Security pros draw a line at the firewall--what happens "out there" might be beyond their control, but a secure perimeter is intended to protect the data and systems within. That view, however, fails to take into account the role of developers, vendors, customers, users, and others along the supply chain of IT systems, hardware, and software coming into the enterprise. A new school of practice advocates a more encompassing approach to security that leaves none of those touch points unchecked.
It's called the cybersecurity supply chain, and, as it sounds, it applies the principles of supply chain management--product assembly and acquisition, data sharing among partners, governance, and more--to the security of IT systems and software. "Organizations need to realize that their borders are porous," says Jim Lewis, director and senior fellow of the Center for Strategic and International Studies' technology and public policy program. "We're no longer living behind a moat. It's not just how secure you are, but how secure the people you connect with are as well."
What comprises a cyber supply chain? Researchers at the University of Maryland's Robert H. Smith School of Business and the IT services firm SAIC, in a white paper published in June, define it as "the mass of IT systems--hardware, software, public, and classified networks--that together enable the uninterrupted operations" of government agencies, public companies, and their major suppliers. "The cyber supply chain includes the entire set of key actors and their organizational and process-level interactions that plan, build, manage, maintain, and defend this infrastructure."
Foreign nations already are carrying out supply chain attacks on IT systems belonging to the U.S. government, according to a presentation by Mitch Komaroff, director of the Department of Defense CIO's globalization task force. A simple example is hardware being delivered with malware installed. In the private sector, financial firms have become regular targets. These two sectors are also the most aggressive in looking at ways to fight the problem.
Two government efforts--the Bush administration's Comprehensive National Cyber Initiative and the Obama administration's Cybersecurity Policy Review--direct federal agencies to shore up their cyber supply chains. "The growing sophistication and diversity of cyberattacks makes this a threat," says Nicole Dean, deputy director of the Department of Homeland Security's National Cybersecurity Division, which oversees the Comprehensive National Cyber Initiative.
In most companies, tackling this problem will require new levels of collaboration among security, IT, and supply chain managers. "From a defensive standpoint, few supply chain managers or supply chain risk managers have aligned their mission with their computer security center, and they're not commissioned to conduct joint operations," says Hart Rossman, CTO of cybersecurity solutions with SAIC and co-author of the cyber supply chain white paper. "If you think hardware or software has been compromised out of the box and you call your cybersecurity team, they're probably not prepared to deal with it because they're looking for viruses."
Counterfeiting is another risk. The Department of Justice recently arrested three California residents on counterfeiting charges. According to the indictment, the three imported counterfeit microprocessors from China. They also obtained legitimate chips, removed their original markings, then resold them to government agencies as "military grade" components.
