Supply Side Cyber
The good news: Pretty much everyone agrees that the United States needs to act ASAP to secure its information and communications technology (ICT) supply chain.
The bad: For researchers, congressional staffers and the concerned public alike, the environment is changing, fast. And it’s hard to keep up.
For the rest of the year, as part of its efforts with the Secure and Competitive Markets Initiative, the R Street Institute’s Cybersecurity team will be putting out a limited series offering an overview of the top five developments in ICT supply chain security for that month.
The bottom line: Supply chain security is complicated, and the more accessible we make it to more people, the better we can rise as a community and country to meet the challenge.
Got a new ICT supply chain report that you think we should highlight? Send it our way! Did we make a mistake? Let us know! [email protected]
- The Endless Frontier Act gets a new name—and a wide range of new priorities
Update: On June 8, the U.S. Senate passed the U.S. Innovation and Competition Act by a vote of 68-32.
The bipartisan legislation designed to bolster U.S. investment in technology and innovation will be taken back up this week in the Senate. Introduced by Sens. Chuck Schumer (D-N.Y.) and Todd Young (R-Ind.) earlier this year, the Endless Frontier Act has spiraled from a discreet yet ambitious bill originally proposed in the 116th Congress to a 1400+ page monster renamed the “U.S. Innovation and Competition Act.” Critics aren’t thrilled.
As it currently stands, the bill paves the way for billions in new and replacement funding to spur the creation of new technology hubs across the country, increase investment in semiconductor research and manufacturing, and stand up a technology directorate at the National Science Foundation. There’s also a directive to the Commerce Department to create a new “supply chain resiliency and crisis response program,” new reporting requirements, and a response and recovery fund for local governments responding to cyber crises. We’re pretty sure it’s got funding for 5G and NASA too, but we got lost somewhere in the amendments adding labeling requirements for king crab. In short, this bill is about countering China by focusing on U.S. competitiveness—and on the whole, we’d like to see some version of it passed.
For more: If you’re looking for a short comprehensive take on the bill’s components, see here. For the latest on how a vote on the bill has been further delayed, see here. And if you’re into podcasts, Lawfare has got a good take here.
- The GAO gets ghosted
Just before the 2020 election last fall, the Government Accountability Office (GAO) privately warned 23 key U.S. agencies—including the Departments of Homeland Security, Justice and Commerce; the National Science Foundation; and Office of Personnel Management—that their ICT supply chain security strategies were not up to par, and dished them up 145 recommendations to fix the problems. In the wake of the SolarWinds hack, the GAO dropped a public version of the report, flagging that none of the agencies had implemented the full slate of recommendations and that some hadn’t implemented any. Five months later, the GAO’s inbox remains relatively empty. On May 25, the GAO testified before Congress, warning that, once again, their recommendations were being treated more like advice from your parents about your love life.
Why does this matter? In addition to making the poor folks at the GAO struggle to repackage the same advice in a fresh way in their fall check-in evaluating agency responses to SolarWinds, this stagnation leaves agencies vulnerable to exploits and campaigns. While agencies blamed the delay on an absence of guidance from the Office of Management and Budget’s Federal Acquisition Security Council (FASC)—which was supposed to finish its recommendations last year—the GAO pointed them back to other examples of federal guidance and said to get a move on. But that’s really all they can do at this point: the GAO is a congressional watchdog, and it doesn’t get to tell executive agencies how to live their lives—that’s what the Cybersecurity and Infrastructure Security Agency (CISA) is for.
For more: If you’re dying to read the GAO’s unclassified 2020 report, it’s here. If you’re looking for the congressional testimony, it’s here.
- No Quick Fix to Supply Chain Challenges—A Global Challenge Through the Eyes of Cisco
At this point, everyone’s heard about the global chip shortage that’s disrupting supply chains everywhere—but what does it mean for a U.S. networking heavyweight?
Cisco CEO Chuck Robbins and CFO Scott Herren have both stated that they expect supply chain troubles to affect their operations for the rest of 2021. Despite a 10 percent growth in product orders this quarter, Cisco has faced increased costs to keep manufacturing and shipping lines up and running. This means biting into what would otherwise be a nice earnings rebound after the effects of the COVID-19 pandemic—seeing as Cisco is trying to hold the line here and avoid passing on costs to the customer. Other companies have yet to report disruptions as serious as Cisco’s, but everyone’s hurting: many key U.S. manufacturers have reported shortages, production halts and disruptions.
Of course, a global problem requires a global solution—because as much as we talk about reshoring, alliances are indisputably a major part of the picture. At the end of April, the United States, Japan, Australia and India banded together to form the Supply Chain Resilience Initiative to form new supply chain partnerships between allies and promote security—a move that, of course, China viewed with equanimity.
For more: See President Joe Biden’s venting session on the chip problem with leading industry CEOs of General Motors, Ford, Google, Intel and representatives from the Taiwan Semiconductor Manufacturing Company and Hewlett-Packard. And here’s a new report from the Atlantic Council, explaining how the United States and Japan can improve their cooperation on semiconductors, rare earth minerals and more.
- The Cyber Executive Order
On May 12, President Biden signed the long-awaited “Executive Order on Improving the Nation’s Cybersecurity.” We were expecting a pretty wonky piece of policy, and it doesn’t disappoint.
For our purposes, the most interesting part of the executive order (EO) is its new software security requirements. The EO gives the National Institute of Standards and Technology (NIST)—the government agency rooted in the Department of Commerce and in charge of standards-setting for the United States—the responsibility of coming up with new guidelines and requirements for any software sold to the federal government. The NIST is also tasked with publishing the minimum requirements for a software bill of materials (SBOM, pronounced “s-bomb”) which is the cybersecurity equivalent of labeling the ingredients in commercially produced food.
The SBOM tells a purchaser what software components the developer put into the product they’re selling you. Why do we need this? It’s because so much of modern software relies on common elements, many of them open-source, and many of which are known to have vulnerabilities in them. There’s hope that an SBOM will: 1) encourage transparency on software development; and 2) force developers to rise to a higher standard of software security because they’ll get called out for using insecure components. Really, it’s mostly up to the NIST and the CISA to make the decisions that will ultimately define whether this EO packs a punch.
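To make the “ingredients label” idea concrete, here is an added example (ours, not part of the original post and not NIST’s format, which had not been published at the time of writing) of what a purchaser can do with an SBOM: parse a minimal, constructed component list and cross-reference it against a constructed advisory feed so that known-insecure components get called out. Component names, versions and advisory IDs are all made up.

```python
import json

# Constructed SBOM in a hypothetical minimal format: product identity plus,
# for each component, a name, version and supplier. Not a real product.
SAMPLE_SBOM = json.dumps({
    "product": "example-router-firmware",
    "version": "4.2.0",
    "components": [
        {"name": "libtlsexample", "version": "1.0.2", "supplier": "Example TLS Project"},
        {"name": "imgcodec", "version": "3.1.0", "supplier": "Example Media"},
        {"name": "jsonparse", "version": "0.9.7", "supplier": "Example Tools"},
    ],
})

# Constructed advisory feed: component name -> [(affected version, advisory id)].
# In practice this would come from a vulnerability database and use version
# ranges rather than exact matches; exact match keeps the example short.
ADVISORIES = {
    "libtlsexample": [("1.0.2", "ADVISORY-PLACEHOLDER-1")],
    "jsonparse": [("0.9.7", "ADVISORY-PLACEHOLDER-2")],
}


def parse_sbom(text):
    """Validate and normalise the SBOM; reject entries missing required fields."""
    doc = json.loads(text)
    comps = doc.get("components")
    if not isinstance(comps, list):
        raise ValueError("SBOM has no component list")
    parsed = []
    for c in comps:
        for field in ("name", "version", "supplier"):
            if not c.get(field):
                raise ValueError(f"component missing required field {field!r}")
        parsed.append((c["name"].lower(), c["version"], c["supplier"]))
    return parsed


def flag_known_vulnerable(components, advisories):
    """Return every component whose exact version appears in the advisory feed."""
    hits = []
    for name, version, supplier in components:
        for affected, adv_id in advisories.get(name, []):
            if version == affected:
                hits.append({"component": name, "version": version,
                             "supplier": supplier, "advisory": adv_id})
    return hits


if __name__ == "__main__":
    for hit in flag_known_vulnerable(parse_sbom(SAMPLE_SBOM), ADVISORIES):
        print(hit)
```

The same check, run again whenever the advisory feed changes, is what lets a purchaser learn about a newly disclosed flaw in a component without waiting for the vendor to say so.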
For more: If you’re not interested in reading the 8000+ word order by itself (here), you can take advantage of the Atlantic Council’s excellent inline mark-up, here.
- Colonial Pipeline’s No Good Very Bad Day
Of course, we have to touch on the Colonial Pipeline hack. We know, we know—an ICT supply chain issue didn’t cause it. But it was a huge disruption that exposed massive vulnerabilities in the U.S. supply chain and let’s face it: if there’s not enough gas or jet fuel to get 535 members of Congress home to their districts, no one is going to be talking about ICT supply chain security at all. (And for what it’s worth, the GAO already took the opportunity to say “I told you so” (see page 6)).
So, what happened here? DarkSide, a secret criminal nerd syndicate that appears to operate out of Russia, hit Colonial Pipeline with ransomware, locking up the company’s business systems. What was great was that the company had data backups. What wasn’t great was that it didn’t have the ability to get its systems back up and running. So Colonial shut down its 5,550+ mile pipeline that transports 45 percent of the East Coast’s gas and jet fuel, sending panicked customers flocking to the pumps to fill up their cars—and gas cans, storage bins and plastic grocery bags—with fuel. Not a great look.
The ICT supply chain security lesson in the Colonial Pipeline saga is that while we need to focus on preemptive security measures, the key word here is resiliency. Our supply chains are often going to take hits, whether owing to the COVID-19 pandemic, a SolarWinds-style hack or something else unexpected. The point is it’s unexpected. How we respond to these events matters. Because Colonial could have been a lot worse.
For more: Check out the R Street Institute’s post-mortem discussion panel on the hack, featuring panelist experts Maggie Morganti, Robert Knake and Nina Kollars, not to mention the Cybersecurity team’s own Tatyana Bolton and Paul Rosenzweig. And if you’re looking for a short explainer on why taking out a company’s business-side computers shut down its pipeline, here you go.
Image credit: toria