Q: What are we MISSING in the SCRM Discussion?
A: More than 50%
There are many historical examples how we as humans have missed the mark. It was not until Copernicus we better understood that the Earth was not the center of the universe. We did not believe that the Japanese dare encroach upon US dominance in the Pacific in the 1940s. It may be our ignorance and arrogance that have been serious problems for our global progress since the beginning of history. (And, we are only human some may say.)
The current challenge is found in the issue of Supply Chain Risk Management (SCRM). Is it just a matter of “supplies” or “products” that may be compromised, counterfeited, or just faked? Are we ignoring another component just as vital?
Like a vast desert, we may be inadvertently blinded by the expansiveness of the SCRM discussion. There may be another danger we are ignoring. The missing piece is:
SERVICES COMPONENT
While we may be able to rely on Approved Product Lists (APL) or scanning tools and software, we are likely failing to recognize an even greater threat. The threat posed by the people behind the product. These individuals are providing the source code, chip manufacturing, or ongoing maintenance support. We need to better understand the “upstream” individuals in order to better defend our IT systems.
This should be a needed next step as cybersecurity professionals work with governments, agencies, and businesses to better fortify their systems and networks. These individuals are further along the “supply chain,” and may in fact be able to inject unauthorized changes before, during, and even after the product is sold? Consideration needs to be made as we continue to address nation-state and lone-wolf actors on the Internet that are both growing and evolving sometimes far faster that the technical defenses alone.
Here are a few quick suggestions:
- Conduct background checks of employees, subcontractors, vendors, etc.
- Implement Continuous Monitoring–both automated and manual means to ensure protection from ongoing attacks against IT systems and environments.
- Implement training and education that reinforces Human Resources’ (HR) policies and procedures that clearly advises individuals of civil and criminal liabilities.
For example, while the discussion and debate continues regarding Chinese firms Huawei and ZTE by the US Government, let us consider the following suggested dichotomy that may offer a better construct for a complicated issue:
SCRM-P (Products)
SCRM-S (Services)
How do we better think about this emerging issue, and its global impacts?
Dr. Russo is currently the Senior Data Scientist with Cybersenetinel AI in Washington, DC. He is a former Senior Information Security Engineer within the Department of Defense’s (DOD) F-35 Joint Strike Fighter program. He has an extensive background in cybersecurity and is an expert in the Risk Management Framework (RMF) and DOD Instruction 8510, which implement RMF throughout the DOD and the federal government. He holds a Certified Information Systems Security Professional (CISSP) certification and a CISSP in information security architecture (ISSAP). He has a 2017 Chief Information Security Officer (CISO) certification from the National Defense University, Washington, DC. Dr. Russo retired from the US Army Reserves in 2012 as a Senior Intelligence Officer.
