U.S. adversaries have turned to exploiting United States supply chains, said Harvey Rishikof, co-author of “Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience,” at a May 1 luncheon sponsored by the American Bar Association Standing Committee on Law and National Security.
Rishikof, chair of the advisory committee, was joined by Joyce Corell, assistant director for the Supply Chain and Cyber Directorate at the National Counterintelligence and Security Center in the Office of the Director of National Intelligence; and Stephen Preston, former Department of Defense and CIA general counsel. They discussed how lawyers can manage cybersecurity risks to protect clients’ sensitive data.
Corell believes the threats are complex and constantly evolving. “We’re more worried about an adversary using a company,” she said, noting the case of Kaspersky Labs, a Russian company that makes antivirus software. In September 2017, the Department of Homeland Security banned the use of Kaspersky products on federal civilian networks, citing ties between certain Kaspersky officials and Russian intelligence and other government agencies. The National Defense Authorization Act enacted that year expanded the scope of the ban. That led to the new Secure Technology Act, signed into law in December 2018, which provides criteria to exclude a company from government agency systems.
Preston said supply chain security is “all about China … almost.” He said Chinese theft of intellectual property has escalated in recent years and includes efforts to compromise sensitive information and defense systems. In response, the U.S. has embarked on a broad and sustained campaign to block China’s access to advanced U.S. technologies. Preston advises clients to stay on top of legal developments in national security law to avoid potentially costly missteps.
Rishikof said he wants to see the creation of a national center to issue independent security grades for products available to U.S. consumers, as well as ratings for supply chains, to ensure they lack the capacity for malware.
- Technical paper: “Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience”
- Read: “2018 Insider Threat Program Maturity Framework”
- Read: “The U.S. Intelligence Community Law Sourcebook 2019 Edition: A Compendium of National Security Related Laws and Policy Documents”
- Read: Supply Chain Risk Management Practices for Federal Information Systems and Organizations
- Listen: National Security Today podcast
- ABA Journal: “California imposes new regulations on ‘internet of things’ devices”