COLUMN: Resilient Supply Chains Reduce Homeland Security Risk

Supply chain incidents have surged to the forefront of homeland security risks. Over the past several years, supply chain breaches, as a means for cyber attacks, have significantly increased and are now considered one of the primary methods adversaries use to access networks and cause harm. The SolarWinds breach, exposing sensitive network data to Russian-affiliated government actors, is a notable example that prompted substantial activity in the homeland security space to mitigate associated risks and strengthen defenses based on lessons learned. Cybersecurity analytic firms report that supply chain attacks are on the rise, ranking among the top attack vectors for cyber adversaries.

Cyber incidents have also impacted the functioning of supply chains and the movement of goods. In 2017, the exploitation of the NotPetya malware by the Russian government temporarily shut down U.S. ports and cost FedEx $300 million in lost revenue from shipping and logistics. Similarly, the 2021 cyber attack on the Colonial Pipeline resulted in fuel shortages on the East Coast for several days.

However, cyber attacks are not the sole supply chain risks to the U.S. homeland and global supply chains. Atrocities committed by the Russian government in Ukraine, coupled with economic warfare, have led to energy shortages across Europe and shortages of crucial supplies globally. The conflict in Gaza between Israel and Hamas is expected to have similar impacts on energy and technology markets. As noted by Gen. James Jones and former DHS Assistant Secretary Brian Harrell in The Messenger, “The war of today is all-encompassing. The front lines are not just on the battlefield but in our data and supply chains.”

Supply chain shocks are not solely caused by adversaries. Homeland security professionals nationwide have grappled with significant supply shortages stemming from economic factors, natural disasters, regulatory concerns, and health crises. This includes the impact of the COVID pandemic, shortages of essential goods like baby formula, and port closures due to flooding, wind damage, and labor strife.

These examples underscore why supply chain shocks remain prominent on my homeland security risk register. Consequently, supply chain security and resilience must be a mission priority.

The Biden Administration recognizes this, evident in its recent steps to strengthen American supply chains. With the establishment of the White House Council on Supply Chain Resilience, the Administration has taken a significant stride toward enhancing the resilience of critical supply chains in the face of global shocks.

In conjunction with the Cabinet-level Council, the Federal government has committed to bolstering its cross-governmental supply chain capabilities. This encompasses expanding supply chain data and analytical availability, investing in critical supply chains, and implementing planning and exercises to assess resilience. Additionally, fortified supply chain resilience structures will be established within the Department of Commerce, the Department of Homeland Security, and the Department of Transportation.

As a follow-up to the White House announcement, DHS Secretary Alejandro Mayorkas provided further details about DHS’ role in enhancing the mission. This includes the creation of a Supply Chain Resilience Center focusing on security at strategic seaports, partnering with owners of strategically valuable infrastructure, and hosting two tabletop exercises in 2024 on the resilience of cross-border supply chains.

These initiatives build on earlier work stemming from a February 2021 Executive Order. In that order, the President tasked agencies with making recommendations on strengthening supply chains and supply bases for goods and materials essential to critical infrastructure. These recommendations, made public in 2022, clearly influenced the actions taken by the White House this week.

The Administration’s actions reveal a strategy for strengthening America’s supply chains and a commitment by the Executive Branch, with crucial funding support and increased authorities from Congress, to invest in that strategy.

In my view, the pillars of the strategy include:

1. Enhanced real-time data, risk monitoring, and information sharing across the government and between the government and the private sector to anticipate supply shocks.
2. Efforts to address excessive supply chain interdependence between the U.S. and adversaries, using regulatory action and enforcement tools to reduce that risk.
3. A commitment to building alliances for coordinating supply availability and sharing information about supply chain vulnerabilities.
4. A willingness to use government tools, including the Defense Production Act and other Federal incentives, to stimulate markets for supplies and incentivize resilience.
5. A risk-based focus on the materials most critical to America’s economic competitiveness.
6. Increased scenario planning and exercises addressing supply chain incidents.

For the homeland security community, each of these pillars carries implications. Integrating supply chain threat and vulnerability information with other homeland security information is an increasing imperative, necessitating structural and process improvements. Ensuring that security and resilience considerations are part of acquisition decisions for critical goods and technologies should be standard business practice. Monitoring critical supplies based on a risk-based understanding of what matters to critical functions must be part of homeland security analysis and stress tested. Notably, achieving all of the above depends on public-private collaboration and a commitment to investing in risk mitigation.

Ultimately, like most homeland security issues, the Federal government plays a role in risk mitigation, but it depends on a whole-of-community effort. Smart policy, executive commitment, investments, and reducing barriers to information sharing help activate that effort. With the announcements this week, let’s hope that the White House has continued the bipartisan trend toward strengthening America’s supply chains, unquestionably enhancing critical infrastructure security, resilience, and our Nation’s economic and national security.

Bob Kolasky

Bob Kolasky is the Senior Vice President for Critical Infrastructure at Exiger, LLC a global leader in AI-powered supply chain and third-party risk management solutions. Previously, Mr. Kolasky led the Cybersecurity and Infrastructure Security Agency’s (CISA) National Risk Management Center. In that role, he saw the Center’s efforts to facilitate a strategic, cross-sector risk management approach to cyber and physical threats to critical infrastructure. As head of the National Risk Management Center, Mr. Kolasky had the responsibility to develop integrated analytic capability to analyze risk to critical infrastructure and work across the national community to reduce risk. As part of that, he co-chaired the Information and Communications Technology Supply Chain Risk Management Task Force and led CISA’s efforts to support development of a secure 5G network. He also served on the Executive Committee for the Election Infrastructure Government Coordinating Council. Previously, Mr. Kolasky had served as the Deputy Assistant Secretary and Acting Assistant Secretary for Infrastructure Protection (IP), where he led the coordinated national effort to partner with industry to reduce the risk posed by acts of terrorism and other cyber or physical threats to the nation’s critical infrastructure, including election infrastructure. . Mr. Kolasky has served in a number of other senior leadership roles for DHS, including acting Deputy Under Secretary for NPPD before it became CISA and the Director of the DHS Cyber-Physical Critical Infrastructure Integrated Task Force to implement Presidential Policy Directive 21 on Critical Infrastructure Security and Resilience, as well as Executive Order 13636 on Critical Infrastructure Cybersecurity.

See Full Bio