- BlogInfoSec.com - https://www.bloginfosec.com -

Outsourcing, Supply Chains and (National) Security

For all intents and purposes, the terms “outsourcing” and “supply chain” are used interchangeably and refer to when you are dependent on a third party for providing products and services. However, there are many examples of internal sourcing (or “insourcing”), where supply chains consist of entities and processes under the direct internal control of an organization, and these should be considered along with external suppliers, especially when they are not co-located. We consider any situation that includes some form of dependency to be within the scope of this discussion of how such dependencies might endanger physical and cyber security, particularly relating to national security.

The coronavirus pandemic has laid bare the downside with respect to outsourcing critical products and services internationally by U.S. companies and government agencies. These revelations were bound to come to light eventually—the pandemic has merely accelerated and intensified the security threats from such ill-advised activities. Some of us have been waving red flags for decades about the cybersecurity risks of global outsourcing (and of outsourcing in general).[i] But it took the pandemic catastrophe to raise concerns sufficiently for action. Now, we are seeing a slew of articles bemoaning our failure to consider and allow for personal and national security consequences due to farming out vital manufacturing and services to third parties both domestically (especially foreign-owned companies) and in other parts of the world.

The initial obvious risk was that of depending on predominantly Asian countries for medical PPE (personal protection equipment), i.e., surgical masks, gowns, gloves, etc., for critical medical equipment such as ventilators, swabs, reagents and more, and for life-saving medications, particularly generic pharmaceuticals. While such deficiencies are profoundly serious and have cost many lives, they pale in comparison to threats on critical infrastructure and military systems.

I recall an article by John Markoff in The New York Times of October 26, 2009, with the title “Old Trick Threatens the Newest Weapons,” in which the reporter notes that “… the Pentagon now manufactures in secure facilities run by American companies only about 2 percent of the more than $3.5 billion of integrated circuits bought annually for use in military gear.” Markoff goes on to write that “… current and former United States military and intelligence agency executives … argue that the menace of so-called Trojan horses hidden in equipment circuitry is among the most severe threat [to national security].” That was more than a decade ago. Surely, we are in much worse shape today.

As increasingly bellicose confrontations between the U.S., China and other countries have evolved, it appears that the Administration suddenly became aware of the U.S. dependency on foreign products that are integral to the operation of the electrical grid. This resulted in the May 1, 2020 Executive Order (EO) 13920[ii] on securing the American bulk power system. The EO suggests bringing back to the U.S. the manufacturing of power-grid equipment that has been outsourced abroad.

While the EO is an important step in moving towards self-sufficiency with respect to critical power systems, it indicates a lack of understanding of the scope, difficulty, cost, time, and effort involved. An article on the problems of bringing manufacturing back supports the idea that this is a huge, multi-hundred-billion-dollar project that could span many years.[iii]

There are equally, if not even more, disturbing deficiencies in supply chains—not only in the susceptibility of supply chains to disruptions, but also reliance on products and services crucial to our national security. My book[iv] calls out many of the risks associated with outsourcing, particularly as they relate to information security (now more commonly known as cybersecurity). It is clear from how global outsourcing has evolved that many of these risks have been ignored. Here is a selection of examples of the risks covered in the book:

There are others, of course, but these capture the essence of what I was trying to get across. When you outsource manufacturing and services, you take on risks that you may not have even considered. If you had, you may not have made the decision to outsource certain critical capabilities, particularly if there were an impact on national security.

A vital takeaway from our experiences with the pandemic is the recognition that personal security and national security need to be considered when any outsourcing decision is made. Even if it takes much more money and effort than would ignoring these issues, it can end up much less costly in lives and independence. By allowing so much of our manufacturing capabilities to be in the hands of others, who might become adversaries at any point in time, we have given up much of the security needed to remain an independent country. Let us hope that the lesson has been learned and that we will move with alacrity to shore up our defenses.

[i] C.W. Axelrod, Outsourcing Information Security, Norwood, MA: Artech House, 2004.

[ii] Executive Order 13920, May 1, 2020. Available at https://www.federalregister.gov/documents/2020/05/04/2020-09695/securing-the-united-states-bulk-power-system

[iii] W.C. Shih, “Bringing Manufacturing Back to the U.S. Is Easier Said Than Done,” April 15, 2020. Available at https://hbr.org/2020/04/bringing-manufacturing-back-to-the-u-s-is-easier-said-than-done

[iv] Op. cit.