The views expressed by contributors are their own and not the view of The Hill

Washington to finally focus on threat to supply-chain risk management

Policymakers in Washington have recently begun to consider measures that take aim at supply-chain risk management (SCRM). The disconcerting reality, however, is that they are already behind the curve, as the status quo for SCRM is not keeping pace with today’s dynamic threat landscape.

Washington needs to show urgency in addressing cybersecurity concerns because they have largely been neglected for so long. Reluctance to commit adequate resources to security has created the vulnerable environment we now inhabit, and continuous and proactive approaches to security, versus periodic and reactive, can no longer be overlooked.

Rhetoric must also finally translate into discernible change. The Department of Homeland Security (DHS), Department of Defense (DoD), the Intelligence Community (IC), and other agencies have coordinated a program to collectively address SCRM, but the program has only two full-time employees. Acknowledging a clear issue that should have been addressed long ago is vital, but tangible action such as reasonable funding and adequate staffing matters even more. The Trump administration's calls to give every civilian agency the same authorities as the Department of Defense, and to establish a Federal IT Security Council and a Critical IT Supply Chain Risk Evaluation Board, are a welcome and much-needed approach to increasing resources for cybersecurity.

With China, Iran, and Russia developing increasingly sophisticated capabilities aimed at hacking our critical infrastructure, policymakers must act with urgency to counter such threats. Continuing down a decentralized path would be reckless. Centralizing risk assessment, as advised by DHS and DoD, is one way government agencies can finally move from outdated, splintered modes of protection to a state-of-the-art, coordinated approach to SCRM.

Specific actions, in addition to centralizing risk assessment, should be taken. Risk assessments should be conducted early and often to proactively detect and mitigate threats. Annual risk assessments, commonplace for many organizations, are insufficient to protect critical infrastructure: they do not provide continuous visibility into security posture, and the months between assessments leave gaping windows of opportunity for attackers.

Rep. Bennie Thompson (D-Miss.), the ranking member of the House Homeland Security Committee, has called for a national strategy to bring national security and civilian agencies alike up to necessary standards. Thompson is quite scathing in his assessment that, "the Trump Administration lacks a coherent, government-wide strategy to adequately address the challenges we continue to face from Russia and China." The administration's proposal currently lacks nuance, and those in the cybersecurity community have grown accustomed to frustration with government responses that can be slow or misguided, but there is little use in doubling down on cynicism when good-faith efforts and statements are still in their preliminary stages.

Instead, it is imperative to acknowledge that the Federal Information Technology Supply Chain Risk Management Improvement Act of 2018, albeit modest, is a step in the right direction in addressing supply-chain risk management. There are signs that lawmakers and agency officials are beginning to realize that annual risk assessments are inadequate—especially when continuous and proactive approaches to security are now available and align far better with the threat environment.

What else should public and private sector leaders consider when crafting cybersecurity strategies? Organizations of all types support our critical infrastructure and are embracing digital and cloud transformation to advance business goals. Speed of innovation has become paramount, especially in developing the applications that drive the business. Security has been an afterthought because it is viewed as a drag on speed. But instead of focusing on speed alone, it is agility (speed + purpose) and velocity (speed + quality control) that combine to produce optimal, secure outcomes. When application development speed is the only consideration in choosing development methodologies, purpose and quality control are neglected.

A development framework that enables agility and velocity while embedding security continuously and holistically helps organizations understand and manage security risk. And when working out the specifics of a cybersecurity strategy, decision-makers should start from one key premise: we cannot tacitly endorse the cybersecurity status quo any longer. Today's threat landscape is dynamic and the stakes are high: a continuous and proactive approach to security that promotes agility and velocity is the only way forward.

Ernesto DiGiambattista is CEO and Founder of CYBRIC and Board Member of the Massachusetts Technology Collaborative.