Earlier this week, in keeping with the Obama administration's renewed commitment to transparency, White House Cybersecurity Coordinator Howard Schmidt directed the release of a summary description of the largely classified Comprehensive National Cybersecurity Initiative.
(This initiative, officially known as the National Security Presidential Directive 54 and Homeland Security Presidential Directive 23, was originally established by the Bush administration back in January 2008.)
The five-page declassified document outlines twelve major proposals designed to help secure the United States in cyberspace, and it's significant that among this list of a dozen priorities there's recognition of the growing risks associated with today's complex global supply chains, particularly those in the commercial information and communications technology marketplace.
From the summary description:
Initiative #11. Develop a multi-pronged approach for global supply chain risk management. Globalization of the commercial information and communications technology marketplace provides increased opportunities for those intent on harming the United States by penetrating the supply chain to gain unauthorized access to data, alter data, or interrupt communications. Risks stemming from both the domestic and globalized supply chain must be managed in a strategic and comprehensive way over the entire lifecycle of products, systems and services. Managing this risk will require a greater awareness of the threats, vulnerabilities, and consequences associated with acquisition decisions; the development and employment of tools and resources to technically and operationally mitigate risk across the lifecycle of products (from design through retirement); the development of new acquisition policies and practices that reflect the complex global marketplace; and partnership with industry to develop and adopt supply chain and risk management standards and best practices. This initiative will enhance Federal Government skills, policies, and processes to provide departments and agencies with a robust toolset to better manage and mitigate supply chain risk at levels commensurate with the criticality of, and risks to, their systems and networks.
Cybersecurity czar Schmidt said he hopes declassifying this information will answer some privacy concerns and lead to stronger partnerships with the private sector in fighting the growing threat of cyber attacks. While most analysts feel the summary document falls short on details and therefore does not adequately address privacy concerns, I do think Schmidt is right about using this declassification as a means to build awareness and strengthen partnerships regarding the security of the systems and networks we all depend on these days.
After all, as Michael Jacobs, who served as information assurance director at the National Security Agency until his retirement in 2002, points out, many products entering the supply chain, even the ones used to protect computer networks and systems, now require increased scrutiny because their origins are masked or otherwise obfuscated by complicated life cycles and acquisitions.
Put another way, what Jacobs is saying is that it's time to ask yourself this critical question: Do you know who wrote the code you're using? Now, more than ever before, companies need to adopt supply chain risk management policies to ensure that they better understand the origins of the products they're relying on, the motivations of the products' originators, and the threats, vulnerabilities, and consequences intrinsic to today's global cyber-marketplace.