In our increasingly digital world, technological innovation not only presents new opportunities, but also raises new risks and challenges that must be addressed by industry, buyers, users, and policymakers. The need for collaboration and cooperation is critical to protecting our global, digital economy. Fortunately, with a distinct focus on partnership, several important initiatives are being driven by the public and private sectors in an effort to meet the challenge of protecting the cyber supply chain.
This week, the United States Department of Homeland Security (DHS) launched its Information and Communications Technology (ICT) Supply Chain Risk Management Task Force (the “Task Force”). Task Force membership includes representatives from a roster of companies across the IT and Communications sectors, as well as key government stakeholders. I have the honor of serving as a member of the executive committee of the Task Force.
The object of the Task Force is to develop consensus recommendations to identify and manage risk to the global ICT supply chain. This public-private partnership brings civilian and defense agencies together to develop meaningful recommendations to effectively address risk across the cyber supply chain.
The Under Secretary for the DHS National Protection and Programs Directorate (NPPD), Christopher Krebs, recently clarified the mission of the Task Force. In an October 30, 2018 DHS press release he stated, “The nature of supply chain threats, because they can encompass a product’s entire life cycle…make them particularly challenging to defend against. Government and industry have a shared interest and thus a shared responsibility in identifying and mitigating these threats in partnership. The Task Force will seek holistic solutions across a broad set of stakeholders to develop near- and long-term strategies to address supply chain risks.”
I, for one, am eager to address this challenge with a comprehensive approach, one that embraces resiliency, continuity of supply, and availability, in addition to security and integrity.
It is my hope that the Task Force will tackle the full spectrum of the cyber supply chain—the people, the equipment, the processes—that forms the basis of the operations of the digital society in which we live and work today.
Approaching supply chain risk comprehensively is key to ensuring successful risk management. Fundamental steps to that approach include:
- Identify areas of potential impact, for example:
  - Risks to continuity of supply of third-party-provided software, services, components, and raw materials
  - Natural disasters
  - Geopolitical and economic disruption
  - Workforce instability
  - Financial volatility
  - Weak infrastructure security
  - Insufficient end-user risk awareness
- Prioritize by both likelihood of occurrence and severity of impact
- Establish criteria for addressing impacts
- Deploy a methodology for routine monitoring and adjustment to mitigate risk impacts
The eyes of the world have opened to the critical importance of our supply chains. Our digital world could cease to function as we know it today without a safe, secure and adaptable cyber supply chain.
This is just the beginning of this timely discussion. In future blogs I will discuss how industry can come together, and is already coming together, to meaningfully establish and maintain trust in our digital global economy.