How exposed is your supply chain to cyber-attacks? Following recent compromises of both federal and private networks, regulators are asking this exact question. And recently, the federal government started responding with new mandates that will not only have immediate and direct impact on the sectors that they target, but will also likely spread a culture of compliance across all industries.
New rules, regulations, and guidance are implemented to set new standards for defending against, responding to, and reporting cybersecurity incidents. Here we outline what helped drive the creation of certain regulations. While many of these regulations are aimed specifically at federal agencies, they also offer a preview of what the private sector may expect to see in the future. As always, organizations should regularly confer with their legal and regulatory counsel to monitor cybersecurity requirements and developments.
Reconstructing the cybersecurity supply chain
The SolarWinds breach, which was discovered last December, uncovered a deep and broad compromise of federal systems. Further analysis revealed that the exploit dated back nearly a year. The Microsoft Exchange Server exploit, discovered shortly after, revealed a second intrusion deep into both government and the private sector.
These events necessitated a response. In May, President Biden signed an executive order that ambitiously redefines cybersecurity requirements in federal contracts. The new requirements specifically target federal contractors servicing the US government. But repercussions are expected to be felt far beyond as state and sector regulators may pursue similar requirements and the private sector may adopt these regulations as best practices and implement similar contractual requirements.
Thus, every business should take note of these cybersecurity requirements.
Among the directives of the executive order, federal agencies must:
- Prioritize certain security practices, such as establishing zero-trust architecture, government-wide endpoint detection and response, multifactor authentication, and encryption for data at rest and in transit.
- Develop best practices for coding and require attestation to confirm adherence to those standards.
- Set requirements for testing software code, including the use of automated tools and penetration testing.
- Leverage the use of secure cloud computing.
- Identify the most critical software and associated security controls.
- Propose a consumer product labelling program that evaluates security of Internet of Things (IoT) devices.
- Formalize incident response plans across the government.
In addition, organizations will need to share information on cyber threats and cooperate with federal agencies during investigations, adopt recommended security practices for software development, follow baseline requirements for logging activity in a network, and provide a software bill of materials that will disclose the components used to build technology products.
Lastly, the new executive order establishes a Cyber Safety Review Board to study significant cyber incidents carried out against government and industry and make recommendations. Investigations carried out by the board will require full transparency and real-time information sharing, and may set the new standard for what regulators expect in the aftermath of a breach.
Barring suppliers of cybersecurity technology
Adding to tightened network controls, government and industry will also start taking a closer look at suppliers of technology used to build those networks. In March, the US Department of Commerce (DOC) issued an interim regulation that allows it to reject contracts to provide information communications technology and services (ICTS) when the provider originates from a designated “adversarial nation.”
Under the interim regulation, the DOC could prohibit companies from purchasing certain technologies that derive from sources suspected of deliberately embedding security vulnerabilities within networks.
Companies should take note of this development for three main reasons:
1. The regulation currently applies to multiple industries, including communications, energy, manufacturing, financial services, transportation, agriculture, information technology, and wherever else “critical infrastructure” might be found.
2. A lot of ICTS technology will be under review, such as:
   - Wireless local area networks.
   - Mobile networks.
   - Wireline access points.
   - Core networking systems.
   - Data hosting or computing services affecting sensitive personal data.
   - Internet-enabled sensors.
   - Endpoint surveillance or monitoring devices.
   - Software designed primarily to facilitate internet communications, or integral to artificial intelligence and machine learning, quantum computing, autonomous systems, or advanced robotics.
3. The interim regulation also provides sweeping authority. As currently adopted, the DOC could “investigate, modify, block or unwind covered transactions involving certain identified foreign adversaries on national security grounds.” In addition, the DOC may review “any acquisition, importation, transfer, installation, dealing in, or use of” the underlying technology, which may include activities like managed services, data transmission, software updates, repairs, or the platforming or data hosting of applications.
While the DOC may still revise this regulation, critical infrastructure companies and vendors to federal agencies should expect greater scrutiny over the sources of their technology and how they use that technology.
Industry-specific regulations may affect the supply chain
While all-of-industry regulations can represent major shifts, there are more sector-specific tools at the federal government’s disposal. This was prominently on display when the Department of Homeland Security (DHS) announced that pipeline companies would have new reporting requirements for cyber-events and would also face additional cyber regulations in the near future.
The way government already regulates parts of critical infrastructure could give an indication of what is ahead. For example, the US Federal Energy Regulatory Commission (FERC) oversees utilities with assets that touch the bulk electric system under its Critical Infrastructure Protection (CIP) standards. These require regulated companies to assess risk and apply appropriate protections. FERC recently updated those standards with cybersecurity practices for systems used to authenticate, restrict, and monitor access to critical assets. Other sector-specific agencies could follow with their own CIP-like regimes.
What organizations can do now
- Review existing government guidance
Earlier this year, the National Institute of Standards and Technology (NIST) issued supply chain guidance — Key Practices in Supply Chain Risk Management: Observations from Industry — to help companies find and fortify weaknesses in their supply chain. Among the practices to address cyber supply chain weaknesses, NIST recommends:
- Making supply chain cybersecurity an organization-wide effort.
- Assessing the organization’s supply chain and focusing risk management on the most critical suppliers.
- Closely collaborating with suppliers.
- Building cyber resilience.
NIST’s guidance also provides practical recommendations to implement the key practices. Regulators for critical infrastructure sectors like healthcare, transportation, and life sciences could potentially adopt similar cyber supply chain standards.
- Strengthen regulatory reviews for technology procurement
Most companies already have thorough processes for reviewing regulatory requirements. That process may now need to become more anticipatory. For example, a company might use software manufactured in a designated “adversarial nation” under the DOC rule but not banned by any regulation. Companies should not only monitor and respond to changes in regulations, but also evaluate their use of foreign-manufactured technology that could come under the rule. That examination could influence buying decisions today that could avoid disruptions in the future.
- Assess and develop metrics to evaluate supply chain cybersecurity maturity
While developing assessments and metrics may be challenging, this may soon not be optional. Guidance issued by the Securities and Exchange Commission in 2018 states that companies must align cyber risk management to specific business impact categories. Following the widespread breaches of the supply chain and the federal government’s heightened attention to supply chain cybersecurity, companies should consider whether the supply chain is within the scope of that guidance.
- Develop criteria to evaluate the security of off-the-shelf technologies and services
Companies should use objective criteria to establish a process for assuring that the technology used to build the network meets their minimum security standards and improves their overall risk position. Companies can also leverage available guidance. For example, Marsh’s Cyber Catalyst program teams with leading insurers to provide insureds with awareness of how underwriters view certain technologies designed to manage cyber risk. Additionally, companies may consider governmental programs when evaluating the security of their technology and services. For example, the DHS SAFETY Act program provides qualifying companies with certain liability protections for approved anti-terrorism technologies, which may include cybersecurity technologies and products.
Changes to the digital supply chain are on the horizon. The increasing sophistication of cyber-attacks against the supply chain will compel both industry and government to identify cyber best practices for securing the supply chain, and that will serve as the basis to develop future regulations. As such, organizations will need to develop cyber practices that protect against the impact of an attack and withstand regulatory scrutiny.