The risks of supply chain threat sharing

Some of the most valuable data around supply chain threats -- identifying suspicious or untrustworthy actors -- can often be legally perilous to share.


While many national security initiatives can lean on non-public or classified intelligence to guide their efforts, for the most part that hasn't been the case when it comes to threats to the technology supply chain. In fact, suppliers can often have difficulty mapping out their own chains once it gets down to the third or fourth tier of subcontractors.

There have been efforts to correct that problem, with Congress passing a provision in the 2020 National Defense Authorization Act to establish a supply chain and counterintelligence task force at the Office of the Director of National Intelligence to improve intelligence for U.S. government acquisition. The Department of Homeland Security has also stood up an Information and Communications Technology Supply Chain Risk Management Task Force, including a working group dedicated to bidirectional information-sharing issues.

Despite these efforts, information about specific, credible threats to the supply chain can be hard to come by.

"Having spent the last 10 years in the intelligence community, I think a critical finding for me was that, despite public musings to the contrary, there is not some giant pile of supply chain intelligence sitting behind some sort of classification wall that is available to share," said Cheri Caddy, a senior cybersecurity advisor to the Department of Energy, a former National Security Agency official and one of the chairs of the information-sharing working group speaking at an Aug. 19 event hosted by the Intelligence and National Security Alliance.

In fact, some of the most relevant information has tended to come from either open source data or through shoe-leather reporting -- reaching out to companies for interviews, going behind paywalls for contract or supplier data and getting to the "ground truth of dealing with specific vendors and understanding when things are going wrong," Caddy said.

Kathryn Condello, senior director for national security emergency preparedness at CenturyLink and co-chair of the same working group, said often the most valuable information companies are looking for is also the hardest to safely share: what she calls "the naming of names problem."

Getting a heads up that a specific supplier or individual is untrustworthy or suspicious can help vendors -- particularly those who do business with the government -- keep their secondary and tertiary supply chains clean. That kind of insight can also be legally perilous for companies to share unless they have substantial evidence to back up the claim.

"How do you share the fact that you just canceled this contract with this vendor who was wonky because it just didn't look right?" asked Condello. "Well, it turns out there's a lot of law associated with not sharing that kind of information."

Liability concerns

Dismas Locaria, a lawyer at Venable with a background in supply chain and information-sharing issues, told FCW that companies often have suspicions about certain suppliers but generally lack smoking-gun evidence of intentional wrongdoing. That uncertainty can leave them in danger of being sued for defamation or interference with a contract if they pass along information that turns out to be inaccurate. They could even find that same government scrutiny turned back around onto their operations.

"There are all sorts of things where, if you're wrong, you're potentially liable," said Locaria.

When it comes to sharing information on supply chain threats, he advises clients to stick to documentation wherever possible and avoid "the slippery slope" of adding any analysis or opinion on top.

"Are we talking names, [and] is our name on the record? Are we giving names? How specific are we getting?" said Locaria, running through a list of questions a company has to consider. "If we're talking names, then my view is let's just provide documents … turn it over to the government and let them make their own inferences about it. Let the document speak for itself and let the government connect the dots."

An interim report issued by the DHS task force last year laid out a number of data points that could be useful in sniffing out supply chain threats, such as information around counterfeit parts, malicious code inserted into software and tips about insider threats or physical attacks on participants or products in the chain. It also found that intelligence around this area was "unique" and that "actionable information often requires a level of specificity which may create sensitivities about how it is shared" that lead to "a range of legal considerations that ICT stakeholders must navigate."

"Critically, [we] concluded that effective information sharing may necessitate the exchange of sensitive vendor or supplier data, including the names of specific entities," the report stated.

The working group has subsequently reached out to law firms, including Wilkinson, Barker and Knauer, to develop a cheat sheet designed to guide vendors or employees who don't have legal backgrounds around what they can relay to the government or industry without running afoul of liability laws. A spokesperson with DHS' Cybersecurity and Infrastructure Security Agency said an updated report detailing the task force's year-two findings is currently scheduled for completion this fall.

Edna Conway, vice president and general manager of global security and risk and compliance for Azure at Microsoft, sits on the executive committee of the task force and co-leads the working group addressing information sharing. She told FCW that developing good policy around legally sharing supply chain risk information "continues to be a fundamental issue."

"We've been struggling with information exchange for years. Today, we live in a platform economy; that platform economy is built on a foundation of cloud and mobility technologies that has enabled us to be more efficient than ever before but also increased our interdependence," Conway said. "As a result, we need to share information in as close to real-time as possible. To ensure that we preserve the benefits of living in a democracy, we must share information in a manner that protects the rights of enterprises and individuals, and that requires a thoughtful process."

The risks of a 'safe harbor'

Balancing those equities can be tricky. On one hand, the federal government wants to take advantage of supply chain risk management insights -- such as concerns around using software from Kaspersky Labs -- that were an open secret among some in industry well before DHS banned the Russian-based antivirus firm from government systems and began warning companies about the risks of their data passing through Russian servers.

On the other hand, carving out broad liability protections for companies to pass such suspicions on to the government could create negative incentives, opening the door for bad actors to abuse that safe harbor or cast aspersions onto a competitor in the hopes of harming their business.

Changing the current dynamic would require an act of Congress, similar to the liability protections that were carved out in the 2015 Cybersecurity Information Sharing Act. Even then, Locaria said the government would likely need to set up a third-party clearinghouse to collect tips, verify that they touch on a legitimate security issue and possibly scrub or anonymize certain identifying information before passing them along to federal agencies.

That could help to vet what kind of information ends up in government hands and lessen the harm around the most spurious of claims, but the core problem remains the same.

"If the government creates a mechanism for people to share, then is that abused? Because not everybody's interests or efforts are altruistic," said Locaria. "What kind of incentives would the government be giving, a safe harbor for what? For anything? It can't be for anything because then competitors will be pulling all the stops out. For good faith? That's not a high bar."

Will Congress step in?

Congress has taken an interest as well. During a 2019 hearing on supply chain security, Rep. Bennie Thompson (D-Miss.), chairman of the House Homeland Security Committee, said the working group’s insights "suggests the need for further legal analysis and foreshadows the potential need for future legislative action."

Thompson added: "I think there will be some legislative fixes on liability and some other things we'll have to look at down the road."

The contours of the current discussion resemble the debate around information sharing before the passage of the Cybersecurity Information Sharing Act. Robert Mayer, who heads cybersecurity at the USTelecom trade association, made the comparison in the 2019 hearing.

Mayer noted that the 2015 legislation protects companies from sharing indicators of compromise with regard to specific cybersecurity threats, but that no such protection exists for sharing adverse information about companies that may be linked to compromised hardware or software.

"The lawyers are going to be very reluctant to allow that person, that company, to make those kinds of remarks or evidence without liability protections because there are laws in place and private causes of action that could result in litigation," Mayer told lawmakers.

A bill introduced by Rep. Peter King (R-N.Y.) last year would give the DHS secretary the authority, upon recommendation from the department's chief acquisition officer and CIO, to restrict or exclude a vendor from IT acquisitions if a risk assessment concludes it poses a threat to the DHS supply chain. The bill would also give the DHS secretary latitude to take action before notifying the affected vendor. A legislative report on the bill -- which was approved by the House Homeland Security Committee but has not received a floor vote -- specifically mentions Chinese companies Huawei and ZTE as well as Russia-based Kaspersky Labs as national security threats to the supply chain.
