The national cybersecurity threat level is evolving, and government officials are calling on industry to better secure the internet of things and connected devices as they continue to enter government networks.
Securing devices starts with focusing on each component and subcomponent of the end product when building a critical infrastructure, according to Dean Souleles, chief technology officer for the National Counterintelligence and Security Center in the Office of the Director of National Intelligence.
“You have to think of the supply chain because this all comes down to what we’re purchasing, or what we’re putting into our facilities,” Souleles said in a panel at the Institute for Critical Infrastructure Technology Forum on June 7 in Washington, D.C. Part of this means having a supply chain risk management process that includes software supply chain.
Every component of a product becomes a vector vulnerable to cyber threats. From a national security perspective, the private sector is then, too, a target of nation-state actors.
“It is really incumbent on us as a community to come together and think about that,” Souleles said.
Yet, Souleles admits, “government can’t do a lot” to close these vulnerabilities along the supply chain. It can influence through its purchasing power and ensure contracts include cybersecurity regulations or requirements, but Souleles added, “It really is up to industry to figure out a way…I would challenge [industry] to find a way to turn cyber safety of your product and services into a brand.”
Mike Buchwald, career attorney in the National Security Division of the Justice Department, said tackling these threats also comes down to a “push and pull” concept.
“How can we push and educate the private sector at the same time that you all are educating the government,” he said on the panel. The government needs to learn about how industry is using IoT and about threats as they evolve, and push the private sector to adopt some baseline security standards.
The “pull” lies with federal procurement dollars. Buchwald reminded the audience of the potential influence the government can wield based on its enormous technology budgets. The government should have input into how connected devices should be secured. Buchwald is talking with other agencies and departments to explore how to use that purchasing power to change the marketplace and get people thinking about security.
“From the top of your organization to the bottom of your organization, from the CEO to the service desk, you have to make this concept of protecting critical infrastructure a core mission value,” Souleles said
Economics 101 teaches an infinite number of people have a hand in the production of a simple pencil, each vulnerable to a cyber threat. Securing the weakest link in the supply chain is difficult, but crucial to securing the final product.