Supply Chain Security – Not As Easy As it Looks

The massive exploit of SolarWinds is a prime example of what is called a “supply chain” vulnerability. The vast majority of those impacted by the Russian SolarWinds attack probably had never even heard of the company SolarWinds, and did not realize that they were dependent upon that company for critical infrastructure. Indeed, modern supply chains, manufacturing, technology, and Internet and telecommunications networks are dependent upon complex webs of supply chains—or, more accurately, supply webs—which are vulnerable to disruption and attack. While defense contractors, the intelligence community, and the Department of Defense all attempt to address this problem, for commercial entities, supply chain security can be the difference between being able to deliver products and services effectively or going out of business. Yet, it is incredibly complex and difficult even to identify what your supply chain is and identify your dependencies. There are some things you can do today, from a practical and legal standpoint, to ensure greater visibility into your supply chain and better ensure the security and resilience of your supply chain.

A Glass of Milk

Take something as simple as a glass of milk. What is the “supply chain” necessary to get that glass of milk into your hand? At its most basic, all you need for a glass of milk is a glass and a cow, and you probably can get by without the glass. But the “supply chain” of that glass of milk can be very complex and can include the land, the grass, the water, the fertilizer, the runoff, access to the land, the supply of cattle, the feed, the manure (removal), the infrastructure (barns, troughs, etc.), the milking machines, electricity, storage, refrigeration, transportation, pasteurization, cartons, labels, advertising, promotion, transport to stores with their own infrastructure. Then the customer has to go to the store, buy the milk, take it home, refrigerate it and, of course, find a glass.

We can make the supply chain even more complicated when we take into account the supply chain necessary to make the milk transport truck work, or the supply chain necessary to make sure we have electricity, or the supply chain necessary to ensure that vendors, suppliers and retailers can all be paid (banking, payment transfer, Internet payment systems).

We can complicate it even further if we add the computers, routers, hubs, etc. necessary for all of this to work. And even further, we can add the chips, software, code and other things necessary for those computers and routers to work. And finally, there is the supply chain of people necessary to make all of this work—which can include things like skills, recruiting, background checks and the infrastructure necessary to get them to the farm, factory or office. All that for a glass of milk.

It would be impossible for a dairy to be expected to know the entire interdependence and provenance of the supply chain. It should know where it is getting its feed, its machines and understand how transport to the processor works, as well as have some insight into the risks associated with at least those infrastructures. Is the feed safe? Has it been contaminated? Is the supply reliable? Do I have a backup supplier for feed, and is their feed safe? Things like that.

Know Your Risks

For any company, then, the first step in “supply chain” security is to attempt to identify the critical supply chain and the risks and impacts associated with supply chain failures. Failures can include disruption (e.g., your essential product is on a ship blocked in the Suez canal), contamination or general lack of protection.

Typically we look at what we call CIA: Risks to confidentiality, risks to integrity and risks to availability. So, look at what your business is and what it is dependent upon. Identify the key players in your risk environment—vendors, suppliers, communications, Internet, transportation, etc. Include those with access to your computers and networks, cloud providers, service providers and others. Essentially, what you need to stay in business. Upon whom are you dependent?

Reps and Warranties

Supply chains, at their core, involve relationships. These relationships are frequently defined by contracts that can be express or implied. When you buy a CAT-6 cable from your local Staples, Best Buy or even drug store, there is an expectation (by you) that the cable will not only do what it is supposed to do but also that the cable does not have a surveillance chip in it that is designed by the GRU in Russia to send your communications to someone in St. Petersburg.

You expect that the local CVS bought the cable from a reputable supplier, who bought it from a reputable manufacturer who, in turn, maintained control over the process of manufacturing and transportation to market. You also expect that CVS had some process to prevent someone from walking into the store and swapping out “real” CAT-6 cables for these “enhanced” cables. You expect supply chain security. But, from a legal standpoint, is this expectation reasonable? After all, there’s no formal contract between you and CVS. You just bought a cable.

