A: The short answer to this question is yes but not exclusively.
Our technology supply chains have become more global, and the threat to our critical infrastructure has increased significantly over the past ten years. Given this, it is important to be aware of the threat and to take action to secure these systems. The Federal Government must take this threat seriously and develop enterprise risk programs to identify and mitigate it. Adam Mazmanian addresses how one Federal Agency responded to this issue in his April 8, 2014 article entitled Justice Cancels 7 IT procurements over China Links. While agreeing with this perspective – that China may be a significant threat or pose tremendous risk to IT Procurements aligned with national security and critical infrastructure – China is not the only global threat. Risks reside throughout the cyber supply chain, and a program that targets only China will fall short of reducing the overall risk to IT procurements.
So how can we reduce this risk?
It’s a top-down approach. Organizations can reduce risk throughout their IT Procurements by considering the following:
- Incorporate Supply Chain Risk as an element of the Department's overall enterprise risk strategy
- Develop a methodology to determine critical systems and critical components to these systems
- Conduct multi-factor risk assessments to determine threat capability, intent, and overall impact
- Require IT vendors to demonstrate security throughout the global ICT supply chain
- Validate vendor programs through product testing, on-site inspections, and compliance reviews
- Protect critical systems and components that have the most impact on National Security through appropriate controls, countermeasures or mitigations
- Monitor systems and networks to reduce the effect of intentional or unintentional vulnerabilities
- Have a defined incident response program to reduce damage to National Security or business continuity
Most of these considerations exist today as components of, or stand-alone elements within, current programs. By viewing this problem from a business continuity and leadership perspective, organizations can reduce risk to their IT Procurements, improve the security of their critical systems, and reduce the impact of an event should one occur.