The risks of supply chain threat sharing
While many national security initiatives can lean on non-public or classified intelligence to guide their efforts, for the most part that hasn’t been the case when it comes to threats to the technology supply chain. In fact, suppliers can often have difficulty mapping out their own chains once it gets down to the third or fourth tier of subcontractors.
There have been efforts to correct that problem, with Congress passing a provision in the 2020 National Defense Authorization Act to establish a supply chain and counterintelligence task force at the Office of the Director of National Intelligence to improve intelligence for U.S. government acquisition. The Department of Homeland Security has also stood up an Information and Communications Technology Supply Chain Risk Management Task Force, including a working group dedicated to bidirectional information sharing issues.
Despite these efforts, information about specific, credible threats to the supply chain can be hard to come by.
“Having spent the last 10 years in the intelligence community, I think a critical finding for me was that, despite public musings to the contrary, there is not some giant pile of supply chain intelligence sitting behind some sort of classification wall that is available to share,” said Cheri Caddy, a senior cybersecurity advisor to the Department of Energy, a former National Security Agency official and one of the chairs of the information sharing working group during an Aug. 19 event hosted by the Intelligence and National Security Alliance.
In fact, some of the most relevant information has tended to come from either open source data or through shoe-leather reporting – reaching out to companies for interviews, going behind paywalls for contract or supplier data and getting to the “ground truth of dealing with specific vendors and understanding when things are going wrong.”
Kathryn Condello, senior director for national security emergency preparedness at CenturyLink and co-chair of the same working group, said often the most valuable information companies are looking for is also the hardest to safely share: what she calls “the naming of names problem.”
Getting a heads-up that a specific supplier or individual is untrustworthy or suspicious can help vendors — particularly those who do business with the government — keep their secondary and tertiary supply chains clean. That kind of insight can also be legally perilous for companies to share unless they have substantial evidence to back up the claim.
“How do you share the fact that you just canceled this contract with this vendor who was wonky because it just didn’t look right?” asked Condello. “Well, it turns out there’s a lot of law associated with not sharing that kind of information.”
Liability concerns
Dismas Locaria, a lawyer at Venable with a background in supply chain and information sharing issues, told FCW that companies often have suspicions about certain suppliers but generally lack smoking-gun evidence of intentional wrongdoing. That uncertainty can leave them in danger of being sued for defamation or interference with a contract if they pass along information that turns out to be inaccurate. They could even find that same government scrutiny turned back around onto their own operations.
“There are all sorts of things where, if you’re wrong, you’re potentially liable,” said Locaria.
When it comes to sharing information on supply chain threats, he advises clients to stick to documentation wherever possible and avoid “the slippery slope” of adding any analysis or opinion on top.
“Are we talking names [and] is our name on the record? Are we giving names? How specific are we getting?” said Locaria, running through a list of questions the company has to consider. “If we’re talking names, then my view is let’s just provide documents … turn it over to the government and let them make their own inferences about it. Let the document speak for itself and let the government connect the dots.”
An interim report issued by the DHS task force last year laid out a number of data points that could be useful in snuffing out supply chain threats, such as information around counterfeit parts, malicious code inserted into software and tips about insider threats or physical attacks on participants or products in the chain. It also found that intelligence around this area was “unique” and that “actionable information often requires a level of specificity which may create sensitivities about how it is shared” that create “a range of legal considerations that ICT stakeholders must navigate.”
“Critically, [we] concluded that effective information sharing may necessitate the exchange of sensitive vendor or supplier data, including the names of specific entities,” the report states.
The working group has subsequently reached out to law firms, including Wilkinson, Barker and Knauer, to develop a cheat sheet designed to guide vendors or employees who don’t have legal backgrounds around what they can relay to the government or industry without running afoul of liability laws. A CISA spokesperson said an updated report detailing the task force’s year two findings is currently scheduled for completion this fall.
Edna Conway, vice president and general manager of global security and risk and compliance for Azure at Microsoft, sits on the executive committee of the task force and co-leads the working group addressing information sharing. She told FCW that developing good policy around legally sharing supply chain risk information “continues to be a fundamental issue.”