US Policy Direction for Critical Infrastructure and Supply Chain Analysis
If there has ever been a time to protect critical US supply chains, it is now.
A few weeks ago, I was speaking with the former Assistant Secretary of Defense. He asked me if I would be willing to write my thoughts, specifically around US policy and how we must consider Supply Chain Risk Management as it relates to US Critical Infrastructure. Here are my recommendations and observations.
The US supply chain is at risk, at a level that is not being taken seriously enough, and largely without the knowledge of the American people.
US infrastructure is a target for nation-state adversaries that employ the latest techniques and large-scale compute environments to disrupt, defeat, and deny the success of many of our critical sectors.
Algorithmic warfare is upon us. The ability for adversaries to build robust targeting packages aimed at companies in our Defense Industrial Base (DIB) exists today, exploiting critical vulnerabilities in people, processes, and technologies.
Development of AI models has accelerated with the use of advanced GPUs. These "supercomputers" are capable of processing billions of operations per second. When developing a "targeting package", our adversaries have become notorious for exploiting our "soft spots": dependency risks within both our vendor and third-party ecosystems, and the suppliers that make up the Bill of Materials (BoM) of critical systems.
Our entire nation depends on ecosystem stability within banking, insurance, healthcare, energy, manufacturing, agriculture, defense, and other critical sectors. Should these markets be targeted and crippled, our nation suffers. Further, should our facilities and our built environment come under attack from nation states who, we know, wish to do us harm, society spins into chaos.
Mutually assured destruction may well be part of the calculus. But there are steps we as a nation need to enact immediately to ensure that our attack surface is minimized and that the concentration risks in our supply chains are reduced across our national systems.
To date, traditional methods have failed, and we continue to rely on them. They involve vendor self-attestations of security posture; spreadsheet-level assessment of converging risk forces; scoring approaches biased by the humans who build them; and archaic approaches that are after the fact, in other words retrospective, ostensibly reporting the "news" rather than providing our leadership with foresight of impending risk.
When our systems are targeted by a large adversary workforce wielding sophisticated AI-powered tooling, we stand defenseless. It is easy to attack and far more difficult to defend.
By utilizing advanced algorithms and approaches that go far beyond traditional vulnerability analysis and scraping, the US has the potential not only to defend but to foresee impending risk by assessing the entire US corporate apparatus with AI-powered inference. Since we do not have custody of the asset (that is, the supplier), we as a nation cannot legally test the breach potential of every supplier, third party, or vendor within a crucial supply chain. But we do have the ability to leverage existing commercial technology that legally assesses not only a supplier's cyber hygiene and proficiency, but also that supplier's ability to respond and recover under duress, from a business-resilience perspective.
This approach must move past traditional cybersecurity solutions that focus on human-selected features of risk, toward machine-selected attributes that reflect it. It must be considerate of not just what is, but what is likely. After all, there is little value in rediscovering supplier risks that are already known, and likely already exploited, by our adversaries.
“It must be considerate of not just what is, but what is likely”
It must also consider the viability of suppliers, of the supply chain, and of entire industries in terms of business resilience and survivability. It is one thing to be breached, another to be able to respond and recover from a breach. And if that supplier sits deep within a critical infrastructure component of any form, knowing so is what makes the difference; it requires seeing things from a broader point of view.
Many frameworks focus on advanced persistent threats once the adversary is already inside the network. It is equally important to know in advance where they will insert first, and often, as we have all seen, it is within the supply chain or a third party. If you knock out the primary logistics company in a specific critical-minerals segment, for instance lithium, the EV market is crippled, investors lose, and the world sees a swift material impact. If you knock out the manufacturers of the machines that make the world's semiconductors, every industry is damaged and global economies suffer, putting the world at further risk.
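The concentration-risk point above, where a single logistics company or tool maker sits beneath an entire market, can be made concrete. The following is an added example, not code from the original essay: it models a constructed bill of materials in which each component requires all of its inputs and each raw part may have one or more suppliers, then asks which critical systems fall if a given supplier is knocked out. The supplier, part, and system names are hypothetical and the data is constructed for illustration.

```python
"""Concentration-risk analysis over a constructed bill-of-materials graph.

Each component requires ALL of its listed inputs (an AND relationship), and
each raw part can be delivered by ONE OR MORE suppliers (an OR relationship).
Removing a supplier makes every part that has no remaining supplier
unavailable; unavailability then propagates up the BoM to every component
that depends on an unavailable input, until nothing else changes.
"""

# Constructed example data: hypothetical suppliers, parts, and systems.
SUPPLIERS = {                                   # part -> suppliers able to deliver it
    "lithium_carbonate": {"LogiCo"},            # single-sourced
    "cathode_foil": {"FoilA", "FoilB"},         # dual-sourced
    "lithography_tool": {"ToolMaker"},          # single-sourced
    "silicon_wafer": {"WaferA", "WaferB"},      # dual-sourced
}
BOM = {                                         # component -> inputs it requires (AND)
    "battery_cell": {"lithium_carbonate", "cathode_foil"},
    "ev_pack": {"battery_cell", "pack_controller"},
    "pack_controller": {"soc"},
    "soc": {"silicon_wafer", "lithography_tool"},
    "grid_inverter": {"soc"},
}
CRITICAL_SYSTEMS = ("ev_pack", "grid_inverter")


def unavailable_after(removed, suppliers=SUPPLIERS, bom=BOM):
    """Return every part and component that can no longer be built once the
    suppliers in `removed` are knocked out."""
    removed = set(removed)
    # A part is down only when every one of its suppliers is gone.
    down = {part for part, srcs in suppliers.items() if srcs <= removed}
    # Propagate upward: a component is down if any required input is down.
    changed = True
    while changed:
        changed = False
        for comp, inputs in bom.items():
            if comp not in down and inputs & down:
                down.add(comp)
                changed = True
    return down


def single_points_of_failure(suppliers=SUPPLIERS, bom=BOM, critical=CRITICAL_SYSTEMS):
    """Map each supplier to the critical systems lost if it alone fails.
    Suppliers whose loss takes nothing critical down are omitted."""
    spof = {}
    for supplier in sorted(set().union(*suppliers.values())):
        lost = unavailable_after({supplier}, suppliers, bom) & set(critical)
        if lost:
            spof[supplier] = lost
    return spof


def concentration_score(suppliers=SUPPLIERS, bom=BOM, critical=CRITICAL_SYSTEMS):
    """Fraction of the critical systems each single point of failure can take
    down on its own; 1.0 means one supplier can stop every critical system."""
    return {s: len(lost) / len(critical)
            for s, lost in single_points_of_failure(suppliers, bom, critical).items()}


if __name__ == "__main__":
    for supplier, lost in single_points_of_failure().items():
        print(f"{supplier}: sole source on a path to {sorted(lost)}")
    print("n-2 case, both foil suppliers lost:",
          sorted(unavailable_after({"FoilA", "FoilB"}) & set(CRITICAL_SYSTEMS)))
```

In this constructed data the dual-sourced foil and wafer suppliers never appear as single points of failure, while the sole lithography tool maker sits beneath both critical systems; the n-2 call at the end shows that dual sourcing only defers the problem to a correlated loss of both sources, which is why supplier viability and resilience, not just supplier count, belong in the assessment.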
The processes associated with innovation and acquisition in this domain constitute a US national security risk. The frameworks are only emerging, and the rapid acquisition mechanisms are not operating with efficiency or pace. The capabilities of the companies the US Government currently relies upon for SCRM are outdated, retrospective, and reactive in nature. These technologies do not provide foresight of impending risk.
To solve the issue, we must enact requirements that move us away from detection toward prediction, and away from scraping toward data transformation and, ultimately, risk inference. Otherwise we are merely reporting news that is already known about our suppliers, and likely already exploited by our adversaries. Inflexibility in our thesis is harming the United States.
We must utilize technologies that can identify risk before it materializes within our global supply chains and critical infrastructure. Otherwise we do not obtain the benefit of foresight and are merely reacting to risk that has already materialized. It is incumbent upon our leadership to understand these implications, to hold those responsible accountable, and to advance our capacity to protect the United States.