More choice leads to lower risk.
What is supply chain security?
A supply chain is the beginning-to-end process of designing, making, selling, and using a product. It is rare for one business to control the entire cycle, and most technology companies rely on many different suppliers spread across the globe. One organization mines raw materials. Another turns them into parts. Several others assemble the parts into larger building blocks, and the final goods assembler manufactures the product before distributing it. While software does not require physical shipping, it has its own supply chains, with software engineers across multiple countries developing applications with code from a wide variety of public or proprietary sources.
As these technology supply chains have become more complex, it has become increasingly difficult for individuals, organizations, and nations to understand and manage the associated risks. How can a power plant operator be confident that a safety sensor manufactured abroad has not been tampered with? How does a government agency ensure its new teleworking platform will not provide a backdoor for foreign intelligence agencies? How should an entire industry plan for the possibility of losing access to a rare element sourced from one country? Supply chain security aims to provide answers to these types of questions.
Why is this a priority?
Globalized technology supply chains have left the United States, its allies and partners, and critical industry sectors dependent on hardware and software components that could contain security vulnerabilities because of substandard design or malicious compromise. These vulnerabilities are especially serious because they can be difficult to detect and extremely costly to remedy once discovered, particularly when they are embedded in installed hardware that has a long lifecycle, which is a common scenario in critical infrastructure. And because supply chain components can constitute single points of failure, a security compromise in a widely used component could allow adversaries to launch devastating attacks with far-reaching impacts. In addition, overreliance on technologies produced or controlled by a small number of entities raises the specter of sudden restrictions that could cripple critical agencies or sectors.
While industry and government might diverge on specific methods for achieving supply chain security, most stakeholders agree on the goal: reliable and secure supply chains. Virtually all security practitioners and company managers want to reduce the degree of risk in their supply chains, which requires increased transparency, information, and choice.
- Robust competition in all markets that produce security-critical technology products and services.
- Increased information on and transparency of the components and security features of technology products and services, allowing businesses and agencies to better manage their supply chain risks.
What have been the obstacles to progress?
- Business realities: Companies and their executives need to generate profits; economic competitiveness and their fiduciary duty compel them to. As such, many firms select the lowest cost provider for components. This often compromises security to some degree, and many companies factor that additional risk into their decision making. At the same time, the national security risks of their decision to use lower cost options are not necessarily apparent from available information. As a result, policymakers may frequently have trouble persuading some private companies to switch to alternative suppliers that the policymakers believe pose less of a risk to national security.
- Lack of choice: Companies who might be willing to pay more for less risky supply chain components run into another challenge. In many sectors, a few technology suppliers dominate the market for certain products and services, limiting the ability of companies to take their business elsewhere.
- Reactive policy: Supply chain security demands foresight. Companies need to anticipate changes to their industry years in advance to adjust their business and plan investments. For example, it was clear many years ago that 5G networking equipment would become a central element of critical infrastructure. Yet policymakers only recently began working with industry to improve market competition in this space.
- The country-of-origin approach: National security concerns relating to supply chains sourced from specific countries are unlikely to persuade multinational, profit-minded businesses to upend their technology supply chains. Country-agnostic risk management strategies are more likely to appeal to CEOs and their board members.
We propose that the next administration and Congress advance supply chain security through two interrelated lines of effort:
- Market competition: Expand market competition in critical technology sectors to maximize access to products and services that meet acceptable security standards and can be sourced from trustworthy suppliers.
- Organizational risk management: Promote practices that can minimize the risk posed by threats (known or unknown) and vulnerabilities introduced via hardware, software, and technology suppliers, whether they are trustworthy or not.
Our aim is to generate a virtuous cycle of market incentives. Robust market competition incentivizes suppliers to meet customer demands for more secure technology. This in turn strengthens organizational risk management by creating a marketplace of trustworthy suppliers.
Of course, even the most secure, vetted technology system presents some security risk. Adversaries will always seek to exploit vulnerabilities and compromise supply chain integrity. Guaranteeing affordable access to trusted suppliers does not reduce the importance of defense-in-depth and risk mitigation strategies. Thus, promoting organizational risk management among critical companies and agencies must always remain a central concern for supply chain security.
- Promote security transparency. Organizational risk management benefits from transparency on how products and services are designed, implemented, and managed over time. Consumers, security practitioners, and procurement professionals need information on coding practices and the security features of hardware and software products. Some ongoing initiatives offer a solid foundation for encouraging more transparency among technology manufacturers and software developers:
- Device labeling. As the Internet of Things (IoT) continues to expand, insecure IoT devices are becoming integrated into home, small business, and larger enterprise networks. Many of these products fail to adhere to consensus security standards, such as the Aspen Cybersecurity Group’s IoT Security First Principles or more detailed guidelines like the NIST IoT Device Cybersecurity Capability Core Baseline and the C2 Consensus on IoT Device Security Baseline Capabilities. For years, observers have floated the development of a security labeling regime akin to the “Energy Star” label for efficient home appliances. The idea is to give security-conscious customers enough information to base at least part of their purchasing decision on cybersecurity risk, while creating demand for better security among customers who never think about it. This will in turn create market pressure for IoT manufacturers to adhere to best security practices. Researchers at Carnegie Mellon University have developed a prototype label design, and the Food and Drug Administration has issued draft guidance for medical device manufacturers with recommendations regarding labeling. Some doubt the value of IoT security labeling, questioning whether labels simple enough to understand might mislead users and create a false sense of security. Some research indicates otherwise, and Finland, Singapore, and the United Kingdom are all rolling out their own labeling regimes. The European Union’s cybersecurity agency also has plans to develop IoT security certifications following a new landmark law in 2019. The time is ripe for the White House and Congress to assemble a handful of willing IoT manufacturers to pilot real-world IoT security and privacy labels. This pilot will allow researchers to test the real-world effects of labels and zero in on standardized labeling criteria.
