When most people discuss the topic of supply chain, the conversation mostly involves ships, trains, and trucks. These vast transportation networks move items from place to place while facing threats such as hurricanes, train derailments, civil unrest, or factory fires. These are all important and serious concerns, but I believe the time has come for the conversation on supply chain to change. The conversation must shift from threats TO the supply chain to threats FROM the supply chain.

With our current reliance on Southeast Asia for Information Technology (IT) components, IT manufacturers in the United States are in the difficult position of securing a supply chain with limited visibility and even less control. These original equipment manufacturers (OEMs) spend time, capital, and resources ensuring that their devices are secure, but the sheer volume of components and the geographic distance between design and fabrication make this a challenging task at best. Think about it this way: do you know whose hands have been on your IT equipment components?

In the public sector, the challenge is exacerbated by the use of Lowest Price Technically Acceptable (LPTA) contracts for the procurement of ‘commodity’ IT equipment. This has the desired effect of driving prices significantly lower and the unintended consequence of allowing our adversaries to introduce counterfeit or maliciously tainted hardware into our IT environments through suppliers whose low prices come with correspondingly weak supply chain risk management processes. The desire to award a contract to the lowest price bidder opens the door to businesses that, either knowingly or unknowingly, deliver devices that may look like the real item but could be from grey-market (counterfeit) or black-market (maliciously tainted hardware) sources. This is a real problem that all OEMs face and battle daily.

In addition, the role of the “nation state bad actor” must be accounted for in our supply chain discussions. The recent article published by Bloomberg regarding malicious hardware chips in servers shines a bright light on the threat facing our IT supply chain. Direct access to components serves as a powerful and low-profile attack vector for foreign entities to subvert systems they will eventually compromise. While the full extent of that reported incident is still being verified (and the companies named in the article have publicly disputed its claims), there is no doubt that serious threats from the supply chain exist, and we must be ready to face them. The supply chain has been listed at the top of several cyber security threat lists in both the public and private sector.

How do we change this? We start at the beginning. Threats FROM the supply chain must be discussed early, written into procurement requirements, and tracked throughout the entire supply chain cycle. The manufacturers, distributors, value added resellers, government, public, and private companies must all understand their role in keeping our hardware and software safe. Customers buying IT equipment must insist on strong supply chain security practices. They must look at IT equipment not as low-cost commodities but as potential cyber threats.

Supply chain danger can be mitigated with holistic supply chain risk management (SCRM) practices and a focus on measurable, verifiable, and auditable data: documented chain of custody from fabrication to delivery, authorized distribution channels, and the ability to prove where a component came from. Several U.S. federal agencies are already leveraging contracts specifically designed to deal with supply chain threats. All companies supplying IT equipment should be held to high supply chain security standards. We need widespread adoption of programs and standards such as DMEA (Defense Microelectronics Activity) trusted supplier accreditation, ISO 28000 (security management systems for the supply chain), and ISO/IEC 20243 (the Open Trusted Technology Provider Standard, Mitigating Maliciously Tainted and Counterfeit Products) for our supply chain to keep up with the unrelenting cyber-attacks.