A collaborative white paper, Building A Cyber Supply Chain Assurance Reference Model, released today by Science Applications International Corporation (SAIC) and the Supply Chain Management Center at the University of Maryland’s Robert H. Smith School of Business, tackles the nation’s cyber threat — now elevated to a presidential imperative — with an outline for an innovative model that applies end-to-end supply chain management to cyber security for the first time.
The white paper marks the final phase of a six-month project and addresses a key discovery – that global cyber supply chains today are as fragmented as physical supply chains were 15 years ago. The paper follows the Obama administration announcement of a White House cyber czar to develop strategy to protect the nation’s government and private computer networks while balancing national security and economic concerns. With the cyber industry increasingly spread across many different countries around the world, globalization has intensified the potential threats.
Drawing best practices from the evolution of the global supply chain, researchers from the Smith School’s Supply Chain Management Center address the challenge of keeping distributed, global networks secure from threats with a well-defined and integrated model built upon a dynamic governance structure that unites hardware and software planning. The result offers potential for a significant advance in combating cyber threats, viruses and attacks and represents a dramatic paradigm shift from current industry practices.
“It is a national security imperative in a global economy that we have confidence in the supply chains of integrated systems and the integrity of the people, processes and technology that comprise them,” said Hart Rossman, chief technology officer for Cyber Security Solutions at SAIC and a senior research fellow of the Supply Chain Management Center at the University of Maryland’s Robert H. Smith School of Business. “The fusion of these two dynamic disciplines — supply chain risk management and cyber security — will help address emerging threats and vulnerabilities presented in the sourcing of IT solutions worldwide. The framework identifies interdependencies between system development life cycle activities across the supply chain, providing insight and guidance to create flexible mitigation strategies according to the risk appetite of an organization.”
The Cyber Supply Chain Assurance Reference Model defines not only key actors, processes, and vulnerabilities, but also identifies strategic interdependencies at each node of the international production/sustainment chain. Among the paper’s key findings are:
- A fully integrated cyber supply chain requires the coordination of what researchers describe as “defense in depth,” the process of securing/hardening core systems and their constituent parts during the build and deploy phases of the lifecycle; and “defense in breadth,” the process of securing the global web of actors who use and maintain a system including customers, system integrators and suppliers.
- There is a lack of visibility and coherence across the cyber supply chain that prevents effective orchestration and synchronization.
- There is a clear need for structured incentives and relationship drivers which facilitate management of shared risk.
- Lack of communication between the cyber and physical supply chain domains is constraining advancement.
- Most organizations mistakenly view themselves as the terminus of the cyber supply chain and do not recognize the need for accountability within all internal functional areas, as well as among all suppliers, customers and partners.
With cyber security targeted as an area of strategic emphasis, the U.S. government is expected to work closely with security companies and other private companies to help secure U.S. interests – especially the government and key infrastructure – from future attacks.
The four-phase project drew on insight and best practices across disciplines. The first phase included a literature review, while phase two incorporated input from extensive interviews with experts in policy making and governance, acquisitions, and hardware, software, network and systems-integration assurance. In phase three, researchers compiled interview results, analyzed findings and presented a prototype Cyber Supply Chain Assurance Reference Model to a focus group of 30 government and industry executives. The research team included Boyson, Thomas Corsi, co-director of the Smith School’s Supply Chain Management Center, and Rossman. A copy of the paper is available here.