products, such as the “ET Phone Home” hack that siphoned off targeted data streams on compromised products. A sample audit of products shipped by a large IT vendor a few years ago found that 30% of parts sold by the company weren’t legitimate components. “Underhanded suppliers … had taken out the boards and put in a lesser board that didn’t run as fast or have as much memory,” Gardner said.
In another potential ruse, a ship departs a location like Taiwan with IT products bound for California. Its tracking system goes down in transit. The vessel arrives two weeks late. Did the ship change course to avoid a typhoon, or for some other reason stated by the vessel’s captain, or was there a rendezvous at sea or a deviation from the route that compromised the products’ integrity?
Solution: Practicing Procurement Hygiene
Securing the IT supply chain is a process of working with trusted partners to analyze risk and make sound decisions. Established IT companies have relationships with suppliers, developed over decades, that they leverage to reduce that risk.
Historically, the drivers of government acquisitions were cost, performance and scheduling (CPS). Agencies acquired IT products with specific performance capabilities and metrics, on a schedule, at the best value or lowest price technically acceptable. That’s no longer good enough, say a growing number of leaders in the field.
“We’ve got to look at who has the best cybersecurity and who has the most secure supply chain, and only then look at cost, performance and schedule,” Gardner said.
Procuring technology from the low-cost bidder is a high-stakes gamble. Cities victimized by ransomware attacks in recent years were vulnerable, in part, because they had procured IT products with security flaws. “If you don’t make product decisions with security as the No. 1 factor in the selection process, you are putting your mission and your agency at risk,” Gardner said.
Moreover, agencies can anticipate and plan for supply chain disruptions. When a tsunami hits Japan or Taiwan and wipes out a factory, or a tornado levels a large IT storage center in Tennessee, disruptions to supply chains can compromise the functional capacity of agencies that don’t have backup. Agencies can lessen the impact of unavoidable disruptions by planning for redundancy – diversifying procurement channels and partnering with vendors that have strong security records.
“You’re not going to cover every possible threat or risk, so you try to design your system and your processes to identify and focus on major risks, the ones that could cause the most damage,” Gardner said.