While historically organizations have focused on physical security, resiliency, and logistics to manage their supply chain risks, the globalization of the economy and the emergence of cybersecurity risk now require a more comprehensive approach. Cyber attacks disrupt, destroy, and compromise the integrity of components across manufacturing and distribution supply chains, creating risks that span agencies, departments, and organizations.
Cyber risk is especially acute in critical infrastructure sectors that utilize globally interconnected business environments to produce information technology (IT) components and systems. IT hardware, software, and service providers are increasingly outsourcing manufacturing and production to regions of the world that actively target U.S. technologies, exposing not only their supply chains, but the supply chains of their customers.
Interos recently published a white paper presenting some of the key findings identified from risk assessments of over 60 vendors for a Federal Civilian Agency. Interos found that 92% of all assessed vendors were connected to at least one country outside the contiguous US, reflecting the pervasive nature of our Nation’s globally interconnected business environment and highlighting the need for increased oversight, control, and transparency.
This data suggests that a significant portion of the assessed U.S. Federal Government vendors manufacture goods extensively abroad, specifically in sensitive countries in Asia. This trend is especially alarming considering that East Asia and the Pacific were responsible for over half of all reported 2013 cyber collection attempts, as reported by the Defense Security Service (DSS).
Additionally, the assessments linked roughly a quarter of all assessed vendors to insider threat indicators, cyber vulnerabilities, and politically exposed persons (PEPs). These trends characterize a relatively risky IT environment, where vendors are more focused on improving efficiency and reducing operating costs than they are on managing security and safeguarding National Security Systems (NSS).
Examples of risky vendors Interos identified and helped the U.S. Federal Government avoid include:
- An IT Services vendor supplying a Federal Civilian Agency that had employed a Chinese national who was indicted on five felony charges for allegedly stealing information about the Department of Defense’s jet fighter program.
- An Information Communications Technology (ICT) vendor supplying the DoD that utilizes non-authorized manufacturers and resellers with a robust history of selling counterfeit cellular equipment.
- A Physical Security Management vendor supplying a Federal Civilian Agency that was identified as having a Tier-1 supply chain comprised entirely (100%) of companies in Hong Kong, Taiwan, and China.
By not purchasing products from these vendors, the U.S. Federal Government avoided millions of dollars in cybersecurity mitigations and countermeasures that would have been required to offset the discovered cyber vulnerabilities. Additionally, and more importantly, the U.S. Federal Government avoided the potential compromise of its NSS, its critical infrastructure, and its employees’ personally identifiable information (PII).