In a recently published document addressing supply chain risk, the Office of the Director of National Intelligence warns against “foreign attempts to compromise the integrity, trustworthiness, and authenticity of products and services purchased and integrated into the operations of the U.S. Government, the Defense Industrial Base, and the private sector.”
Attacks on the supply chain represent “a complex and growing threat to strategically important U.S. economic sectors and critical infrastructure,” the agency notes. Foreign adversaries are attacking key supply chains at multiple points: From concept to design, manufacture, integration, deployment and maintenance.
GovCon leaders say the government does well to take the risks seriously, and they point to ways in which the contracting community can work hand-in-glove with federal officials to mitigate the threat.
“ODNI is definitely right to be concerned,” said Justin Shirk, vice president of asymmetric analytics at Novetta. “An area of real emerging risk on which we focus is in the provenance of software, both open-source or commercial. This is unfortunately inherently difficult and time-consuming to investigate.”
He pointed to Novetta’s Dataviser tool as a means to help address the problem.
At Raytheon, Vice President of Cybersecurity, Training and Services John DeSimone likewise sees an intersection between supply chain and cyberthreats.
“So much of what is supplied to the government these days is software, or software-enabled hardware, so cyber hardening of the software supplied is key,” he said.
Introducing more technology into the supply chain “also introduces new entry points and potential vulnerabilities that can be exploited,” said Modzy’s Head of Operations Josh Elliot.
“Failing to take a proactive posture with your IT systems . . . opens supply chains to cyberthreats, unique challenges related to export control and validation and verification for third party algorithms and software,” he said.
The GovCon role
Contractors can help, in part by adjusting their business practices.
“From the business side, their [Supply Chain Risk Management] plans should implement a rigorous process to vet the beneficial ownership of companies with whom they do business, beyond simply checking their website,” Shirk said. “Using third party data providers like Modzy’s BVD and D&B can enable that process.”
DeSimone points to a number of additional avenues open to industry.
One is to employ the latest National Institute of Standards and Technology standards across technologies the private sector supplies as the industrial base. Another is moving to cutting-edge technologies that take a zero trust approach, which takes cyber defense a step further by granting permissions by transaction with real-time threat information rather than granting default access to large groups.
“Finally, it’s so simple, but knowing who our suppliers are and who they are using is so important,” DeSimone said. “Leverage tools such as Exostar’s Supplier Risk Management built specifically for the federal supplier base.”
With federal uses of artificial intelligence rapidly on the rise, Elliot says this is an area where GovCons need to pay special attention.
“You need to understand and trust the capabilities, tools and algorithms you’re bringing into your mission or business,” he said. “That includes everything from the initial identification and scouting of technologies or companies offering solutions to the continued monitoring and compliance checks once implemented.”
As part of its strategy to respond to this threat, ODNI is looking for support from the GovCon community. The strategy document calls for closer ties between government and the private sector in order to “share supply chain threat information and mitigation measures with our partners, especially in U.S. critical infrastructure sectors.”
Shirk heartily endorses this approach.
“This problem is most effectively addressed as a partnership,” he said. “Wherever feasible from a security perspective, the government should try to broadly share supply chain threat data with their vendors so those vendors can merge their contract mandated, traditional analysis and attestations with intelligence.”
Any opportunity for industry to have a voice in ODNI’s efforts to fight supply chain threats will lead to improvements, DeSimone said.
“I welcome any chance to participate in events where we can partner with the government for thought leadership in mitigating these risks,” he said. “Co-development of solutions and approaching cyber as team . . . makes a big difference: Showing and sharing ownership instead of assuming someone else is worrying about cyberthreats to the supply chain matters.”
Partnerships can be especially critical in emerging areas such as AI, Elliot added. Many organizations are still learning about this technology, and establishing trust at the onset is key for this emerging technology to really take off, he said.
“Moreover, as procurement organizations evolve their contract requirements, there will be an expectation that software vendors are held accountable for the statements they make about the performance quality, reliability and security of their software products,” Elliot added.
ODNI is looking for a more collaborative approach to emerging threats. These and other GovCon leaders are rowing in the same direction. By working in close coordination, they say, government and the contracting community will be best positioned to address the critical risks to the nation’s supply chain.