Supply chains have existed as long as we’ve had commerce. We have proof of extensive supply networks even three and a half thousand years ago, thanks to the discovery of the Late Bronze Age Uluburun shipwreck.
The rise of the Internet started a revolution in these time-honored structures, bringing rapid change through improved communication. This produced major benefits—supply chains often became shallower but wider, with increased specialization and more participants in the global exchange. Many of these changes improved efficiency, agility, and for those skilled at adapting, presented new ways to outpace competitors. This all sounds great, but from a security perspective, it also created serious new headaches. Supply chains have become complex and fragile, and prone to disruption from cyberattacks.
Just like a physical chain, a supply chain is only as strong as its weakest link. Today’s issues are about networks of interdependence. We extract major economic benefits from modern supply chains, because each organization can focus on its core mission or specialty. This narrowing of focus is very effective, allowing each organization to be the best at whatever it does—making widgets, transporting them, or adding value by assembling parts made by other specialists. But this same narrowing of focus on just one aspect of a system means the system as a whole becomes fragile.
For example, the person responsible for a large ship can do an amazing job protecting the assembled vessel and the dockyard, but the ship is composed of uncountable parts made elsewhere, under the control of other organizations. If an attacker can’t easily compromise the final ship, they can focus up the chain, compromising components that become part of the ship. This analogy plays out for other applications too—any large system built out of components is only as strong as the security of the weakest component supplier.
Security Costs Money
Therefore, it’s not enough to allow suppliers to compete on price or customer satisfaction. Security costs money. If we just procure everything from the lowest bidder, we will get the (lack of) security we’re paying for.
Security is like quality—you can’t just assume that a supplier delivering a good outcome today will do so tomorrow. The supply chain has had to face the challenge of repeatable quality through standards and audits. Organizations establish baselines of what it takes to make a quality, reliable product, then build their supply chains around those who can meet the standard. The time has come for comparable efforts around cybersecurity and digital resilience across the supply chain.
Unfortunately, while the approach to quality is a good guide to what is needed, the details in cybersecurity are quite a bit different. When an organization specializes in making a thing, or providing a service, they know all about that thing or service, and what constitutes high or low quality. In effect, each player in the supply chain is the expert when it comes to how to achieve quality. Their customers may know more about what specs or quality levels they want to get, but the supplier knows the details of how to meet the bar, where to optimize, and what works.
On the other hand, security problems are abstract, complex, and often divorced from the details of the core mission of the organization. Malware, and defense against malware, is not a core competence for any typical organization (except the few companies whose sole focus is making countermeasures). Common attacks that trick well-meaning people into doing foolish things online are based on human psychology and are not unique to any one company. This is why it can be challenging for specialized, optimized, efficient companies occupying a niche in a supply chain to also achieve high levels of security—it’s simply not their core competence.
So how can this be addressed? The supply chain needs to be resilient against cyberattacks, without all the individual companies becoming world-class experts on the evolving cyber threat landscape. Having every company hire an expert just isn’t practical—there aren’t enough such people, even if all the companies could afford to pay them. Instead, we need to focus on measurable standards, and automation to validate compliance.
Publishing more security advice hasn’t worked out well for the last 20 years. There are far too many guidebooks on what it takes to be secure. The core challenge is not that we have a problem figuring out how to make secure systems. The problem is that doing the basics, consistently and at scale, is extremely hard. This challenge is only amplified when spread across a modern, complex supply chain.
New Security Standards
The DHS has established the ICT Supply Chain Task Force for critical infrastructure, and the DoD has published a draft of its Cybersecurity Maturity Model Certification. Both of these attack the problem head-on, essentially requiring that any participant in these vital supply chains must demonstrate its ability to follow basic security practices. This is a move in the right direction, but it won’t come cheap.
The real challenge for all supply chains is to figure out how each company in the chain can demonstrate they follow fundamental best practices without having to embed a cyber expert in each company. This is where computers and machine reasoning can help. We can teach software what the rules are and how to tell a solid security infrastructure from one with as many holes as Swiss cheese. With this automated assessment, the whole supply chain can mitigate those holes and step up to a higher level of resilience against cyberattacks.
By now, we’ve learned a lot about how to make supply chains that are resilient to natural disasters such as floods, earthquakes, and fires. To achieve the same resilience in an increasingly online world requires moving beyond questionnaires and checklists, to using technology to monitor all the technology our supply chains now depend on.