
Five Principles to Help Secure Technology Supply Chains

As we consider this new normal of supply chains, with new risks and threats, a new approach is needed to secure our technology supply chains.

Twenty years ago, the most common disruption to supply chains was factory fires. Today, that landscape has shifted considerably. Globalization has led to distributed supply chains. Artificial intelligence-fueled logistics allow just-in-time delivery of components. However, efficiency also has bred brittleness. There is too little slack in the system for resilience in the face of disruption.

Today there are a few big sources of disruption. Climate change is causing more extreme-weather events that are a major source of disruption. COVID-19 led to new purchasing modalities and patterns, and when combined with labor shortages it continues to confound retail and consumer supply chains. Rising trade tensions with China, fueled by jockeying for economic and national security superiority, along with sanctions lobbed across the Pacific, continue to disrupt technology supply chains. Lastly, new threats like ransomware are introducing new risks to manufacturers.

As we consider this new normal of supply chains, with new risks and threats, a new approach is needed to secure our technology supply chains. While the focus in this article is on technology supply chains, these principles apply to broader resiliency aspects and broader supply chains as well.

1. We must illuminate supply chains, so you can see what you’re buying and from whom.

While most organizations have a good handle on their direct suppliers, few know who their second-tier suppliers are. On the software side, the Software Bill of Materials (SBOM) initiative seeks to help provide this illumination. As vendors begin requiring SBOMs from their suppliers, we can ultimately get an inventory of all the software libraries and building blocks that go into a final product or service.
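An added example, not from the original article: the sketch below reads a CycloneDX-format SBOM and groups components by how many dependency hops they sit from the product, which is the second-tier visibility this paragraph describes. The SBOM content, product name and vendor names are constructed for illustration.

```python
import json
from collections import deque

# Constructed sample in CycloneDX JSON shape (not a real product's SBOM).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "app", "name": "billing-portal"}},
  "components": [
    {"bom-ref": "web", "name": "web-framework", "supplier": {"name": "Vendor A"}},
    {"bom-ref": "tls", "name": "tls-lib", "supplier": {"name": "Vendor B"}},
    {"bom-ref": "zip", "name": "zip-codec"},
    {"bom-ref": "log", "name": "log-helper", "supplier": {"name": "Vendor C"}}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["web", "log"]},
    {"ref": "web", "dependsOn": ["tls", "zip"]},
    {"ref": "tls", "dependsOn": ["zip"]},
    {"ref": "log", "dependsOn": []}
  ]
}
"""

def supplier_tiers(sbom):
    """Return {tier: [(component name, supplier or None), ...]} by BFS depth."""
    names = {c["bom-ref"]: (c["name"], c.get("supplier", {}).get("name"))
             for c in sbom.get("components", [])}
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    depth, queue = {root: 0}, deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in depth:  # shortest path wins; also stops cycles
                depth[child] = depth[ref] + 1
                queue.append(child)
    tiers = {}
    for ref, d in depth.items():
        if d > 0 and ref in names:  # skip the product itself and unlisted refs
            tiers.setdefault(d, []).append(names[ref])
    return {t: sorted(v, key=lambda x: x[0]) for t, v in sorted(tiers.items())}

if __name__ == "__main__":
    for tier, comps in supplier_tiers(json.loads(SBOM_JSON)).items():
        for name, supplier in comps:
            print(f"tier {tier}: {name:14} supplier={supplier or 'UNKNOWN'}")
```

A component with no `supplier` entry is reported as unknown rather than dropped, since a missing supplier is itself a visibility gap.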

2. We must be able to make risk- and threat-informed decisions about suppliers.

For example, software that relies on an unmaintained open-source library may represent risk. Similarly, products from Chinese companies may represent a threat. The 2023 National Defense Authorization Act includes language that requires the Department of Homeland Security to only buy software for critical functions that has no known vulnerabilities. Additionally, the Department of Commerce has outright banned products from Chinese companies like Huawei in certain sectors.

3. At a national level, we need to shape the ecosystem of trusted suppliers by investing in American and allied manufacturers.

The recently enacted “CHIPS+Science” bill includes $54 billion in appropriations to fuel domestic manufacturing in wireless and semiconductors. For wireless, $1.5 billion of grants will be doled out by the National Telecommunications and Information Administration to U.S. companies to fuel rebuilding the American telecom manufacturing ecosystem that has atrophied over the past 20 years and been sold for parts to Europe. For semiconductors, massive subsidies will help rebuild semiconductor development in the U.S.

4. We must invest in American innovation so that the next wave of technology is already in the U.S. and doesn’t need to be offshored.

American universities and industry need to lead R&D and bridge those technologies across the valley of death, so new science and technology innovations accrue to the U.S. GDP. The science half of the “CHIPS+Science” bill includes hundreds of billions of dollars in new authorizations for U.S. science agencies like the Department of Energy, the National Aeronautics and Space Administration, the National Institute of Standards and Technology, and the National Science Foundation. Hopefully Congress will come through with the needed appropriations to energize these ambitions.

5. We need to go on the offense.

As we’re seeing with sanctions against Russia, it’s possible to hold at risk an entire nation’s economy through systematic constraints on supply chains. More targeted effects can be achieved with more narrow manipulation of specific supply chain elements. If bad actors are tampering with U.S. supply chains, we need to interdict them.

We are at a unique point in time. We face new risks and threats. We have significant new federal technology investments on the horizon. By understanding the interplay, we can create a more secure technology supply chain that deals with these new risks and threats.

Charles Clancy
Charles Clancy is senior vice president, general manager of MITRE Labs, and chief futurist. He is responsible for sparking innovative disruption, accelerating risk-taking and discovery, and delivering real-time technology capabilities and execution through the company’s laboratories, solution platforms, and MITRE Fellows program. He leads technical innovation to anticipate and meet the future demands of government sponsors and industry and academic partners. Clancy is an internationally recognized expert on topics at the intersection of wireless, cybersecurity, and artificial intelligence. Before joining MITRE in 2019 as vice president for intelligence programs, Clancy served as the Bradley Distinguished Professor in Cybersecurity at Virginia Tech and executive director at the Hume Center for National Security and Technology. There, he led Virginia Tech’s research and experiential learning programs in defense and intelligence. He started his career at the National Security Agency, filling a variety of research, engineering, and operations roles, with a focus on wireless communications. He has co-authored more than 250 patents and academic publications, as well as six books. He co-founded several venture-backed security startup companies that apply commercial innovation to national security challenges. Clancy is an IEEE Fellow and sits on the AFCEA International Board of Directors’ Executive Committee, the AFCEA Intelligence Committee, the Intelligence and National Security Alliance Advisory Committee, the Systems Engineering Research Center Advisory Board, the Alliance for Telecommunications Industry Solutions Next G Alliance, and the Center for New American Security Task Force on Artificial Intelligence and National Security. He also serves on advisory boards at Howard University, Norfolk State University, North Carolina A&T State University, and Virginia Tech. In 2021, WashingtonExec magazine named Clancy one of the nation’s Top Climate Executives to Watch. 
Clancy holds a bachelor’s degree in computer engineering from the Rose-Hulman Institute of Technology, a master’s degree in electrical engineering from the University of Illinois at Urbana-Champaign, and a doctorate in computer science from the University of Maryland, College Park.
