Stuffing the Genie Back in the Bottle: Can Threats to the IT Supply Chain Be Mitigated?

The global information technology (IT) supply chain has been at the forefront of cyber security concerns for several years. Beginning with the Bush administration's 2008 Comprehensive National Cybersecurity Initiative (CNCI), the U.S. government identified the need for a multi-pronged approach to global supply chain risk management, a theme since underscored by the White House's January 2012 National Strategy for Global Supply Chain Security. Both documents agree that the globalization of the IT marketplace has created opportunities for hostile actors to compromise the confidentiality, integrity, and availability of IT products and services. That marketplace is composed of many businesses, vendors, and relationships spanning countries, regions, and time zones, and federal agencies must rely on these vendors and on commercial-off-the-shelf products to satisfy their IT requirements, which has politicians and security experts clamoring for supply chain oversight. As the recent House of Representatives report on the Chinese telecommunications companies Huawei and ZTE shows, the U.S. government fears IT supply chain exploitation by foreign IT companies even though it cannot attribute any specific act of espionage or intentional compromise to them. This raises two questions: 1) Is the supply chain threat blown out of proportion, given that the U.S. government continues to purchase commercial products; and 2) If not, is it too late to mitigate threats to a fragmented global enterprise? Ultimately, securing the global supply chain is as difficult as securing the global Internet, and for many of the same reasons. More attention should be spent on ensuring the quality of the products being integrated into networks than on trying to determine whether an adversary will use this cumbersome global supply chain as a viable means of espionage.