Securing The Cyber Supply Chain

Securing The Cyber Supply Chain
Securing The Cyber Supply Chain 

By J. Nicholas Hoover
November 7, 2009 
(From the November 9, 2009 issue) 

Security pros draw a line at the firewall--what happens "out there" 
might be beyond their control, but a secure perimeter is intended to 
protect the data and systems within. That view, however, fails to take 
into account the role of developers, vendors, customers, users, and 
others along the supply chain of IT systems, hardware, and software 
coming into the enterprise. A new school of practice advocates a more 
encompassing approach to security that leaves none of those touch points 

It's called the cybersecurity supply chain, and, as it sounds, it 
applies the principles of supply chain management--product assembly and 
acquisition, data sharing among partners, governance, and more--to the 
security of IT systems and software. "Organizations need to realize that 
their borders are porous," says Jim Lewis, director and senior fellow of 
the Center for Strategic and International Studies' technology and 
public policy program. "We're no longer living behind a moat. It's not 
just how secure you are, but how secure the people you connect with are 
as well."

What comprises a cyber supply chain? Researchers at the University of 
Maryland's Robert H. Smith School of Business and the IT services firm 
SAIC, in a white paper published in June, define it as "the mass of IT 
systems--hardware, software, public, and classified networks--that 
together enable the uninterrupted operations" of government agencies, 
public companies, and their major suppliers. "The cyber supply chain 
includes the entire set of key actors and their organizational and 
process-level interactions that plan, build, manage, maintain, and 
defend this infrastructure."

Foreign nations already are carrying out supply chain attacks on IT 
systems belonging to the U.S. government, according to a presentation by 
Mitch Komaroff, director of the Department of Defense CIO's 
globalization task force. A simple example is hardware being delivered 
with malware installed. In the private sector, financial firms have 
become regular targets. These two sectors are also the most aggressive 
in looking at ways to fight the problem.


Did a friend send you this? From now on, be the 
first to find out! Subscribe to InfoSec News 

Site design & layout copyright © 1986-2015 CodeGods