- Tools for managing risk of third-party software components. Many modern software products are a mishmash of smaller, third-party components that are created by a wide range of software developers. In most cases, it is extremely difficult for purchasers to know exactly what these components are and what vulnerabilities they might contain. Even for knowledgeable users and security practitioners, a lack of transparency makes managing risk challenging. The development and implementation of best practices, both for transparency and risk management, can support organizations as they integrate and leverage third-party components and software. Through an open, multi-stakeholder process, the National Telecommunications and Information Administration (NTIA) is developing the technical and operational practices for software developers to communicate the “ingredient list” of their software products, known as a Software Bill of Materials—a potentially helpful tool, albeit one with limitations. In addition, the Software Assurance Forum for Excellence in Code (SAFECode) has detailed recommendations for a lifecycle approach to managing security risks inherent in third-party software components.
- Create critical technology testing centers. Per a recommendation by the U.S. Cyberspace Solarium Commission, Congress should authorize federal agencies to designate, and provide appropriations for, three independent research organizations to evaluate and test the security of critical technologies in networking, industrial control systems, and open source software. As appropriate and lawful, the results of such tests should be published to inform industry supply chain management decisions, similar to the kinds of research products published by the United Kingdom’s Huawei Cyber Security Evaluation Centre.
- Publish a national industrial base strategy to maximize competition and innovation. Efforts to promote market competition in security-critical technology markets will require a proactive, whole-of-government approach that reflects the need for more active government participation while explicitly rejecting the kind of aggressive, nationalist market interventions practiced by other countries. The first step is a joint government-industry strategy “to ensure more trusted supply chains and the availability of critical information and communications technologies,” a key recommendation of the Cyberspace Solarium Commission. At a minimum, such a strategy should:
- Identify critical technology dependencies now and in the foreseeable future;
- Analyze where present and future market concentration could undermine the reliability or security of critical technology components;
- Articulate how current statutory and presidential authorities support specific programs for promoting market competition in those sectors to reduce market concentration;
- Specify statutory or regulatory changes necessary to promote such market competition;
- Consider both immediate and long-term impacts of potential actions on the competitiveness and R&D capabilities of U.S. and allied industries; and
- Outline objectives for generating a consensus with allies and partners on ensuring long-term, sustainable competition in critical technology markets.
Notably, this strategy should not seek to identify and strengthen “national champions”—individual companies that receive special, targeted federal assistance or regulatory relief. The stated purpose of this strategy should not be to ensure that only U.S.-based firms dominate every critical technology market worldwide. This could lead allies and industry partners overseas to conflate supply chain security with trade disputes, which turn on politics, not risk-based security analysis. The goal of an industrial strategy for supply chain security is to promote market competition and innovation to increase the availability of trustworthy technology suppliers, some of whom will have overseas headquarters in Europe or elsewhere. Yet this approach will clearly benefit American workers for the simple reason that competition and innovation are chief comparative advantages of American industry.
- Promote financial support for free and open source software. The digital economy is built on a foundation of free and open source software (FOSS). Countless companies depend on FOSS tools, libraries, and applications to conduct critical business functions. Yet despite its central importance, FOSS code is often supported by volunteers who work without any dedicated budget and struggle to ensure its security. This presents serious risks for the digital economy. In 2014, after experts discovered a potentially disastrous security flaw called Heartbleed in an open source encryption tool used globally, one open source expert remarked, “[The] mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn’t happened more often.” Addressing this resource gap requires that executives in all major industries (not just the tech sector) recognize their dependence on FOSS and commit to supporting the nonprofits that develop and maintain it. The Open Source Security Foundation (OpenSSF) is a new effort to promote collaboration between industry leaders interested in investing in open source security. The federal government should facilitate progress by encouraging more companies to join OpenSSF and directing more federal funding toward research on and the operational management of more secure open source infrastructure. Foundations and other philanthropic organizations are a destination for such funding, but in the early 2010s, the Internal Revenue Service began applying more scrutiny when granting 501(c)(3) status to organizations focused on open source development. This has generated a perception across the tech community that open source nonprofits might struggle to obtain tax-exempt status.
In 2017, researchers with the Berkman Klein Center at Harvard observed that “501(c)(3) status appears harder to obtain than ever for open source software organizations.” This is a key barrier to the secure and responsible management of the nation’s open source digital infrastructure, and IRS leadership should publicly clarify the rationale, if any, behind applying additional scrutiny to open source software nonprofit applications, as well as issue guidance to assist applicants in expediting the process.
Dig Deeper on Supply Chain Security
- Cyberspace Solarium Commission – White Paper #4: Building a Trusted ICT Supply Chain
- Ford Foundation – Roads and Bridges: The Unseen Labor Behind our Digital Infrastructure
- National Telecommunications and Information Administration – Introduction to Software Bill of Materials
Legislation, Regulations, Executive Orders, and Guidance
- Proposed Regulation – Securing the Information and Communications Technology and Services Supply Chain and Business Roundtable Comments
- Executive Order – Securing the Information and Communications Technology and Services Supply Chain
- Executive Order – Securing the United States Bulk-Power System
- Executive Order – Executive Order on Addressing the Threat to the Domestic Supply Chain from Reliance on Critical Minerals from Foreign Adversaries
- Legislation – MICROCHIPS Act of 2019
- Legislation – Secure 5G and Beyond Act of 2020
- Legislation – Cyber Supply Chain Management and Transparency Act of 2014
- Cyberspace Solarium Commission Legislative Proposal – Designate Critical Technology Security Centers (Page 114)