FEDTECH: What else should agencies watch for?
CORELL: It depends on the consequences and what the adversary is interested in. From a risk perspective, there are things that we are not yet thinking of as a potential vector. The Department of Energy doles out grant money for research for energy/electricity delivery. Who’s that grant money going to? What is the new technology being injected into our energy/electricity delivery system? Are they thinking about the risk posed by third parties in that environment when those monies are doled out? I probably don’t need to repeat that the theft of intellectual property and the access to IP is how China feeds its IT ecosystem. In the excitement to invent, let’s not forget the consequences of not attending to your security or protecting your intellectual property.
FEDTECH: Is one type of agency more at risk for this kind of tampering, beyond the obvious classified agencies?
CORELL: I think all agencies have their own crown jewels. The Social Security Administration has all kinds of personally identifiable information about Americans. The education community has all kinds of information. When you apply for school loans, you’re coughing up everything; they have a lot of information about people’s finances.
FEDTECH: Who has the best position to spot risks in the supply chain?
CORELL: Your defense contractors, who are building the stuff, might be in a position to detect that something has gone wrong. Agencies should have tools in place to see if anything is exiting the hardened perimeter. The intelligence community does what the intelligence community does. But in the commercial sector, there is vast, untapped information available from commercial data providers. People are only just beginning to recognize that there’s a lot of information you can get about risk if you purchase information from commercial data providers.
FEDTECH: There are so many layers.
CORELL: Yes. The government has struggled in this context, where we talk to our first-tier supplier, then they will have a supplier and the suppliers will have suppliers. Sometimes companies will say, “We don’t know our suppliers’ suppliers.” There are legal terms tossed around — they can’t force their subcontractors to tell them who their subs are, because that might give one company a competitive edge over another.
One classic topic is information sharing. From my perspective, there’s all this pressure on the intelligence community: Share more, share more. My question for industry is not, “What do you do with all of that?” It’s, “What information can I give you that will make a difference in your decision to do business with a third party?”
When industry is thinking about their third-party risk, they go from, “Sure, I’ll do business with you,” to “I don’t really want to do business with you because you’re sketchy. But you’re the only game in town, so I’ll do business with you.” What information tips the company over to “No, I’m not going to do business with you”? This is an area industry is still thinking through.
FEDTECH: Is it possible to have one set of best practices for both government and private sector?
CORELL: I think there are common best practices. One is to think about security as the fourth pillar. When you’re buying goods and services, the community that does the purchasing looks at cost, schedule and performance. Those are the three pillars.
Historically, people working in the supply chain environment have said, “Performance, doesn’t that include security?” Well, it doesn’t. From a performance perspective, does this pen function as a pen? I pushed the button down; it’s a pen, right? I can meet performance criteria and not know that something extra is in there — the microphone talking to my little ballpoint pen. Security really needs to be the fourth pillar.