This post is also available in: עברית (Hebrew)
It appears that supply chains crucial to the US economy and national security are vulnerable to cyber threats.
US President Biden’s executive order on America’s Supply Chains issued in February 2021 gave seven Cabinet agencies a year to assess six critical industries for supply chain vulnerabilities, mainly software. Recent reports by several departments have revealed a wide range of vulnerabilities.
The departments of Commerce and Homeland Security found open-source software and firmware within the information and communications technology (ICT) industry vulnerable to exploitation by foreign adversaries and crime groups.
“The ubiquitous use of open-source software can threaten the security of the software supply chain given its vulnerability to exploitation,” reads Commerce and DHS’s report. “Furthermore, the complexity of the ICT supply chain has led many original equipment manufacturers (OEMs) to outsource firmware development to third-party suppliers, which introduces risks related to the lack of transparency into suppliers’ programming and cybersecurity standards.”
The Department of Energy‘s report deemed untrusted software developers a key vulnerability within the clean energy supply chain. The pandemic revealed an overreliance on software developers with opaque supply chains and a high risk of “cascading effects” should their products be compromised.
For that reason, Commerce and DHS recommended increasing investment in domestic software development, which already accounts for 40% of the U.S. workforce but is still seeing a talent shortage.
DOE recommended developing new supply chains for emerging technologies like machine learning and artificial intelligence with cybersecurity in mind, given the fact that energy sector systems are increasingly interconnected and automated. The report further advised DOE to partner with other agencies to create an Energy Sector Industrial Base Database and analytical and decision-modeling capabilities while increasing oversight.
Commerce and DHS suggested promoting cybersecurity-supply chain risk management (C-SCRM) practices through procurement and monitoring efforts, including the establishment of a Critical Supply Chain Resilience Program at the former.
The Department of Defense called cyber posture “essential” to mission success in its report and stressed a focus on C-SCRM to counter threats presented by suppliers, their products and subcomponents, and the supply chain itself. DOD recommended improving cyber threat intelligence with more detailed reports and cyber threat intelligence briefings. The department further advised increasing sharing of unclassified and classified cyber intelligence by growing its Cyber Crime Center (D3C) Defense Collaborative Information Sharing Environment (DCISE) and the National Security Agency’s Cybersecurity Collaboration Center, as reported by fedscoop.com.