There is an outright conflict between cybersecurity and supply chain risk management (SCRM), and simply adding those together can lead to an increase in cyberattacks, a new report finds.
Researchers found that cybersecurity and supply chain risk management are in many instances at odds with each other. There are trade-offs, and understanding what those trade-offs look like will allow the Defense Department to better secure its defense industrial products supply, according to the authors of the new RAND Corp. report.
Against the backdrop of high-profile cyber attacks on the supply chains, the Air Force Research Laboratory asked the federally-funded think tank to help them understand how cyber risks compare to other risks in the defense-industrial supply chains and provide recommendations on how to have a comprehensive approach when addressing their needs together.
“In conventional SCRM…you would think, ‘Alright, I’m going to make my supply chain less risky by adding more potential suppliers, bringing more businesses and expanding my rolodex,’” Victoria Greenfield, a senior economist at RAND, told Federal News Network. “What does that do from a cyber perspective? You have potentially increased the points of attack, you’ve opened up new backdoors, because you’ve brought more members into the community who will have vulnerabilities and potentially, importantly, potentially shared vulnerabilities. And so you may, from a cyber perspective, be making things riskier.”
“There might be a lack of understanding of the extent of the risk of the cyber as compared to the more conventional risks. This is not to say that the SCRM community doesn’t think about these things. I want to be very clear about that. They absolutely do. But when we look at policy, we often see policy written things, either focusing on the SCRM or focusing on the cyber, but isn’t necessarily thinking about it as holistically as it might need to.”
Additionally, researchers kept finding evidence that the private sector may not invest in cybersecurity sufficiently to meet national security needs. Given the differences in incentive structure, how attackers and defenders relate to each other in a business environment and the extent to which cyber insurance can fill some of the national security needs, researchers say the private sector may not be able to meet the Defense Department’s needs for supply chain functionality.
The new report came out around the same time the Defense Department released its long-awaited proposed regulations for the Cybersecurity Maturity Model Certification (CMMC). The CMMC program is designed to help the Defense Department assess whether contractors and subcontractors in its industrial base meet cybersecurity requirements when sharing sensitive unclassified information on their networks.
“There were a lot of different issues that kind of pushed in this general direction. But the idea of underinvestment seemed to come up over and over again, from each of the different economic and non-economic approaches that we took to thinking about this, that it seemed potentially a problem,” Greenfield said.
“And the lack of coordination among businesses could also lead to some challenges if they had shared vulnerabilities. So that is kind of an interesting opening in relation to the CMMC, which we did not go into beyond footnotes in our report, because it was barely existing when we started. But that is something that, in some ways, could externally lead to a result that looks a little bit more like a coordinated result than just leaving industry alone,” she continued.
What are the consequences?
Since one of the most important findings of the research is the need for a comprehensive approach in how cyber and supply chain risk management engage with each other, researchers want the defense industrial base to be less focused on trying to stop things from happening, but rather think about the consequences of cyber attacks.
Once priorities are established, plans and strategies can be developed to address cyber and supply chain risk concerns in a more holistic way.
“I think that that’s a slightly different way to look at it. Oftentimes, we get bogged down in trying to stop things from happening, and not necessarily thinking about what the highest priority consequence is and how do we either stop it from happening if we can, or if we can’t mitigate the fallout,” Greenfield said.
“So, taking that more comprehensive approach, thinking about consequences and thinking about consequences, not just for information, but its consequences for supply chain functionality … Can you get it when you need it? Is this the thing you wanted in the first place? And is it still something you can afford to have? And so thinking about the functionality of your supply chain, whether or not you’re able to get what you need when you need it. Not just about the security of the information itself,” she added.