Cyber Supply Chain Assurance:
Incident Response in the Global IT Supply Chain

Speaker: Hart Rossman

Our paper,"Building A Cyber Supply Chain Assurance Reference Model", marked the culmination of a seven-month research project which sought to fuse together the fields of cybersecurity and supply chain risk management by applying proven supply chain practices to this evolving cyber domain. This presentation will take a cross-functional risk perspective of Cyber Supply Chain Assurance referencing cutting edge models, tools, and practices extending the initial findings in this paper. The audience will learn through case study and example threat vectors, details of known incidents, and best practices for creating resilient cyber supply chains. Of particular focus will be the role of the incident response and security teams as actors in the cyber supply chain. We will explore tools and tactics that might be used including technical and contractual means to influence response capability throughout the cyber supply chain. The cyber supply chain encompass the information and communications technology components, products, services, and integrated systems created and transported by global supply chain.

This presentation is the result of a collaboration between SAIC and the Supply Chain Management Center (SCMS) of the Robert H. Smith School of Business, University of Maryland (UMD) at College Park. Our research assessed the dynamics, risks, and management challenges and opportunities of the cyber supply chain in its role as a critical public system/private infrastructure.

Among the research team's key findings are:

• A fully integrated cyber supply chain requires the coordination of what researchers describe as "defense in depth," the process of securing/hardening core systems and their constituent parts during the build and deploy phases of the lifecycle; and "defense in breadth," the process of securing the global web of actors who use and maintain a system including customers, system integrators and suppliers.
• There is a lack of visibility and coherence across the cyber supply chain which prevents effective orchestration and synchronization.
• There is a clear need for structured incentives and relationship drivers which facilitate management of shared risk.
• Lack of communication between the cyber and physical supply chain domains is constraining advancement. Most organizations mistakenly view themselves as the terminus in the cyber supply chain and do not recognize the need for accountability within all internal function areas, as well as among all suppliers, customers and partners.
• Information security operations is not sufficiently aligned with the supply chain risk management function to be capable of performing joint operations during an incident

The central challenge is that global cyber supply chains today are as fragmented as physical supply chains were 15 years ago. Since the release of our paper we have been diligently conducting on-site case studies with several government and commercial organizations to better understand the application of the model.

In this session we will introduce our model and present one industry and one government case study covering a cross-functional executive perspective of its application paying particular attention to the challenges an incident response team faces in aligning the CERT/CIRC function with conventional supply chain risk management.