Improvements Needed in Global ICT Supply Chain Cybersecurity, Industry Experts Say
Public-private partnerships are important to improving cybersecurity within the global information and communications technology (ICT) supply chain, said Joe Jarzombek, director-software assurance in the Department of Homeland Security’s (DHS) Office of Cybersecurity & Communications. Such partnerships, including DHS’s Software Assurance program, are critical when “you realize that those running our critical infrastructure have the same needs we have,” he said Thursday at a Brookings Institution event. The federal government has a responsibility to help critical infrastructure operators and owners address ICT vulnerabilities, but there needs to be “public will” to make it happen, Jarzombek said. DHS is working with the National Institute of Standards and Technology to foster an industry-led effort to develop the Cybersecurity Framework, a voluntary set of cybersecurity standards and best practices to protect critical infrastructure, as laid out in President Barack Obama’s February cybersecurity order (CD Feb 14 p1).
The Cybersecurity Framework could result in better recognition that systematic, risk-based approaches are needed to address supply chain vulnerabilities, said Andy Purdy, Huawei Technologies USA chief security officer and former National Cyber Security Division director. The ICT sector needs to have a common set of standards and best practices that will “appropriately mitigate risk” within and across different sectors, particularly since there is currently a relative lack of consistency on such standards, he said. Those changes could be built into current federal regulatory and due diligence requirements, including the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act, Purdy said. The framework should also recommend that companies enlist third-party evaluations of cybersecurity compliance, which would “raise the bar for everyone” by making compliance measures visible to others in the supply chain, he said.
A comprehensive approach would best help address ICT supply chain risks, said Edna Conway, Cisco Systems chief security strategist-Global Value Chain. A comprehensive approach would examine which security technologies and physical security practices are necessary in each node of the supply chain, which she said would help make clear what the “floor” requirements for driving security are. Public-private partnerships will need to be a part of the conversation as well, since “we're all using the same supply chains,” she said. Public-private partnerships become especially important because of interconnection within the supply chain, said Pamela Passman, president of the Center for Responsible Enterprise and Trade. “If we can get traction in one area [of the supply chain], we can have a big impact,” she said.
Development of common standards and practices within the supply chain will not help without improvements to the “extremely fragmented” communication between security executives within corporations in the supply chain, said Sandor Boyson, co-director of the Supply Chain Management Center at the University of Maryland, College Park. The SEC’s October 2011 cyber risk disclosure requirements have resulted in companies disclosing 2,000 separate “material” cyber risks that could affect their business operations, Boyson said. An SEC analysis of those disclosure reports and a separate University of Maryland survey of IT vendors to the federal government found fragmented cooperation between a corporation’s chief information officer and its chief risk officer or chief supply chain officer, Boyson said. Fragmented cooperation has been an issue for decades, but got renewed attention following the IT “explosion” in the late 1990s and early 2000s, he said. The Supply Chain Management Center is focusing on developing a more common-sense style for managing cyber risks within the supply chain, he said. The center’s consultations have included input from industry groups and insurance companies.
At least 50 insurance providers offer cybersecurity coverage, but their level of coverage is decreasing as a result of concerns about risk within the supply chain, Boyson said. Marketplace factors like decreasing insurance coverage could also force companies to improve their cybersecurity practices, he said. If cybersecurity insurance becomes a “booming business,” it will show companies are becoming more willing to quantify their cybersecurity risks, something they aren’t doing today, Passman said. While insurance should be a part of the cybersecurity portfolio, a robust risk maturity model is also necessary, Conway said.