In an effort to better manage threats targeting the U.S. telecommunications, energy and financial industries, the U.S. National Counterintelligence and Security Center is about to begin providing classified supply chain threat reports to these critical organizations.
Threats to the acquisition supply chain have been discussed for years, and they have their own discipline, known as supply chain risk management. Wikipedia’s definition of supply chain risk management is “the implementation of strategies to manage both everyday and exceptional risks along the supply chain based on continuous risk assessment with the objective of reducing vulnerability and ensuring continuity.”
According to a press release, the NCSC will help federal agencies and industry through several measures, including:
Providing threat briefings to government partners and eventually to industry;
Developing a SCRM blueprint for executive branch agencies, which can also apply to any organization that acquires goods and services; and
Developing a publicly available online SCRM training course that will introduce government partners and interested industry to SCRM and the elementary efforts they can use to protect their acquisition processes against supply chain subversion.
“Our adversaries are trying to figure out what U.S. industry — whether telecom or defense — will be doing three years from now,” said Bill Evanina, director of NCSC, in the release. “That is why NCSC and the ODNI are trying to find creative ways to help U.S. industry protect its supply chain and thereby help protect America.”
The Office of the Director of National Intelligence also released a brief video that explains how supply chains come under attack and why it’s important.
Supply chain security can be scary business. When procuring manufactured networking equipment, for instance, it’s relatively straightforward for nation states to intercept shipments and plant malware or snooping devices in hardware that becomes a trusted part of an environment once it is installed. According to the NCSC, the threats also extend to hackers and criminals.
In this Bloomberg story, “U.S. Intelligence to Help Companies Avert Supply-Chain Hacking,” Evanina explains how enterprises can better manage supply chain risks by taking a number of straightforward precautions. These include doing simple online research into businesses they plan to buy from, working with the FBI and Homeland Security Department, or adding security requirements to contracts.
“Know where your stuff is coming from,” Evanina told Bloomberg. “You might have the best software and cybersecurity programs, but if you don’t have the same due diligence and understanding of the threat for the people who buy the systems that run your buildings and facilities, you’re running the risk of potential compromise.”