Broadening the Lens on Supply Chain Security in the Cyber Domain

Huawei and ZTE are not the only foreign companies that pose a risk to American national security. Other companies from China and Russia, such as Lenovo or Kaspersky, may also pose threats to American national security, given their countries’s problematic legal structures and history of cyber espionage.

Until now, the U.S. has lacked a unified strategy for dealing with supply chain vulnerabilities. The fragmentation of responsibility regarding makes cross-department communication and cooperation all the more imperative. If the U.S. approach to supply chain risk is not transparent, American citizens will be put at risk.

The new Federal Acquisition Security Council, created by the SECURE Technology Act, will need to address: (1) what public and private sector assets it should protect from supply chain risk; (2) the supply chain threat actors who pose the greatest risk; (3) the malicious tactics, techniques and procedures that such threat actors use or are likely to use in order to accomplish their objectives; (4) the vulnerabilities that exist to U.S. information systems and devices; (5) the most effective and efficient defensive measures and mitigation strategies for thwarting adversaries and recovering from failed mitigation efforts; and (6) the metrics and measures that public and private sector entities should use to accurately assess the supply chain threat and the effectiveness of risk mitigation and recovery efforts put in place to address those threats.