9 December 2015

Supply Chain Security

You would probably be surprised to know what a logistical feat it is to manufacture a smart phone. The base materials are mostly silicon, plastic iron, aluminum, copper, lead, zinc, tin, and nickel. There are also a number of rare earth elements that are present in small amounts but are integral for the phone to function: neodymium, dysprosium, and many lanthanide elements. Once these materials have been collected and processed, they need to be made into the phone itself. After the phone is built, it must be programmed with the software that lets it run. The vast majority of this process takes place outside of the United States—with the assembly and initial programming usually happening in Asia and the base materials coming from all over the world—and it constitutes just a small part of the global supply chain that underlies a huge portion of our information technologies. It is truly an incredible feat of logistics, and every step of the process is vulnerable to events that can damage both the product and the enterprise.

To begin with, the base materials for most modern technologies are mined or in the developing world. This can sometimes lead to companies running afoul of international labor standards. These compliance issues usually result from operators on the ground mistreating workers in the developing world in order to keep costs low. Apple has come under fire for this on several occasions, including after a 2014 BBC report accused Apple’s assembly plants in China of perpetuating inhumane working conditions and its tin suppliers in Indonesia of using child labor. Apple has been able to avoid serious reputational harm from these criticisms, but not every organization will be able to do the same. Ensuring compliance with labor standards is an essential part of managing supply chain risk and protecting one’s business.

There is an even larger problem that can arise from the use of third parties. Third party companies are an intrinsic part of many supply chains, but they represent a considerable point of vulnerability. A given organization may take its cybersecurity very seriously, but if it is working with a third party that does not, then hackers can use the latter to access the former. The Office of Personnel Management hack is an excellent example of this. OPM used a third party contractor, KeyPoint Government Solutions, to manage some of its work processes. The hackers who would eventually breach OPMfirst breached KeyPoint, and by doing so, they gained access to the credentials which allowed them to access information about millions of American citizens. A weakness in the security of any part of a supply chain can ripple the rest of the way down, and organizations need to take that into account in order to properly manage their risk.

There is also a more malicious threat to supply chains in the form of bad actors that are able to embed themselves into the production process itself. In the cyber realm, this kind of threat manifests through bad actors putting malware into the pre-installed software of the device itself. Android encountered this exact problem in 2014, when it was discovered that the Netflix app that was pre-installed on some of their phones was actually forwarding credit card information and passwords to Russian cyber-criminals. Just as with unsecured third parties, problems like this can have a strong effect on consumer confidence in a product and could potentially have implications on national security, given the amount of defense-critical information technologies that are constructed outside the U.S.

Due to these and other threats, supply chain management is an essential part of maintaining the overall security of an enterprise. 

Luke Penn-Hall is the Cyber and Technology Producer at The Cipher Brief.

No comments: