An Intern’s View on Cybersecurity and Supply Chain Management
My supply chain management professor, who allowed only handwritten note-taking and allegedly helped invent a favorite 1990s childhood snack known as Dunkaroos, moved his chair out from behind the desk and sat comfortably so he could see the eager students waiting for him to speak.
It was the first day of my introductory supply chain management course, and he opened it with a discussion about war. Anticipating the influx of soldiers for Operation Desert Storm (the Gulf War), the U.S. Army sent logisticians and engineers to the Persian Gulf region ahead of the troops to prepare for their movement and to build makeshift bases to support them as they advanced. The same team tracked the supply, movement, and maintenance of the ammunition, fuel, medicine, and everything else the soldiers would need as the war progressed. This discipline, known as supply chain management (following a product from raw materials through to end use), had been practiced by militaries for decades before it became a named business strategy in the 1980s and 1990s.
I learned a lot in that class. Above all, I learned that the concept of managing each transfer in a supply chain can be applied to the outputs of any company or organization. That basic understanding of product movement in planning, procurement, manufacturing, and delivery helped me transition into my internship at the National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE). I was initially intimidated by the name and intellectual weight of the organization. These innovators, now my co-workers, were spearheading cybersecurity solutions for wireless infusion pumps, secure inter-domain routing, and identity and access management. They also shed light on supply chain management, explaining to me that there is a possibility of risk at each transfer point and at each step in the process, not just with physical materials, but also with critical intangibles such as data, software, and intellectual property. Here I found an overlap that wasn’t deeply addressed in my supply chain course. I wanted to combine my undergraduate background and experience with the wealth of knowledge around me and contribute back to the organization.
Supply chains are designed for efficiency and cost savings. Organizations often rely on global supply chains and outsourcing for optimal performance, which multiplies the number of transfer points and, with them, the opportunities for a security failure.
Take a laptop, for example. Thomas L. Friedman, in his book “The World is Flat,” traces the global supply chain of his laptop, from the microprocessor to the cooling fan to the removable memory stick. After tracing it, Friedman concludes that “[t]he total supply chain for [his] computer, including suppliers of suppliers, involved about four hundred companies” from around the world. Four hundred companies for one computer. Since every component is itself built from sub-components sourced from sub-tier suppliers in a myriad of locations, the looming question for a company with such a product is: how do you mitigate risk across all of them?
As companies come to grips with that life cycle complexity, they realize that mitigating risk starts with knowing what is already in their supply chain. I learned that insecure practices at any transfer point, whether with digital or physical assets, create opportunities for tampering, theft of vendor credentials, or insertion of malicious software or hardware that can later be used to infiltrate an enterprise network. Because of this, companies and organizations can suffer related hardships like unrealized sales, a decrease in stock price, loss of intellectual property, and damaged brand reputation. The task lies in understanding the scope and depth of the supply chain (which suppliers, sub-tier suppliers, and handoffs exist) and then identifying methods to mitigate the potential risk at each of them.
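One concrete way to treat each transfer point as a checkpoint rather than a blind spot is a chain of custody: every custodian of a digital artifact (here, a firmware image moving from a vendor, through a distributor, to the integrator who installs it) records the hash of what it received and forwarded, binds that record to the previous custodian's record, and authenticates it. The receiver can then verify the whole path and catch tampering in transit, a skipped custodian, or a record forged by someone without that custodian's key. The code below is an added example written for this page, not code from the original post or from NIST; the tier names, keys, and firmware bytes are constructed for illustration, and it uses HMAC with per-tier secrets purely so it runs with the Python standard library (a production design would use per-tier private keys and digital signatures so verifiers need only public keys).

```python
import hashlib
import hmac
import json

# Constructed sample: a firmware image that moves from the vendor's build system,
# through a distributor, to the integrator who installs it. Names are hypothetical.
FIRMWARE = b"PUMP-FW v2.1\x00" + bytes(range(64))
ROUTE = ["vendor", "distributor", "integrator"]

# Hypothetical per-tier secrets. A real deployment would give each tier a private
# signing key and publish the public keys; HMAC keeps this example standard-library only.
TIER_KEYS = {
    "vendor": b"vendor-key-0001",
    "distributor": b"distributor-key-0001",
    "integrator": b"integrator-key-0001",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _record_body(record: dict) -> bytes:
    # Canonical encoding of the fields the tag covers; the tag itself is excluded.
    fields = {k: record[k] for k in ("tier", "artifact_sha256", "prev")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def attest(tier: str, key: bytes, artifact: bytes, prev_tag: str) -> dict:
    """One custodian records the hash of the artifact it handled and binds the record
    to the previous custodian's tag, so records cannot be dropped or reordered."""
    record = {"tier": tier, "artifact_sha256": sha256_hex(artifact), "prev": prev_tag}
    record["tag"] = hmac.new(key, _record_body(record), "sha256").hexdigest()
    return record


def build_chain(artifact: bytes, route: list, keys: dict) -> list:
    chain, prev = [], ""
    for tier in route:
        rec = attest(tier, keys[tier], artifact, prev)
        chain.append(rec)
        prev = rec["tag"]
    return chain


def verify_chain(artifact: bytes, chain: list, keys: dict, expected_route: list):
    """Return (ok, reason). Every transfer point is checked: custodian identity,
    tag authenticity, linkage to the previous record, and the artifact hash."""
    actual_route = [r["tier"] for r in chain]
    if actual_route != expected_route:
        return False, "route mismatch: expected %s, got %s" % (expected_route, actual_route)
    received = sha256_hex(artifact)
    prev = ""
    for rec in chain:
        tier = rec["tier"]
        expected_tag = hmac.new(keys[tier], _record_body(rec), "sha256").hexdigest()
        if not hmac.compare_digest(expected_tag, rec["tag"]):
            return False, "forged or altered record at " + tier
        if rec["prev"] != prev:
            return False, "chain broken before " + tier
        if rec["artifact_sha256"] != received:
            return False, "artifact hash mismatch at " + tier
        prev = rec["tag"]
    return True, "ok"


# Scenarios; each returns the (ok, reason) pair from verify_chain.
def scenario_clean():
    return verify_chain(FIRMWARE, build_chain(FIRMWARE, ROUTE, TIER_KEYS), TIER_KEYS, ROUTE)


def scenario_tampered_in_transit():
    # Image bytes altered after the distributor handed it on; the attestations are untouched.
    chain = build_chain(FIRMWARE, ROUTE, TIER_KEYS)
    tampered = FIRMWARE[:-1] + b"\xff"
    return verify_chain(tampered, chain, TIER_KEYS, ROUTE)


def scenario_skipped_custodian():
    # Image arrived by an unexpected path: there is no distributor record at all.
    chain = build_chain(FIRMWARE, ["vendor", "integrator"], TIER_KEYS)
    return verify_chain(FIRMWARE, chain, TIER_KEYS, ROUTE)


def scenario_forged_vendor_record():
    # An attacker substitutes an image and "attests" as the vendor without the vendor's key.
    fake = b"PUMP-FW v2.1 (backdoored)"
    chain = build_chain(fake, ROUTE, {**TIER_KEYS, "vendor": b"attacker-key"})
    return verify_chain(fake, chain, TIER_KEYS, ROUTE)


if __name__ == "__main__":
    for scenario in (scenario_clean, scenario_tampered_in_transit,
                     scenario_skipped_custodian, scenario_forged_vendor_record):
        print(scenario.__name__, scenario())
```

The point of binding each record to the previous tag is that a verifier sees not only whether the bytes match the vendor's hash but also who handled them and in what order, which is the visibility the paragraph above says most organizations lack. Note that this only covers integrity of the artifact as it moves; it says nothing about whether the vendor's own build was trustworthy, which has to be addressed at that earlier step.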
Before this internship, my first business instinct was to identify where improvements could be made to simultaneously maximize profit and operational efficiency. The strategies I was familiar with unknowingly limited my visibility, narrowing my thinking solely to supply chain advancement. What my experience at the NCCoE has taught me is to think more broadly and more technically about the risks around supply chain management. Cybersecurity, like transportation, operations, and compliance, needs to be a critical part of managing the supply chain. By opening myself up to new ideas in an already familiar topic, I’ve come to see cyber awareness as the core of security and the assurance of quality in supply chain management.
NIST Special Publication 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, explores supply chain risk management (SCRM) for information and communications technology (ICT). It describes ICT SCRM as lying at the intersection of four concerns: security, integrity, resilience, and quality. The publication aims to help organizations identify, assess, and mitigate the risks that come with the global and distributed nature of ICT product and service supply chains, and it provides guidance and security controls that federal agencies can apply to their acquisitions and suppliers. Built around the frame, assess, respond, and monitor cycle of NIST’s risk management process (SP 800-39), it serves as a baseline for SCRM and presents purposeful ideas for organizations to consider.
Eliminating risk is impossible, but with increased awareness of potential vulnerabilities and malicious acts, organizations can work to mitigate, monitor, and prepare for those contingencies. These frameworks and methodologies are still being developed and refined across industries and within the federal government, and they will hopefully lead to a deeper understanding of cybersecurity risk throughout the supply chain. As we collaborate and innovate, the challenge, and therefore the opportunity, is in weaving cybersecurity best practices into the design of the supply chain itself.
After this summer, I am excited to see what happens next.