The sales transaction is generally covered under Uniform Commercial Code Section 2. When you sell something, you don’t just sell the product. You warrant and represent that the thing you are selling is free from “defects,” that it is what it purports to be, and that it is “fit” for its intended use.  A breach of the supply chain that alters the character of the goods sold may result in a breach of the warranty of fitness or other warranties and expose you to liability just as much as if listeria sickens people who drink a tainted glass of milk. Thus, supply chain security is necessary in order to live up to express or implied warranties about products or services. If you agree to paint someone’s house, and you can’t get paint because the paint company’s product is on that same barge in the Red Sea, you may be liable for breach of contract. In more formal contracts, you may be committed to delivering a product of a particular quality at a particular time and supply chain security problems may result in your breach of these agreements. Additional liability may be imposed under a tort theory. Companies that fail to protect their supply chains may be deemed to be reckless or negligent and may have a duty to vendors, suppliers or consumers to do what they are supposed to do.

Pushback

A supply chain is, by definition, an interdependency. The problem with using either contract or tort law to enforce supply chain security is that, to sue under contract you often have to be in “privity” of contract—you may have to be a party to the contract or the recipient of the promise. The company that buys the “defective” CAT-6 cable can likely sue CVS, but can they sue the trucking company that delivered the cable, the company that heat-sealed the cables, the company that manufactured them or the engineer that designed them under a breach-of-contract theory? Probably not. Even under a tort theory (negligence), to be successful, an injured party would have to show that the party that failed to secure the supply chain had some duty of due care to them and that it was reasonably foreseeable that they would be harmed as a result. Could a person who was unable to get life-saving medicine at the local Eckards drug sue the operator of the boat which clogged the canal (even if the boat had no medicine on it?) Supply chain tort liability is probably broader than contract liability, but there are significant limits to who can be sued and for what. This is significant because liability—and potential liability—drives action. If you have liability for a supply chain failure, then you will expend resources to mitigate that risk. If not, then you might not.

Get it in Writing

In the short term, the most effective way to mitigate supply chain security is to (1) identify your supply chain of products and services; (2) identify the risks associated with those vendors or suppliers on that supply chain and (3) obligate those in the supply chain to take reasonable steps to both mitigate their risks and identify and mitigate the risks associated with their supply chains. It’s an endless game of finger-pointing.

In contracts, purchase orders, statements of work or other legal arrangements with critical providers, you need to identify what you want them to do from a supply chain, security, availability and confidentiality standpoint; what standards you want them to adopt, how you want them to certify or audit compliance and what consequences will enure if they fail to comply. You also want to identify any regulatory supply chain or security requirements that you expect them to comply with. In addition, you want them to “push down” these requirements on any of their vendors or suppliers (or at least those that are critical to your process) and impose liability to your vendor if their vendor fails. This will also mean that your vendors and suppliers will seek to impose the same standards on you—and you need to be prepared to meet these challenges.

With great power comes great responsibility. Supply chain security is monumentally difficult. For the short term, it is important for companies to identify critical dependencies in their supply chain and prepare for resiliency of those supply chains while imposing both duties and liabilities on those upon which they depend. This will take time, energy and resources—as well as careful negotiation and drafting. In the end, however, it may be the difference between having or losing a company and having to cry over spilled milk.

Featured eBook
7 Must-Read eBooks for Security Professionals

7 Must-Read eBooks for Security Professionals

From AppSec to SecOps, Security Boulevard eBooks deliver in-depth insights into hot topics that matter to the Cybersecurity and DevSecOps professionals. Our staff of writers are the best in the business, with decades of practical and award-winning experience and credentials. We are excited to share our 2019 favorites. Take a look and download some of ... Read More
Security Boulevard
Avatar photo

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland. where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and Universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.

mark has 167 posts and counting.See all posts by mark