Robert Hannigan is a senior member of The Cyber Initiatives Group, powered by The Cipher Brief.
EXPERT POINT OF VIEW – Asked recently what risk he was most concerned about, alongside Taiwan and Ukraine, Cipher Brief expert Gen. Stanley McChrystal said it was cybersecurity, especially in the supply chain.
General McChrystal is one of a growing group of America’s most senior operational and strategic commanders, including former Chairman of the Joint Chiefs of Staff Admiral Mike Mullen, who view the supply chain threat as existential. Unless the supply chain can be secured, the entire infrastructure on which Western economies rely, let alone their military defenses, will be compromised.
Two factors have brought the otherwise arid topic of supply chain security to the top of the political risk table. One of them was the pandemic, during which we became painfully aware of the fragility of supply chains and the over-reliance of Western countries on external suppliers, especially in China. We also realized how little we understand our supply chains – what companies are in them, who owns them, who controls them, and how they can be disrupted.
The other factor was the attack on SolarWinds almost exactly a year ago. The sophistication of this software supply chain compromise, which had likely been active for at least a year before its discovery, grabbed headlines around the world, in part because SolarWinds Orion was used by a variety of government agencies and large corporations. More acutely than many previous third-party compromises, it illustrated why companies in the supply chain are such attractive targets: their security is often poor, and they offer a smoother route into a vast range of customers, including many that would be worthwhile targets in their own right. The supply chain is the perfect asymmetric attack.
This attention is at least producing some useful focus.
There are two challenges. The first is visibility. Governments and businesses need to understand what the security of their tens of thousands of vendors looks like in real time. This means taking the same attitude towards the ecosystem of third parties as they would towards their own networks. It also means understanding ownership, control and a range of other dependencies. That requires constant monitoring of the supply chain, not occasional compliance exercises. Ultimately, this will probably have to be required by regulation, but there is no need to wait for it.
Beyond visibility and understanding, we must act. We need to move from assessing risk and admiring the problem to solving it. This means a range of actions, from helping vendors address weaknesses to resolving ownership issues. New UK legislation giving the government increased powers to intervene in mergers and acquisitions on national security grounds is long overdue and brings the UK into line with other Western countries. But these assessment processes will need to become dynamic and continuous to reflect the ever-changing nature of modern supplier ecosystems.
The complexity of the global supply chain is a creation of open economies and democratic societies; but unless it is secured, it will end up undermining them.