On April 26, the Intelligence and National Security Alliance hosted “Managing Software Supply Chain Risk” in recognition of Supply Chain Integrity Month. The event was keynoted by Ms. Jeanette McMillian, Assistant Director for Supply Chain and Cyber at the National Counterintelligence and Security Center, and featured a panel of experts from CISA, Oracle Public Sector, DoD, and Google.
Ms. McMillian set the scene by describing the threat landscape impacting digital supply chains. Pointing to recent examples like the JBS meatpacking incident and Colonial Pipeline attack, Ms. McMillian noted that an intrusion at one critical node can have cascading effects across nearly every sector of the economy. These types of attacks, she said, are likely to proliferate even further as the U.S.’ near-peer adversaries, like Russia and China, turn to cyberspace to employ acts of provocation and coercion.
She also pointed to steps the intelligence community is taking to manage digital supply chain risks, including heightened information sharing before, during, and after a cyberattack. ODNI, for example, provides risk assessment frameworks to help companies understand the composition of their software supply chain, including their software vendors and the data they provide to third parties. Ms. McMillian said that such supply chain risk management programs and information sharing initiatives need C-suite buy-in, even if they don’t raise revenue. She noted, however, that organizations can mitigate risk and raise revenue in tandem.
Following Ms. McMillian's keynote, Exiger's Carrie Wibben took to the stage to introduce the morning's panelists: Dr. Allan Friedman, Senior Advisor & Strategist, CISA; Janice Haith, Strategic Client Executive, Oracle Public Sector; Mark Hakun, Principal Director of Cybersecurity, OCIO, DOD; Stephanie Kiel, Senior Manager, Government Affairs and Public Policy, Cloud Security, Google; and John Dillard, CEO, ThreatSwitch, who moderated.
In discussing software supply chain security, Dr. Friedman emphasized the importance of Software Bills of Materials (SBOMs). He explained that modern software is assembled from many different components, much of it open source, and each of those components is an opportunity for a bad actor to compromise government systems. An SBOM gives government and industry the minimum level of transparency needed to know which components are present and to check whether any of them carry known vulnerabilities.
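To make the SBOM point concrete, the following added example (not code from the event, CISA, or any panelist) parses a small, constructed CycloneDX-style SBOM and matches each component, identified by its package URL (purl), against a constructed advisory list. The package names, versions, and advisory identifiers are all invented placeholders; the point is the workflow Dr. Friedman describes: an inventory of components first, then a vulnerability check against that inventory. The example also reports components that carry no purl, since an SBOM entry that cannot be identified cannot be checked and is itself a finding.

```python
import json

# Constructed, minimal CycloneDX-style SBOM. Package names, versions and purl
# values are made up for this example; nothing here describes a real product.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "widgetlib", "version": "1.2.3",
     "purl": "pkg:pypi/widgetlib@1.2.3"},
    {"type": "library", "name": "padtool", "version": "0.9.1",
     "purl": "pkg:npm/padtool@0.9.1"},
    {"type": "library", "name": "parser", "version": "2.0.0",
     "purl": "pkg:maven/com.example/parser@2.0.0"},
    {"type": "library", "name": "legacy-blob", "version": "unknown"}
  ]
}
"""

# Constructed advisory list. Each entry names an ecosystem and package and gives
# the first affected and first fixed versions (half-open range). The ids are
# placeholders, not real CVE or GHSA identifiers.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "ecosystem": "pypi", "name": "widgetlib",
     "introduced": "1.0.0", "fixed": "1.3.0"},
    {"id": "ADV-PLACEHOLDER-002", "ecosystem": "npm", "name": "padtool",
     "introduced": "0.5.0", "fixed": "0.9.0"},
]


def parse_purl(purl):
    """Split 'pkg:type/namespace/name@version' into (type, namespace/name, version).
    Qualifiers (?...) and subpaths (#...) are dropped; this is enough for the
    constructed data and is not a complete purl parser."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a purl: %r" % purl)
    body = purl[len("pkg:"):].split("?", 1)[0].split("#", 1)[0]
    ptype, _, rest = body.partition("/")
    if "@" in rest:
        name, _, version = rest.rpartition("@")
    else:
        name, version = rest, ""
    return ptype, name, version


def version_key(version):
    """Compare dotted numeric versions as integer tuples so 1.10.0 > 1.9.0.
    Non-numeric parts count as 0, which is adequate for the constructed data."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    v = version_key(version)
    return version_key(introduced) <= v < version_key(fixed)


def check_sbom(sbom_json, advisories):
    """Match every identifiable SBOM component against the advisory list.
    Returns the findings (component plus advisory) and the names of components
    that have no purl and therefore could not be matched at all."""
    sbom = json.loads(sbom_json)
    findings, unidentified = [], []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            unidentified.append(comp.get("name", "<unnamed>"))
            continue
        ecosystem, name, version = parse_purl(purl)
        for adv in advisories:
            if (adv["ecosystem"] == ecosystem and adv["name"] == name
                    and is_affected(version, adv["introduced"], adv["fixed"])):
                findings.append({"component": name, "version": version,
                                 "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return {"findings": findings, "unidentified": unidentified}


if __name__ == "__main__":
    report = check_sbom(SBOM_JSON, ADVISORIES)
    for f in report["findings"]:
        print("AFFECTED %(component)s %(version)s -> %(advisory)s "
              "(fixed in %(fixed_in)s)" % f)
    for name in report["unidentified"]:
        print("UNIDENTIFIED %s: no purl, cannot be matched" % name)
```

Run as-is, the script flags widgetlib 1.2.3 (inside the constructed affected range), leaves padtool 0.9.1 alone (already past the constructed fix), and reports legacy-blob as unidentifiable. In practice the advisory list would come from a vulnerability database keyed on purl, and the version comparison would follow each ecosystem's own rules rather than the simplified dotted-integer comparison used here.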
Mr. Hakun spoke about DOD’s efforts to put guardrails around its implementation of the President’s Executive Order (EO 14028). Those guardrails sometimes make for a long process, but they also help ensure that DOD understands the underlying infrastructure on which it is building its cybersecurity strategy. The EO also introduces a great deal of terminology, so standardizing those definitions across government is essential. Shared terminology helps organizations decide what to focus on and tell acquisition officials what to contract for, which in turn lets DOD know what it is buying and using.
From an industry perspective, Ms. Haith remarked on the importance of information sharing and the challenge of system integration. On information sharing, she stressed that the public-private partnership is essential because many cyber incidents happen without ever making the news; it is vital that we learn about these minor incidents as well and prevent them from recurring. On system integration, her primary concern was the software embedded in the materials that go into tactical equipment: ships, tanks, planes, and the like. She also spoke about the importance of standardization, but questioned how quickly DOD can get its many component organizations to implement the EO’s policies and procedures in the same way.
Ms. Kiel spoke primarily about the importance of the public-private partnership in software supply chain security and Google’s role in it. She said that Google is embracing the EO and sees it as a positive step for the country, and that she has been impressed with the level of industry inclusion in the EO’s implementation. She went on to say that large companies like Google can partner with smaller companies that may lack the resources for full implementation. Finally, she stressed industry’s ability to solve problems and innovate faster than government, emphasizing that this is part of what makes the public-private partnership so important.