National Counterintelligence and Security Center Director Bill Evanina warned that the weakest link in the supply chain can consistently be found in procurement departments, underscoring the need for a comprehensive enterprise approach for each government entity and private business to understand and address threats.
“‘Supply chain’ is no longer a buzzword like ‘cyber’ was five years ago,” Evanina told the Supply Chain Security is National Security event hosted Monday by the Intelligence and National Security Alliance. “It really means something.”
The director called Secretary of the Navy Richard V. Spencer’s Cybersecurity Readiness Review, released last month, “probably one of the most depressing things I’ve read in a long time.”
“I commend the Department of Defense and the Navy for writing this: it was candid, it was honest, it was transparent. And my proffer to you is that what’s written in there can be levied upon every single organization in the private sector, every organization in the government, with respect to what our vulnerabilities and threats are with respect to supply chain,” Evanina said, quoting one chilling line from the report: “The systems the U.S. relies upon to mobilize, deploy, and sustain forces have been extensively targeted by potential adversaries, and compromised to such extent that their reliability is questionable.”
“We cannot afford a situation five years from now where we may spend a lot of money building a thing, and then we need that thing to defend our nation, and it’s been compromised via supply chain and it doesn’t work,” Evanina added.
Over the past year, the NCSC has been meeting with agencies such as DHS, FBI and DoD, in addition to the private sector, talking about threats to the nation “primarily with respect to China but also Russia and Iran,” he said.
On supply chain threats, “I find that the private sector is most vulnerable; they face the greatest threats,” Evanina said. “And we need to have what’s finally a reality of true public-private partnership. So what does that mean? That means the government, the intelligence community has to do a much more efficient job of getting our private-sector entities, our defense contractors, our defense industrial base, viable actionable intelligence that we get at the most top-secret levels. To provide them those threat vectors that we see emanating from our adversaries about the technology they’re interested in, the malware, the semiconductors, the nanotechnology, and who makes them, and how to better inform them to protect holistically that thing.”
Secondarily, he continued, government and private industry “have to look at what’s going on now and what happened seven years ago.”
“When we hear that our adversaries have penetrated service providers and hundreds of companies have been victimized, that sounds scary — but no one seems to want to take the time to understand what that actually means. Who was victimized and what was stolen, who has access?” Evanina said. “So we talk about the supply chain — what’s at stake is not only our military preparedness and readiness, but our economic security.”
“I believe that when you have a supply chain issue you have a cyber issue; when you have a cyber issue, you have a supply chain issue. But when our adversaries are attacking us holistically, not only on the defense weapons platforms, our technology, our academia, our businesses, our technological edge that we have, they have a multifaceted vector into what we do.”
The insider threat “will always be the most pernicious and vicious” brand of attack, he said, with “a lot of them along the supply chain route.”
“My fear is, with respect to supply chain, is that we cannot become numb. As a country, as a people, as a democratic state we cannot become numb to supply chain threats. We have to work very hard to promulgate what that actually means,” Evanina said.
While private-sector entities may tout the greatness of their in-house cyber programs, he said, “It’s all wonderful, but what about your human resources person? What about your procurement and acquisition folks? To me, that is a weak link… understand where those weak links are.”
Procurement and acquisition comprise a notoriously weak link as “those individuals who hold the credit cards… how many hours of counterintelligence training do they get? Probably zero for their entire life,” he noted.
“Here’s how they’re getting in: understand where your procurement prospects are and your solicitations and your requests for bids. You can have the best cybersecurity people in the world, but if you don’t understand how you buy and purchase things, and how that’s vulnerable — never mind the Internet of Things, that’s a whole other conference by itself — but if we could just leave with one ideal, understand what supply chain is, the weak link. It’s easy to say don’t be the weak link — understand what that weak link is, and then make an impact.”
Evanina encouraged a “very, very sound enterprise-wide security process” to counter myriad threats.
“If you make security part of mission, the counterintelligence piece will take care of itself… what does it mean to understand the threat factor that your company faces?” he said.
“Hold your government partners accountable for advising and informing the threats … we’re going to hold you accountable, and you should hold yourselves accountable in the private sector, for mitigating those threats, closing those vulnerability gaps,” Evanina added.
“‘Supply chain’ cannot be that fuzzy word we’re uncomfortable with. It can’t be the phrase that we’re scared about or don’t quite understand… and then understand that the only way to survive is going to be with an enterprise-wide security program, whether it’s in the government or the private sector.”