Cybersecurity was much more than a buzzword at ISM2018, as procurement professionals packed several related sessions earlier Tuesday to learn more about how they can build a defense against this intangible threat.
Throughout these presentations, a common theme emerged. Procurement may be facing numerous cyber risks as it expands its supply base complexity and adopts interconnected software systems, but it never does so alone. Rather, procurement sits at the nexus of a large number of actors who all have a stake in the security of their IT operations.
This unique position also puts procurement in full view of the evolving threats entering the supply chain. Just as procurement is opening the business to an increasingly globalized economy, it is also learning how foreign companies and governments are exploiting weaknesses in IT infrastructure, gaining access to consumer data and intellectual property in the process.
The geopolitical level of this threat means procurement now needs to construct a truly resilient cybersecurity strategy. To do that, the function will need to tap its strengths in relationship management to get internal stakeholders, suppliers and the federal government all on the same page, coordinating these parties to proactively identify vulnerabilities and collectively mitigate threats as they arise.
Nature of the Threat
Cybersecurity today presents an enormous risk to supply chains. As Zachary Rogers, assistant professor of operations and supply chain management at Colorado State University, explained in a CAPS Research session Tuesday, the total cost of cyber breaches is expected to reach $2 trillion in 2019, a 144% increase from merely $18 million in 2010.
This is in large part due to the increasingly complex nature of corporate supply chains. While many in the broader business community assume that cybersecurity rests solely in the domain of IT and the CIO, this is no longer the case, Rogers said. A growing number of cyberattacks today happen not because enterprises haven’t put necessary IT security systems in place but because of the indiscretions of suppliers one step down the supply chain.
One poignant example Rogers mentioned was Target’s 2013 breach. In this case, Target’s HVAC supplier, Fazio Mechanical Services, was victimized by malware-laced emails. A small company compared with its household name customer, Fazio’s cybersecurity measures consisted of a free version of anti-virus software.
The offenders were able to obtain the login credentials of Fazio employees through compromised emails, which the hackers then used to access Target’s supplier portal, posing as Fazio. While inside Target’s system fraudulently, the hackers stole credit card data for millions of consumers and cost the retailer $162 million in the process.
This cybersecurity parable is the most common kind of breach CAPS found in its study of the risk. The method, known as the “supplier backdoor,” makes sense from a criminal perspective. Hackers are looking to “figure out the path of least resistance,” Rogers said, and “often it goes straight through a supplier” without the means or protocols necessary to defend against an attack.
So even if IT is on top of its own cybersecurity strategy, technology alone will not be enough. Just as a supply chain is only as strong as its weakest link, a cybersecurity network is only as sound as its least secure node.
Part of the reason companies’ far-flung supply chains have become less secure is because the adoption of technology has increased faster than policies to keep it safe. As retired Gen. Keith Alexander, former director of the National Security Agency, explained in a keynote conversation Tuesday with former CIA director John Brennan, mediated by ISM CEO Tom Derry, even companies that have a proactive mindset toward cybersecurity can have numerous vulnerabilities that they haven’t even thought of.
At the heart of the issue is the sheer number of systems that companies must now track for known threats, as well as continuously scan for new vulnerabilities. Consider, for example, that the number of apps available for the iPhone in 2010 totaled around 170,000. Today, iPhone users have their pick of more than 6 million options.
Because of this, even companies that are doing a decent job preparing a cybersecurity strategy can still be exposed. Alexander, who now does consulting on the subject in the private sector, said that one 2,500-person company he worked with had 50 different systems in place to detect breaches. Yet Alexander’s analysis still identified more than 400,000 additional vulnerabilities the company hadn’t yet addressed.
A Geopolitical Threat
As the amount of technology available, along with the data created by this technology, doubles every two years, so too does the potential for breaches. But perhaps even more concerning is that companies are not facing off against just malevolent hacker groups. Rather, their more daunting threats are other international corporations and rogue foreign states.
China and Russia are the two most prominent threats Alexander and Brennan focused on in their discussion.
With China, the major risk is loss of intellectual property, as manufacturers and technology companies there try to gain a competitive edge over their American counterparts without investing the time and dollars in R&D to do so independently. Remedies are harder to come by, however, as the U.S. and Chinese economies are deeply integrated.
“We’re not going to be able to separate our economic fortune from a country like China,” Derry said of the potential risks. “So it will be necessary to allow for nuances in policy there.”
Russia presents fewer economic barriers to action but a frustratingly complex approach to threat mitigation. As Brennan explained, Russia likely executes its cyberattacks by collaborating with organized crime rings to both augment the government’s own capabilities and also operate more covertly.
Because the attacks are not always coming from government institutions, it can be difficult for security agencies to identify the instigator behind an attack. This gives countries like Russia plausible deniability, since it keeps the party that authorizes an attack separate from the party that executes it.
“We can’t yet tell if a state leader like Putin authorizes such attacks or if they are run independently,” even if the state is somehow involved, Brennan said.
Relationships at the Heart of Cybersecurity Strategy
Because of the nation-state level of this threat, both Alexander and Brennan emphasized the need for stronger public-private partnerships between industry and government.
In the system they imagine, both former officials said the government would maintain its responsibility to take the lead in cybersecurity, while industries would help create the regulatory and information sharing structures that will help the government manage threats more effectively.
Alexander compared the situation with airspace regulation. For air traffic, radar constantly scans an area to make sure planes don’t crash into each other. In cyberspace, however, data flies around even faster and to many different places. Yet cyberspace is not secured or regulated the same way airspace is, so the government has little visibility into how companies are passing information back and forth, weakening their ability to stop cyber planes from colliding before it’s too late.
The challenge, of course, is building a mutually beneficial relationship that would allow both parties to cooperate. Corporations may be glad to have the extra cybersecurity support, but not if that support is also looking to read up on what the business is doing while it’s in the system.
“It’s not the technology that is the big hurdle but building the trust necessary to get governments and companies to work together,” Derry said.
Given that an increasing share of cybersecurity threats emanate from the supply chain, procurement organizations may be a key player in establishing that trust.
Just as when managing suppliers, procurement will have to define what its desired relationship with government agencies will be, where it will work with IT to set up permissions for access and how it will share information about suppliers with the government when partners are compromised.
Accordingly, strengthening the relationship with internal IT groups and aligning objectives with them will be essential for procurement to handle cyberattacks. When working with potential suppliers, particularly those offering software services, it is essential that IT has its say in the selection process, so that it can put potential providers through the wringer and help define the security requirements that should go into supplier contracts.
The increased need for complex supplier management requirements has thus made supplier relationship management software an even more critical capability for procurement organizations. Cybersecurity preparedness should become an important part of supplier scorecards as this threat evolves, CAPS’s Rogers said, just as sustainability became a focus for procurement groups 10 years ago. The results of doing so could be compelling.
Case in point: Target was not the only large retailer that used Fazio for HVAC services. Walmart was a customer, too. But whereas Target gave all of its suppliers equal levels of access to its systems using their login credentials, Walmart took a more fine-grained approach, allowing suppliers to access only areas of its business that they directly served.
A more proactive vendor management approach prevented a hacked Fazio from breaking into Walmart’s systems. The result: $0 lost in the process.
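The contrast between the two retailers' supplier-portal designs comes down to an authorization policy. The following added example (not code from the article or from either retailer; portal area and supplier names are constructed) models both policies side by side and audits how far a single compromised supplier credential could reach under each:

```python
from dataclasses import dataclass, field

# Constructed example: a supplier portal with two authorization models.
# "coarse" mirrors the approach the article attributes to Target (any valid
# supplier login reaches every area); "scoped" mirrors the Walmart approach
# (a supplier reaches only the areas it directly serves). All names are hypothetical.

PORTAL_AREAS = {"work_orders", "invoicing", "pos_network", "customer_data"}

@dataclass
class Supplier:
    name: str
    service_areas: frozenset = field(default_factory=frozenset)

def coarse_authorize(supplier: Supplier, area: str) -> bool:
    """Coarse model: a valid supplier credential is enough for any area."""
    return area in PORTAL_AREAS

def scoped_authorize(supplier: Supplier, area: str) -> bool:
    """Scoped model: the credential only reaches areas the supplier serves."""
    return area in PORTAL_AREAS and area in supplier.service_areas

def blast_radius(supplier: Supplier, authorize) -> set:
    """Areas that anyone holding this supplier's credential could reach."""
    return {a for a in PORTAL_AREAS if authorize(supplier, a)}

def audit_over_privileged(suppliers, authorize) -> dict:
    """Per supplier, list reachable areas beyond what it actually serves.

    An empty report means every supplier is held to least privilege."""
    report = {}
    for s in suppliers:
        excess = blast_radius(s, authorize) - set(s.service_areas)
        if excess:
            report[s.name] = sorted(excess)
    return report

# Constructed suppliers: an HVAC vendor that only needs work orders and
# invoicing, and a point-of-sale vendor that needs the POS network.
HVAC_VENDOR = Supplier("hvac_vendor", frozenset({"work_orders", "invoicing"}))
POS_VENDOR = Supplier("pos_vendor", frozenset({"pos_network", "invoicing"}))

if __name__ == "__main__":
    for label, policy in (("coarse", coarse_authorize), ("scoped", scoped_authorize)):
        print(label, "reach for hvac_vendor:", sorted(blast_radius(HVAC_VENDOR, policy)))
        print(label, "over-privileged:", audit_over_privileged([HVAC_VENDOR, POS_VENDOR], policy))
```

Under the coarse policy the HVAC vendor's credential reaches the POS network and customer data it has no business need for; under the scoped policy the audit report is empty.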