Congressional Research Service


                                                                                                   June 29, 2018

Cyber Supply Chain Risk Management: An Introduction


Introduction
A supply chain consists of the system of organizations,
people, activities, information, and resources that provide
products or services to consumers. Like other types of
goods, a global supply chain exists for the development,
manufacture, and distribution of information technology
(IT) products (i.e., hardware and software). Recent media
have highlighted the risks posed to IT from the supply
chain.

In 2017, the U.S. Department of Homeland Security (DHS)
ordered federal agencies to remove Kaspersky security
products from their networks because of risk they posed.
Legislation was subsequently enacted codifying that order.
In addition, stories of persistent administrative passwords
on devices or otherwise vulnerable products allowing
unauthorized access to sensitive networks became more
frequent.

This year, Congress is considering additional measures to
promote cyber supply chain security (H.R. 5515 and S.
3085). Among other recent developments, DHS says it is
investigating cyber supply chain security further; the
Federal Communications Commission is considering
prohibiting foreign telecommunications equipment for
domestic use; and the U.S.-China Economic and Security
Review Commission has issued a report highlighting supply
chain concerns.

While interest in cyber supply chain security has increased
recently, there have been other periods of intense scrutiny
on supply chain issues. In 2012, for example, the White
House issued a report on global supply chain security; the
House Permanent Select Committee on Intelligence
(HPSCI) released an unclassified report on threats from
Chinese multinational companies Huawei and ZTE; ZTE
was exposed selling phones in the United States with
backdoor access; the Director of National Intelligence
(DNI) cited supply chain security as a major threat in the
Worldwide Threat Assessment; and the Government
Accountability Office (GAO) studied the issue.

This InFocus reviews cyber supply chain risks, discusses
ways in which they are currently managed, and provides
issues that Congress may consider.

Cyber Supply Chain Risks
One way to view risks to cyber supply chain security is
through the threat actors, their motivations, and ways in
which they may compromise technology. DNI identified
Russia, China, Iran, and North Korea as cyber threat
nations. However, in its report on Department of State
telecommunications, GAO highlights that technology is
manufactured worldwide and vulnerabilities may be
inserted by other actors. Some of those actors may include
foreign intelligence services, malicious insiders, or
criminals. These actors may be motivated to steal
intellectual property, tamper with products, insert
counterfeit goods, gain unauthorized access, sell extraneous
access, or manipulate the operation of technology. They
may accomplish their goals through inserting malicious
code in software, manipulating hardware, or a combination
of the two.

Cyber supply chain risks do not solely result from
malicious human interference. The National Institute of
Standards and Technology (NIST) finds that natural
disasters may impede delivery of critical network
components; poor quality assurance and engineering
practices from vendors may provide deficient products; or
an entity's own business practices may result in seeking,
buying, and managing sub-par goods. These threats may
result in data loss, modification, or exfiltration; system
failures; or unavailable products.

Managing Risks
NIST defines cyber supply chain risk management (C-SCRM)
as "the process of identifying, assessing, and
mitigating the risks associated with the distributed and
interconnected nature of [IT] product and service supply
chains." This definition distinguishes C-SCRM as an
ongoing activity, rather than a single task, and accounts for
the procurement and maintenance of hardware and
software.

NIST Special Publication 800-161 provides guidance to
federal agencies for how they may go about implementing
risk management practices. It recommends that C-SCRM
align with an organization's existing risk
management framework. Activities for risk management
include cataloguing current systems and business practices,
surveying systems for vulnerabilities, and developing
processes to mitigate those vulnerabilities on an ongoing
basis.

That a risk could manifest does not mean that it always
exists, nor is it managed as if it perpetually existed.
Instead, managers accept that risk is not binary but
exists on a spectrum. This perspective pushes managers to
consider how they are most at risk and prioritize mitigation
strategies. This defense-in-depth strategy accepts that
complete security is not guaranteed, but can lead system
administrators to deploy tools effectively so that they can
detect unwanted activity and stop damages from
compounding.
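As an added example (not part of the CRS report or of NIST's guidance), the following Python sketch turns the activities above into a small risk register: it catalogues components, scores each one's risk on a spectrum of likelihood times impact rather than as a yes/no flag, ranks them so the highest-risk items are mitigated first, and re-scores a component after a control is recorded, which is the ongoing part of C-SCRM. Every component name, supplier, weight, control effect and tier threshold is constructed for illustration; none is a NIST or CRS value.

```python
"""Minimal cyber supply chain risk register (added example, constructed data).

Catalogue -> score on a spectrum -> prioritize -> mitigate -> re-score.
The weights and thresholds are illustrative assumptions, not NIST figures.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Component:
    name: str
    supplier: str
    impact: int            # 1-5: consequence if compromised or unavailable
    supplier_trust: int    # 1-5: assurance level (5 = audited, verified provenance)
    open_vulns: int        # known, unpatched advisories against the deployed version
    single_source: bool    # no alternate supplier: a non-malicious availability risk
    controls: List[str] = field(default_factory=list)


# Constructed mitigation effects: each control lowers the likelihood score.
CONTROL_REDUCTION = {
    "integrity-verification": 2,   # signed firmware / hash checks on delivery
    "network-segmentation": 1,     # limits blast radius, makes unwanted activity easier to detect
    "second-source": 1,            # an alternate supplier is qualified
    "patch-applied": 2,            # open advisories closed on this version
}


def likelihood(c: Component) -> int:
    """Likelihood 1-9: weak supplier assurance, open vulns and single sourcing raise it;
    recorded controls lower it. Clamped so a score is never 'zero risk'."""
    score = (6 - c.supplier_trust) + min(c.open_vulns, 3) + (1 if c.single_source else 0)
    score -= sum(CONTROL_REDUCTION.get(ctrl, 0) for ctrl in c.controls)
    return max(1, min(score, 9))


def risk_score(c: Component) -> int:
    """Risk on a 1-45 spectrum: likelihood x impact."""
    return likelihood(c) * c.impact


def tier(score: int) -> str:
    """Map the score to a mitigation priority (thresholds are constructed)."""
    if score >= 25:
        return "mitigate now"
    if score >= 12:
        return "mitigate in next cycle"
    return "accept and monitor"


def prioritize(inventory: List[Component]) -> List[Tuple[str, int, str]]:
    """Rank the catalogue so the highest-risk components are handled first."""
    scored = [(c.name, risk_score(c), tier(risk_score(c))) for c in inventory]
    return sorted(scored, key=lambda t: -t[1])


def apply_control(c: Component, control: str) -> int:
    """Record a mitigation and return the re-assessed score."""
    if control not in CONTROL_REDUCTION:
        raise ValueError(f"unknown control: {control}")
    c.controls.append(control)
    return risk_score(c)


# Constructed inventory; suppliers are placeholders, not real vendors.
INVENTORY = [
    Component("core-router", "vendor-A (placeholder)", impact=5, supplier_trust=2,
              open_vulns=2, single_source=True),
    Component("badge-reader", "vendor-B (placeholder)", impact=2, supplier_trust=3,
              open_vulns=0, single_source=False),
    Component("backup-appliance", "vendor-C (placeholder)", impact=4, supplier_trust=4,
              open_vulns=1, single_source=True),
    Component("endpoint-security-suite", "vendor-D (placeholder)", impact=4,
              supplier_trust=1, open_vulns=0, single_source=False),
]


if __name__ == "__main__":
    for name, score, action in prioritize(INVENTORY):
        print(f"{name:25s} risk={score:2d}  {action}")
    router = INVENTORY[0]
    print("after integrity checks:", apply_control(router, "integrity-verification"))
    print("after segmentation:    ", apply_control(router, "network-segmentation"))
```

The ranking puts the single-sourced router with open advisories and a low-assurance supplier at the top; recording two controls moves it down the spectrum from "mitigate now" to "mitigate in next cycle" without ever reaching zero, which is the defense-in-depth point the text makes: mitigations reduce and bound risk, they do not eliminate it.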

Attackers may not know which defensive strategies are
deployed on the systems where their compromised IT is
installed. This uncertainty creates the possibility that
purposefully embedding vulnerabilities in technology will


www.crs.gov | 7-5700