Insiders have said that Cyber Coordinator Mike Daniel will drop Supply Chain Security from his pending revision of the Obama cybersecurity policy. This would be unfortunate. CNCI, the Bush Administration’s contribution to cybersecurity efforts, is moving toward sunset, setting up Daniel to produce a new policy framework. The rumblings coming from the White House are troubling.
Daniel, who earlier this year stated that the President’s executive order was only a “down payment” on cybersecurity, seems intent on dropping one of the most crucial aspects of cyber as a point of focus. When someone noted that a draft version of the as-yet-unreleased policy did not mention supply chain security (it has always been prominent until now), Daniel responded that it was implied and subsumed in the other aspects.
This is clearly not sufficient. The tech world runs a truly global supply chain – a global supply chain that often originates in or runs through countries that have a vested interest in compromising U.S. cybersecurity. The global supply chain works and keeps our smart phones, tablets, computers, and other parts of the digital world affordable. It also makes the supply chain a point of concern.
We are not going to change the supply chain (who wants to pay $5,000 for a smart phone?), but if it fades away as a cyber concern, there will be problems. Supply chain security is one of seven pillars identified in a Heritage Foundation paper (Seven Steps to U.S. Security, Prosperity, and Freedom in Cyberspace) covering what should be included in positive (and passable) cyber legislation. Leaving it out now is the wrong path.
Additionally, a considerable business sector is developing around protecting the cyber supply chain. It is viable, active and badly needed. What U.S. companies and the U.S. government need is support. That said, in a world of shrinking resources, the C-suite leaders in and out of government are unlikely to spring for this sort of hard-to-envision security when it is not being emphasized.
The non-techie leaders of most of our entities do not invest in something that is “implied” or “subsumed.” If we want companies and agencies to be willing to strengthen their cybersecurity, they must work on the supply chain as well. Daniel’s willingness to bury it is unwise and will potentially hurt security overall.
Active supply chain security for cyberspace is absolutely required if we are to get ahead – and stay ahead – of the numerous threats we face. Cyber Coordinator Daniel would do well to remember that going forward.