By Ryan White
(Re-published from Crossroads: Cybersecurity Law & Policy | Feb. 28, 2018)
A few weeks ago, an article from Nextgov, a website dedicated to “how technology and innovation are transforming the way government agencies serve citizens and perform vital functions,” described recent efforts by DHS to address cyber security risks as they relate to supply chains. The article quotes Jeanette Manfra, the head of DHS’s Office of Cybersecurity and Communications, who explained that “[t]he program’s major goals are to identify the greatest supply chain cyber threats, figure out if there are technical ways to mitigate those threats and, if not, figure out other solutions.” But other than barring companies with weak supply chain security from government contracts, no other solutions were mentioned. Below I look at what a cyber security supply chain policy might encompass.
One of the more prominent supply chain incidents in recent memory involved Hewlett Packard Enterprise, which, in an effort to expand its business, offered a Russian defense agency an inside look at a program called ArcSight.[i] The problem, however, was that the Pentagon relies heavily on ArcSight.[ii] The program is a “cybersecurity nerve center” that sends alerts when it detects a potential attack on a network.[iii] The program is also used frequently by private sector companies.[iv] By providing the program code to Russia, HP not only created a vulnerability for the United States but exposed that vulnerability to the most notorious cyber threat to the U.S. in recent years.
Another example of the cyber supply chain problem occurred several years ago with the United States Air Force. The Air Force had contracted with a vendor in an Asian country to produce hardware for one of the Air Force’s systems.[v] When the hardware arrived in the U.S. and the Air Force reviewed it, however, the chips were found to contain an extra transistor. While the chip performed its intended function, the Air Force could not decipher what else the piece would do with the extra transistor. As a result, that batch of hardware was disposed of and never installed.
These two examples highlight the breadth and depth of the challenges regarding supply chains and cyber security. Supply chain security implicates hardware and software, public sector and private, and in these two instances, Asia and Russia. The Air Force was fortunate enough to find the altered specifications in its hardware, and reports so far suggest no harm has come from Russia’s ArcSight review.
Every point in every supply chain presents a weakness for that product’s cybersecurity. Every individual human that comes into contact with every component piece of hardware or software is a potential threat. The threats to the supply chain include:[vi]
- Installation of hardware or software containing malicious logic
- Installation of counterfeit hardware or software
- Failure or disruption in the production or distribution of critical products
- Reliance on a malicious or unqualified service provider for the performance of technical services
- Installation of hardware or software that contains unintentional vulnerabilities
All of these create potential weaknesses that can be exploited at a later point in time. Vulnerabilities could be exploited to steal sensitive information. Anything a program does with data could also send a copy of that data to a third party. A vulnerability created by a nefarious actor somewhere in the supply chain could be a switch that lies dormant until activated, at which point it would disable the system. Depending on what system that might be, there could be devastating consequences.
Two major concepts underlie the cyber supply chain security issues in the United States: (1) the United States technology sector is dependent on hardware components manufactured all over the world; and (2) the United States government is heavily dependent on commercial off-the-shelf cyber programs.
The United States, both its government and its private citizens, has become increasingly dependent on an intricate global economy. This is particularly true when it comes to technology, as the cost of manufacturing in the U.S. has led to increases in outsourcing. For example, the production of one iPhone involves component parts made in the U.S., South Korea, Taiwan, Japan, and Germany that are all ultimately assembled in China.[vii] The diagram below shows a similar analysis for a standard laptop, whose component parts may come from as many as twenty different countries …
[i] “Special Report: HP Enterprise let Russia scrutinize cyberdefense system used by Pentagon,” Reuters (Oct. 2, 2017), http://www.reuters.com/article/us-usa-cyber-russia-hpe-specialreport/special-report-hp-enterprise-let-russia-scrutinize-cyberdefense-system-used-by-pentagon-idUSKCN1C716M.
[v] The facts of the Air Force narrative are from a series of conversations with Professor William C. Snyder, who had substantial knowledge of that situation’s details.
[vii] Cyber Supply Chain Security: A Crucial Step Toward U.S. Security, Prosperity, and Freedom in Cyberspace, Heritage Report, (Mar. 6, 2014) http://www.heritage.org/defense/report/cyber-supply-chain-security-crucial-step-toward-us-security-prosperity-and-freedom.
Ryan White is a third-year law student at Syracuse University College of Law and is also pursuing a Master of Public Administration degree from Syracuse’s Maxwell School of Citizenship and Public Affairs.