Over the last few years, policymakers in Washington, D.C. rightfully recognized that malicious actors could use the government’s information and communications technology (ICT) supply chain as an attack vector. However, subsequent efforts to thwart that threat have too often been reactive and superficial in their assessment of risk.
After Russian hackers allegedly worked with cybersecurity firm Kaspersky Labs to infiltrate U.S. National Security Administration (NSA) systems in 2015, the U.S. Department of Homeland Security (DHS) issued a Binding Operational Directive banning Kaspersky products from government networks. After intelligence emerged detailing the nefarious business practices of Chinese manufacturers Huawei and ZTE in the last few years, Congress passed multiple laws barring federal use of this equipment. The United States has played an elaborate game of whack-a-mole, creating a sprawling array of policies that, for the most part, either ban specific entities from government networks or make risk decisions based entirely on a source’s country of origin.
But at the end of the day, none of this proved effective against the recent SolarWinds Orion breach, which was arguably the biggest supply chain cyber-attack in U.S. history. The focus on a potential vendor’s country of origin could not account for the possibility of an adversary breaching U.S. networks by using a compromised American company as a conduit. Moreover, the cost to government agencies of coming into compliance with this patchwork of requirements detracted from federal IT personnel's ability to establish effective and proactive cybersecurity practices. A concerning report from the U.S. Government Accountability Office found that most government agencies did not follow established supply chain risk management (SCRM) best practices or have their own SCRM plans. In order to quickly improve the U.S. cyber and supply chain security posture, policymakers must reimagine the idea of a “trusted supplier” so that it looks beyond merely a source’s country of origin.
Fortunately, much of this work has already been done. For instance, the Prague Proposals endorsed by the U.S. government at the Prague 5G Security Conference as well as recommendations released by the Center for Strategic and International Studies (CSIS) fully consider what it means to be a trusted 5G vendor, and these recommendations can easily be extended to the broader IT ecosystem. Particularly, the CSIS recommendations acknowledge that while a source located in an adversarial nation state can pose a security risk, there are significant mitigation actions the source can take to offset that risk.
How can policymakers put these principles into practice? They should start with one simple policy change, as recommended by the DHS ICT Supply Chain Risk Management Task Force: requiring all federal acquisition personnel to source IT equipment from original equipment manufacturers (OEMs) or their authorized resellers. This will sharply reduce the risk that inauthentic end items and components, which will not have received the latest security upgrades and might be susceptible to tampering or malicious code, are plugged into government networks. Moreover, acquisition personnel should rely on Qualified Bidder Lists or Qualified Manufacturer Lists to establish their own trusted suppliers for high-priority IT procurements and update these lists frequently.
Government vendors should have the opportunity to proactively demonstrate the actions they take to protect their networks and supply chains through enhanced cybersecurity and product integrity mechanisms. Full implementation of NIST 800-161, Supply Chain Risk Management for Federal Information Systems, and of other global, industry-led standards like International Standards Organization (ISO)/International Electrotechnical Commission (IEC) 20243, ISO/IEC 27036, and International Society of Automation (ISA)/International Electrotechnical Commission (IEC) 62443 should be considered the hallmark of a trusted supplier. Vendors’ demonstration of enhanced product security practices like cryptographic code signing should also be strongly considered by acquisition personnel when evaluating bids.
Earlier this year, ITI released its U.S. Competitiveness Agenda, which outlines a broad scope of policy recommendations that would advance innovation and reinforce the U.S.’s position as a global economic leader. To further promote the goals outlined in the supply chain context, ITI recommends consolidating the current patchwork of requirements into a single risk-based framework, financially investing in SCRM, holding agencies accountable for their SCRM posture, and optimizing risk information sharing between the public and private sectors. We plan to build on this work as an engaged partner in efforts to secure the federal ICT supply chain and look forward to working with policymakers and federal personnel to secure government IT networks and reduce the magnitude of another breach.