The Supply Chain Problem and Cyber Security

The Supply Chain Problem

A few weeks ago, an article from Nextgov, a website dedicated to “how technology and innovation are transforming the way government agencies serve citizens and perform vital functions,” described recent efforts by DHS to address cyber security risks as they relate to supply chains. The article quotes Jeanette Manfra, the head of DHS’s Office of Cybersecurity and Communications, who explained that “[t]he program’s major goals are to identify the greatest supply chain cyber threats, figure out if there are technical ways to mitigate those threats and, if not, figure out other solutions.” But other than barring companies with weak supply chain security from government contracts, the article mentioned no other solutions. Below I look at what a cyber security supply chain policy might encompass.

One of the more prominent supply chain incidents in recent memory involved Hewlett Packard Enterprise (HPE), which, in an effort to expand its business, let a Russian defense agency review the source code of a product called ArcSight.[i] The problem, however, is that ArcSight is heavily relied on by the Pentagon.[ii] It is a “cybersecurity nerve center” that sends alerts when it detects a potential attack on a network.[iii] The product is also used widely by private sector companies.[iv] By allowing Russia to scrutinize the program’s source code, HPE not only created a vulnerability for the United States but exposed that vulnerability to the most notorious cyber threat to the U.S. in recent years.

Another example of the cyber supply chain problem occurred several years ago with the United States Air Force. The Air Force had contracted with a vendor in an Asian country to produce hardware for one of its systems.[v] When the hardware arrived in the U.S. and was reviewed by the Air Force, however, it found that the chips contained an extra transistor. While the chip performed its intended function, the Air Force could not determine what else the part would do with the extra transistor. As a result, that batch of hardware was disposed of and never installed.

These two examples highlight the breadth and depth of the challenges regarding supply chains and cyber security. Supply chain security implicates hardware and software, public sector and private, and in these two instances, Asia and Russia. The Air Force was fortunate enough to find the altered specifications in its hardware, and reports so far suggest no harm has come from Russia’s ArcSight review.

Every point in every supply chain presents a potential weakness for that product’s cybersecurity. Every individual who comes into contact with any component piece of hardware or software is a potential threat. The threats to the supply chain include:[vi]

  • Installation of hardware or software containing malicious logic
  • Installation of counterfeit hardware or software
  • Failure or disruption in the production or distribution of critical products
  • Reliance on a malicious or unqualified service provider for the performance of technical services
  • Installation of hardware or software that contains unintentional vulnerabilities

All of these create potential weaknesses that can be exploited at a later point in time. A vulnerability could be exploited to steal sensitive information: whatever data a program handles, a compromised copy of it could quietly send that data to a third party. A vulnerability planted by a nefarious actor somewhere in the supply chain could also be a switch that lies dormant until activated, at which point it disables the system. Depending on what system that might be, the consequences could be devastating.

Two major concepts underlie the cyber supply chain security issues in the United States: (1) the United States technology sector is dependent on hardware components manufactured all over the world; and (2) the United States government is heavily dependent on commercial off-the-shelf software products.

The United States, both its government and its private citizens, has become increasingly dependent on an intricate global economy. This is particularly true when it comes to technology, as the cost of manufacturing in the U.S. has led to increases in outsourcing. For example, the production of one iPhone involves component parts made in the U.S., South Korea, Taiwan, Japan, and Germany that are all ultimately assembled in China.[vii] The diagram below shows a similar analysis for a standard laptop, whose component parts may come from as many as twenty different countries.

If the U.S. cannot efficiently produce handheld cell phones without the help of the global market, it certainly cannot build weapons and defense systems on its own. The federal government relies heavily on contractors for both sensitive national security products and its day-to-day functioning. The federal government spent over $500 billion on contractors in the year 2012.[viii] The Department of Defense accounted for 70% of that number, or $350 billion.[ix] The actual number of contractor employees the government currently employs remains unknown.[x]

The U.S. government and military in particular rely heavily on commercial off-the-shelf (COTS) products. The military relies on COTS software for data storage, networking, and, as the ArcSight incident showed, security.[xi] These applications are used across the military’s functions, including command and control, communications, intelligence, and surveillance, among others.[xii] One market analyst projected that while the overall market for C4ISR will remain flat, the amount spent on COTS applications will continue to increase.[xiii]

One problem with COTS is evident in the ArcSight incident. A private company whose main goal is to maximize profits will naturally try to expand its share of the market. Thus, the very same product used by the Pentagon will also be in the hands of not just American corporations in the private sector but also foreign businesses and governments. One report highlights five distinct reasons why COTS products are high risk when it comes to cyber security:[xiv]

  • COTS software presents an attractive point of attack – Cracking the security measures imposed by the “experts” is a better prize for attackers, and these breaches typically garner more attention.
  • COTS products are well known and widely available – These systems are easily obtained both for experimentation and for finding a live deployment to attack. Moreover, vulnerabilities in these products are frequently shared among black hat hackers.
  • It is difficult to verify the security of COTS products – Purchasers have to rely on the reputation of the vendor and are typically not able to inspect the source code or otherwise verify its security.
  • COTS software vendors have very limited liability – Customers typically agree to purchase terms that waive liability for vendors.
  • COTS software is generic – The applications are rarely designed to address the specific needs of the purchaser and thus do not address every vulnerability relevant to that purchaser’s environment.

It is nearly impossible to verify the integrity of an entire supply chain. This is true regardless of the product at issue, whether it is hardware, firmware, or software. Every time you purchase or acquire a product, you assume some level of risk when it comes to that product’s quality and security. As a purchaser, you likely have a direct relationship only with the participants in your immediate supply chain. What you cannot see is who supplied your suppliers, who supplied their suppliers, and so on.[xv]

Likewise, it is nearly impossible to verify the integrity of an individual product or component part. The difference between a product built to the appropriate specifications and one that has been altered could be, quite literally, microscopic. For example, the extra transistor that the Air Force found in that set of chips was visible only under a microscope. The same can be said of any piece of software and its code: a tiny alteration can create a major vulnerability. Between the detailed level of inspection that would be required and the sheer number of products, a security review of every individual product is not a realistic option.
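To make the software half of that point concrete, here is an added example (mine, not code from the article or from any source it cites) of the one integrity check a purchaser can run cheaply at the end of a supply chain: comparing each received artifact’s SHA-256 digest against a digest the supplier published separately. The artifact names, contents and manifest are constructed for illustration. The example shows that flipping a single byte in a 1,024-byte artifact is caught, and that missing or unexpected artifacts are flagged too. The caveat is the article’s own point: a matching digest proves only that you received what the supplier shipped, not that what the supplier shipped is free of vulnerabilities or malicious logic.

```python
import hashlib
import hmac
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of the artifact bytes, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample artifacts standing in for what a supplier shipped.
GOOD_ARTIFACTS: Dict[str, bytes] = {
    "sensor-firmware.bin": bytes(range(256)) * 4,          # 1,024 bytes
    "siem-agent.tar": b"constructed archive contents\n" * 32,
}

# The supplier's published manifest: artifact name -> expected digest.
# In practice it must arrive over a channel separate from the artifacts
# (or carry a signature); otherwise whoever alters the artifact in
# transit can alter the expected digest to match.
MANIFEST: Dict[str, str] = {
    name: sha256_hex(data) for name, data in GOOD_ARTIFACTS.items()
}


def verify_delivery(manifest: Dict[str, str],
                    delivered: Dict[str, bytes]) -> List[str]:
    """Return a list of problems; an empty list means every artifact
    named in the manifest arrived and hashes to the published digest,
    and nothing arrived that the manifest does not name."""
    problems: List[str] = []
    for name, expected in manifest.items():
        data = delivered.get(name)
        if data is None:
            problems.append(f"missing: {name}")
        # compare_digest avoids leaking where the two hex strings diverge.
        elif not hmac.compare_digest(sha256_hex(data), expected):
            problems.append(f"digest mismatch: {name}")
    for name in delivered:
        if name not in manifest:
            problems.append(f"unexpected: {name}")
    return problems


def flip_one_byte(data: bytes, offset: int) -> bytes:
    """Simulate a minimal in-transit alteration: one bit in one byte."""
    altered = bytearray(data)
    altered[offset] ^= 0x01
    return bytes(altered)


def demo() -> tuple:
    """Run the check on an untouched delivery and on one altered by a
    single bit; returns (problems_clean, problems_tampered)."""
    clean = dict(GOOD_ARTIFACTS)
    tampered = dict(GOOD_ARTIFACTS)
    tampered["sensor-firmware.bin"] = flip_one_byte(
        tampered["sensor-firmware.bin"], 512)
    return verify_delivery(MANIFEST, clean), verify_delivery(MANIFEST, tampered)


if __name__ == "__main__":
    ok, bad = demo()
    print("untouched delivery:", ok or "all artifacts match the manifest")
    print("one-bit alteration:", bad)
```

The check is cheap because it scales with the size of the artifacts, not with the difficulty of understanding them; that is exactly why it cannot answer the harder question of whether the supplier’s own code, or an extra transistor in the supplier’s own design, is benign.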

Building a Policy Solution

The first step in trying to remedy supply chain cyber security issues is to consider how to increase the security itself. I identify four main options below.

  • Increased Domestic Manufacturing. The U.S. is unlikely to change the global economy and shift all the world’s manufacturing to the U.S. While bringing jobs back to the U.S. is common political rhetoric, it is unlikely to occur on a scale that would drastically affect supply chain security. Regardless of its likelihood or efficacy, increased manufacturing in the U.S. is one potential policy option for improving supply chain security.
  • Vet Individual Component Parts. A second option would be to vet every component product in every supply chain. Regardless of where a component originated, it could be reviewed for vulnerabilities and weaknesses. An alternative would be to review only a portion of components and products that are deemed to be the most critical. Again, this would be a nearly insurmountable task. Massive amounts of time and money would be spent for a negligible gain in security.
  • Eliminate or Minimize COTS. A third possibility would be to eliminate or minimize the use of COTS. As explained above, COTS products are a prime target for attackers and have several weaknesses. Designing and implementing unique products would raise costs but increase security. After all, any increase in security will not come without a price.
  • Find a technological solution. Another option is to find a technological solution. This is well beyond my expertise, but the option has been explored previously. One proposed solution to the Air Force’s problem was an algorithm that would detect behavior inconsistent with what a component was designed to do.[xvi] If such a technique could be developed, it would be a cost-effective means of vetting products.

The second step would be to determine the scope of the policy. That is, we must consider what the exact target of the policy is. I again broke this down into four major options, starting with the most expansive approach and narrowing in scope from there.

  • The Entire Country. The first option would be to try to achieve perfect security throughout the entire country. This could be done either by attempting to create a perfectly secure supply chain or to implement a review process at the end stage of each chain. As discussed above, shifting manufacturing to the U.S. or vetting components is completely impractical. The costs of any of these endeavors would be exorbitant.
  • Government Supply Chains. The second option would be to focus on just the government’s supply chains. Companies and individuals would be left to conduct their own risk-utility analysis and decide whether a certain product was worth the risks that come with it. The government could then focus on securing its own supply chains and protecting the national interest in that way. But this still presents a major challenge. Even setting the private sector aside, the U.S. government is a massive entity. Further, its heavy dependence on COTS means that the government’s supply chains are inherently intertwined with those in the private sector. Thus, any attempt to secure the government’s supply chains while leaving the private sector to fend for itself would still be futile.
  • National Security and Military Supply Chains. The third option is to secure only the most vital and most sensitive supply chains that the government relies on, i.e., the national security and military supply chains.[xvii] Focusing time and energy on securing the most critical supply chains would be a more tractable task than the previous options. The supply chains for military intelligence, weapons systems, and the like are the ones that could lead to the greatest harm to the U.S. if vulnerabilities were inserted and exploited. The military and national security apparatus is still a massive entity with an enormous number of supply chains, but the scope of this challenge is manageable given the high stakes if nothing were done.
  • Do Nothing. The final option is to do nothing. Decision makers could come to the conclusion that the problem is simply too complex to attempt to fix or that the market may develop a solution on its own. While the do nothing option is often the default choice given the current state of politics, it is not a realistic option. The potential harm that could result from the lack of supply chain security is too big to ignore. If no action is taken, it is not a question of if, but when, a supply chain vulnerability leads to a catastrophic cyber incident.

The third and final step is to determine how the policy will be implemented and enforced. Here, I identify three options.

  • Legislation. The first option is Congressional action, but legislation is a lengthy process that may never come to fruition. Even hot-button issues rarely make it through the deliberative process, so something as mundane as supply chain security likely won’t garner enough attention to motivate Congress.
  • Executive Order. The second option would be for the President to issue an Executive Order detailing what is required of the aforementioned national security and military agencies. This would allow for a coherent, top-down policy established with a stroke of the President’s pen. Executive Orders, however, are often general statements, and gaps would have to be filled in through administrative regulations.
  • Administrative Agencies. The third option is to let those same national security and military agencies issue their own regulations. The downside would be a disjointed policy across agencies. Moreover, agencies may not feel a sense of urgency to implement the policy and could drag their feet.


I think the best cyber supply chain security policy would come in the form of an Executive Order that focuses only on national security and military departments and agencies. As far as the substance of the policy, I think it can incorporate several of the security-advancing strategies discussed above. The Executive Order should have three major components:

  1. The appropriate national security and defense agencies should be prohibited from buying COTS applications. Instead, contractors working with the national security community should be required to offer a “military grade” version of their products that cannot be sold anywhere else.
  2. The Executive Order should mandate that preference in awarding contracts be given to those private companies that can verify the integrity of their supply chains. Verifying the integrity of the chain would involve an analysis of where the product was made and if, when, and by whom the product was ever examined for potential vulnerabilities.
  3. The Executive Order should mandate research into a potential technological solution that may aid in this process.

I believe an Executive Order of this nature would establish a coherent policy that focuses resources in an effective manner on the most critical portion of the United States government.

[i] “Special Report: HP Enterprise let Russia scrutinize cyberdefense system used by Pentagon,” Reuters (Oct. 2, 2017).

[ii] Id.

[iii] Id.

[iv] Id.

[v] The facts of the Air Force narrative are from a series of conversations with Professor William C. Snyder, who had substantial knowledge of that situation’s details.

[vi] Id.

[vii] Cyber Supply Chain Security: A Crucial Step Toward U.S. Security, Prosperity, and Freedom in Cyberspace, Heritage Report (Mar. 6, 2014).

[viii] Letter from Douglas W. Elmendorf, Director, Congressional Budget Office, to Chris Van Hollen, House Committee on the Budget (March 11, 2015).

[ix] To break that number down even further, DOD spent 42 percent of its contract funds on services, 49 percent on products, and the remaining 10[sic] percent on research and development. Id.

[x] The number of individuals employed as contractors may simply be too large to calculate across the entire federal government. See Alyah Khan, “How many contractors does it take to make the government work?” Washington Technology (July 11, 2011) (explaining that individual agencies do not maintain head counts of how many contractors they employ). The federal government produces a yearly report of its Top 100 contractors. This report is a good indicator of just how expansive government outsourcing has become. Federal Procurement Data System, “Top 100 Contractors for FY 2015.”

[xi] “Use of COTS components on the rise in U.S. military communications and surveillance applications,” Military Aerospace.

[xii] Id. Command, control, communications, computers, intelligence, surveillance, and reconnaissance are collectively known as “C4ISR.”

[xiii] Id.

[xiv] Craig Miller, Security Considerations in Managing COTS (revised May 14, 2013).

[xv] GAO-12-361, IT Supply Chain: National Security-Related Agencies Need to Better Address Risks.

[xvi] Conversation with Professor William C. Snyder, supra note 5.

[xvii] Probable candidates for this would include the Department of Defense, the Intelligence Community, and the Department of Justice, among others. This still leaves a huge amount of work. It would likely be necessary to choose specific programs and products within those agencies and departments to further narrow the scope and make the policy goals more attainable.

