Understanding Threats to the Public Sector IT Supply Chain

November 29, 2018

The U.S. government’s software and hardware supply chain is a complex, globally sourced entanglement of code and components from third-party manufacturers and service providers, potentially creating a vast exploitable attack surface. Since third-party components are often baked into mission-critical applications or servers, security managers may be deterred from auditing them in order to avoid downtime.

As a result, Flashpoint has decided to examine this issue in depth. Our latest research paper, Understanding Threats to the Public Sector IT Supply Chain, addresses the security risks innate to the public-sector IT supply chain and their effect on the integrity and availability of federal systems and data. The report also examines recent examples of these risks manifesting, provides an overview of essential regulatory guidance and oversight, and reviews ongoing legislative efforts to curtail these risks.

Supply-chain vulnerabilities in particular have contributed to a number of attacks that have brought critical services to a standstill. For example, in October 2016, the Mirai DDoS attacks that led to the shutdown of a number of high-profile websites and critical web-based services were fueled by a vulnerability attributed to an upstream supplier of IoT device components. For public-sector entities, the potential disruption caused by successful exploitation of a supply-chain vulnerability could have disastrous economic and national-security ramifications.

Geopolitics is also a concern for the country’s public-sector IT supply chain, particularly because a large number of third-party IT suppliers and manufacturers are based in countries with which the U.S. has, or has had, a history of tense relations. Beyond cyber espionage, other areas of concern pertaining to overseas suppliers and manufacturers include varying regulations, differing levels of government oversight, and, in some countries such as Russia and China, limited privacy rights.

Such risk is unacceptable for the federal government, and efforts are currently underway to mitigate it through a mix of policy, processes, and technology. As a result, on Oct. 30, the U.S. Department of Homeland Security established the nation’s first task force for managing the risk of foreign adversaries, hackers, and criminals targeting government entities through contractors, subcontractors, and suppliers.

Our paper covers all of these issues and more, including a list of risks the U.S. government has deemed unacceptable, as well as a review of existing regulatory guidance and pending legislation addressing supply-chain risks.

For the full Flashpoint analysis, download the report.