What Are the Largest IT Supply Chain Risks in Federal IT?
The size and scale of the federal technology ecosystem make it inherently vulnerable. With so many moving parts, and the growth of the Internet of Things, there is ample opportunity for adversaries to insert themselves.
“The complexity, the diversity and the scale of the IT infrastructure in federal government: All that makes for a very complex risk,” says Ismael Valenzuela, a SANS-certified instructor and senior principal engineer at McAfee. “Now we are hooking up to hundreds of new IoT devices every day, devices that were not built with security in mind, and the attack surface just explodes exponentially.”
Experts worry that bad actors could insert malicious hardware or software into IT products that eventually get incorporated into federal systems. By compromising the supply chain, they could effectively open a back door into these systems.
By targeting the supply chain, adversaries can potentially gain entry into systems even before those tools are deployed into the federal space. “They could be trying to lay zero-day attacks within the system before it reaches the user,” says Kelvin Coleman, executive director of the National Cyber Security Alliance.
Such attacks could give bad actors significant leeway. “The real fear is that an external entity can breach that third party to gain a foothold in a federal network. They would then be able to move laterally within that network, with privileges that they should not have,” McGladrey says.
What Is Supply Chain Risk Management?
One way to address potential vulnerabilities around supply chain cybersecurity is through a risk management approach.
“Risk management is about assessing the risk of all the companies in that supply chain,” says Daniel Gonzales, a senior scientist at Rand. “That includes knowing who the companies are, who owns the company, where they are based, where they develop software and where they source hardware components.”
All that data helps federal agencies determine the potential risk associated with any given element within the supply chain.