Compliance Report. PHOTO: Cybercrime Magazine.

Compliance Report: It’s Time to Rethink Supply Chain Management to Include Cyber Risk

Why business, thought, and government leaders have their eye on supply chain cybersecurity

Rob Hegedus, CEO at Sera-Brynn

Suffolk, Va. – Feb. 15, 2018

True supply chain resiliency will rest on cybersecurity. According to research published by the SANS Institute, up to 80% of breaches are a result of supply chain issues. Recent and emerging laws imposing cyber requirements on industry, especially those that handle or create sensitive, non-classified U.S. government data, are directly addressing cybersecurity in the supply chain. In some cases, investing in supply chain cybersecurity is forward-thinking and competitive. In other cases, there is an applicable law that just straight-up imposes cybersecurity and reporting requirements on an organization’s suppliers, subcontractors, and third-party vendors.

In this report, Sera-Brynn will discuss how and why companies and organizations are expanding cyber risk management to secure their supply chains.

But First, A Very Brief History

The use of supply chains to efficiently produce goods evolved over hundreds of years — from moving goods along the Silk Road, to Viking shipbuilding, to the Industrial Revolution. The American System of Manufacturing, credited with advancing the use of pre-manufactured parts, assembly lines, and mass production, started in the 1800s and peaked in the 1960s. The International Organization for Standardization (ISO) began operations in 1947 to help standardize industrial practices and continues to this day. After the internet was created and web browsers made it accessible (Mosaic was created in 1993; Google in 1998), cyber risk became a prominent threat to supply chain production.

Supply Chain Management Today

Today, managing supply chain performance at high-functioning companies typically includes state-of-the-art technologies to enhance visibility into the chain, as well as the periodic use of outside experts or consultants to look for ways to boost performance. However, many companies manage their supply chains manually – with tools like spreadsheets and DIY databases. The trend now is to include cyber risk in any multi-dimensional approach to managing a supply chain, which is now conceptualized as an “ecosystem” rather than a linear “chain.”

Why the trend?

One reason is that cyber-attacks involving “back door” penetration through the supply chain are prevalent and newsworthy. For example, it was widely reported that the 2013 data breach suffered by the retailer Target, where up to 40 million credit and debit card numbers were stolen, was caused by hackers accessing Target’s network using credentials taken from a third-party vendor, a refrigeration and HVAC company. Media outlets are replete with stories of professional vendor breaches – at law, accounting, consulting, financial, and Wall Street firms. In 2017, it was widely reported that hackers stole money from third-party Amazon seller accounts.

Typical spear phishing attacks are successful because they take advantage of trusting business relationships, like those in the supply chain. The 2017 Cybersecurity Ventures Crime Report states that 91% of attacks by sophisticated cybercriminals start with spear phishing emails. When a cybercriminal spoofs a vendor’s email, creates a fake vendor webpage, and manages to collect a payment, this is a supply chain vulnerability. The crime demonstrates how interconnectivity is intrinsically exploitable. And this makes supply chain management very challenging.

Legal Requirements Drive Cybersecurity in the Supply Chain

Many U.S. and international laws now demand that businesses address cybersecurity throughout their supply chain. Some legal requirements that impact supply chain management include:

FAR and DFARS – Right now, under the Defense Federal Acquisition Regulation Supplement 252.204-7012, Defense contractors and their subcontractors must comply with cybersecurity and reporting requirements. There is an express supply chain flow-down clause embedded in the regulation. Most recently, the U.S. government announced its intent to start rulemaking in April 2018 to impose cybersecurity program requirements uniformly across agencies. Sera-Brynn is preparing for the expansion of the Controlled Unclassified Information (CUI) requirements we now see in Defense acquisitions to nearly all the executive agencies. We expect that third-party vendors will be addressed in this new regulation — which will undoubtedly have a major impact on U.S. government contracting.

FedRAMP – There are detailed vendor management and acquisition requirements for Cloud Service Providers (CSPs) who are or would like to be part of the Federal marketplace.

Financial Services – Requirements for managing third-party service providers are built into the New York State Department of Financial Services cybersecurity rule, and the Financial Industry Regulatory Authority includes provisions in its cybersecurity checklist for third parties handling sensitive information.

GDPR – The European Union’s General Data Protection Regulation (GDPR) has global reach and imposes penalties on companies that fail to secure their supply chain. It goes into effect in May 2018.

Other regulatory authorities, like the U.S. General Services Administration (GSA) and the U.S. Department of Homeland Security (DHS), are also in the process of writing rules that may impose requirements on supply chain management. Sera-Brynn and other industry analysts agree that the need to adhere to legal requirements is a major factor in the upward trend to manage cyber risk in the supply chain.

Cybersecurity in the Supply Chain is a National Security Priority

Lastly, supply chain resiliency is not only a business objective but also a national security priority. On December 18, 2017, the White House released the National Security Strategy (NSS). Published every four years, the document identifies the vital national interests of the country and sets the tone for the executive branch’s national security policy. The policy specifically calls for improved cybersecurity within Federal Government networks, critical infrastructure, American businesses, the Defense Industrial Base, and the U.S. National Security Innovation Base.

Supply chain cybersecurity is named as a vital national interest, as cyberattacks “cripple American businesses, weaken our Federal networks, and attack the tools and devices that Americans use every day to communicate and conduct business.” (NSS, at page 12). The NSS calls for improved response to cyberattacks on the country’s Defense Industrial Base as a “priority action,” stating:

    • A healthy defense industrial base is a critical element of U.S. power and the National Security Innovation Base. The ability of the military to surge in response to an emergency depends on our Nation’s ability to produce needed parts and systems, healthy and secure supply chains, and a skilled U.S. workforce. (NSS, page 29)

The National Security Policy also calls for greater cybersecurity in the U.S. National Security Innovation Base, the network of American companies, research institutions, universities, and laboratories that innovate. Specifically, the NSS calls for the need to protect the Innovation Base’s data and intellectual property from theft and other malicious activities, stating:

    The United States will expand our focus beyond protecting networks to protecting the data on those networks so that it remains secure—both at rest and in transit. To do this, the U.S. Government will encourage practices across companies and universities to defeat espionage and theft. (NSS, page 22)

Thus, from the U.S. government’s perspective, the innovation in thought and materials that flows from the private sector and academia is part of an interconnected web of suppliers – all of which face real risks in cyberspace. As a result, the analysts at Sera-Brynn fully anticipate that NIST-based standards will be imposed on more and more suppliers, in one fashion or another.

Sera-Brynn predicts that supply chain management in every sector will include cyber risk as a core component. Ultimately, the best supply chain strategy will fail if it doesn’t include cyber risk management.

Rob Hegedus is CEO at Sera-Brynn, a global Cybersecurity Audit and Advisory firm.

Contributors: Colleen H. Johnsons, Senior Cyber Legal Analyst; Heather Engel, Chief Strategy Officer.

Sera-Brynn is a FedRAMP Third Party Assessment Organization (3PAO) specializing in cyber risk management. Offering compliance and risk assessment, risk control, and incident response services, Sera-Brynn empowers clients to manage cyber risk and meet applicable and mandatory cybersecurity regulatory standards. Founded in 2011 by former members of the U.S. intelligence community, Sera-Brynn is ranked #9 worldwide on the Cybersecurity 500 list.