May 24, 2018

Supply chains pose emerging cybersecurity risk, top expert says at ABA lunch

Joyce Corell, from the Office of the Director of National Intelligence, addresses a luncheon sponsored by the ABA Standing Committee on Law and National Security.

A complicated and growing threat on the cybersecurity landscape is leaving American consumer goods vulnerable to hackers, according to Joyce Corell, the assistant director for supply chain at the National Counterintelligence and Security Center in the Office of the Director of National Intelligence.

Corell, who spoke at a May 22 luncheon sponsored by the ABA Standing Committee on Law and National Security, said her office is seeking new ways to provide information that helps manage supply chain risks in the public and private sectors.

Foreign countries around the world are involved in some aspect of manufacturing and distributing the internet-of-things consumer goods sold into the American market, Corell said. That leaves those products, and the U.S. national security interests that depend on them, exposed to adversaries seeking to weaken or compromise them somewhere along the chain.

Supply chain risks include tampering with hardware or software, insertion of malicious code, and poor manufacturing practices. Ensuring strong supply chains is critical to protecting against these threats, whether they come from individual hackers operating a botnet or from state-sponsored foreign intelligence operations, she said.

“It’s a complex topic, with no easy answers,” Corell said, adding that there is no single federal agency or private sector entity leading the way in the area of cyber supply risk management. “This isn’t on the horizon, it’s here now.”

Another area of concern is the evolution of the telecom sector from fourth generation (4G) to fifth generation (5G) connectivity and the explosion of new IoT products. “The products are very exciting, and we need to embrace the technology but do it with our eyes open and make sure we’re managing the risk. We have a short window of time to get cybersecurity principles in place and get IoT right,” she said.

From a cyber threat perspective, the 5G telecoms evolution presents a new level of vulnerability. It includes a concept called software-defined networking, which Corell said decouples control of the network from the rest of its functioning. The flexibility and efficiency offered by software-defined networking are appealing, but the centralized control plane becomes a sweet spot from a targeting perspective: whoever controls it controls how traffic is routed across the whole network. “Our adversaries will certainly be looking at these areas of technology to pursue very aggressively,” she said.

The capabilities of hackers are always changing and improving, adding to the challenge of protecting U.S. interests. “We’ll never have perfect (threat) information,” Corell said. Cybersecurity defense is about capacity building and having the agility to respond to a dynamic environment quickly.

She said a number of recent attacks have occurred when the software supply chain is compromised through a trusted vendor whose software update delivers malware, sometimes without the vendor knowing its own update has been tampered with. “Whether you call it vendor vetting or vendor due diligence, this is the space we’re in,” Corell said. Companies should investigate potential vendors very thoroughly; simply following industry best practices isn’t enough anymore. For example, did the company ever file for bankruptcy? This kind of information can be critical when choosing vendors.

Because the issues of supply chain management and integrated risk reduction in an IoT world are so complex, Corell said we need to think differently about our regulatory regimes relating to cybersecurity. “One can no longer outsource the thinking about risk in this space to your CEO or whatever. This is a risk problem that your business owns.”