State and local procurement staff must diversify their supply chains, mitigate third-party risks and create transparency in their systems by identifying and prioritizing the protection of their most important assets, experts say.
State and local procurement officials must understand they have a crucial role in protecting technology supply chains from cybersecurity attacks, two experts said during a podcast hosted by the National Association of State Procurement Officials (NASPO).
The professional procurement officers are "the tip of the spear" for addressing this threat, Russell Porter, a senior executive at the National Counterintelligence and Security Center (NCSC), said during a recent “NASPO Pulse Podcast.”
News reports about third-party risk in the supply chain have been rampant. Dugan Petty, education and outreach coordinator for NASPO and former CIO for Oregon, noted that more than 3,000 articles have been published about the SolarWinds hack since it happened in 2020.
“We now know that our contracting avenue has become a threat vector for attacks,” Petty said. “Eighteen thousand customers unknowingly installed malicious code with a trusted supplier that’s a good supplier. That’s shined a light on something that’s been around forever, it just hasn’t been exploited.”
Porter said these activities are part of what’s known as the Gray Zone that includes things such as election meddling, assaults on critical infrastructure, disinformation campaigns and propaganda – anything that undermines confidence and trust in democracy.
Although these threats weren’t blinking red on his radar when he worked in state and local government, they should be now, Porter added.
“I want to disabuse people of the notion that federal or state or local governments are not of interest to foreign intelligence threat actors,” he said.
Almost a year ago, President Joe Biden issued the “Executive Order on America’s Supply Chains,” calling for a complete review of supply chain risks and recommendations to address them, and although that’s intended for federal agencies, state and local ones can apply it, too.
“We know local and state governments don’t have the capabilities of, say, the U.S. intelligence community to understand the plans, capabilities and intentions [of foreign threats], but we can bring at a strategic level that kind of awareness to this conversation,” Porter said.
That’s why partnerships between procurement and counterintelligence official are crucial. NCSC focuses on threats from nation-states and foreign intelligence agencies and works to ensure that it conveys its understanding of what the threats are and the tools these groups use to carry them out.
“Just good advice generally is to take a good risk management approach … to make sure organizations are resilient,” Porter said. For instance, agencies should diversify their supply chains, mitigate third-party risks and create transparency in their systems by identifying and prioritizing the protection of their most important assets.
State and local entities can take advantage of other federal-level guidance from the National Institute of Standards and Technology, which has released several publications and case studies on the cybersecurity supply chain. One in particular that Petty called out is a draft revision of “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations,” released last October.
Petty said procurement officers should review that guidance and then ask if they “need to establish a cyber risk management framework in your office and understand … what the half-dozen elements of that would be. Then you should do a high-level assessment in conjunction with the state [chief information security officer to determine] what your risk levels are with your suppliers. That would give you some idea of where you want to go next.”
He also recommended putting into contracts specific controls designed to protect the supply chain that would flow down to third-party suppliers. Additionally, continuous monitoring will help ensure that what a contractor promised at the outset is still happening months or years later.
“There’s something everybody can do to help make sure the world’s a safer, better place,” Porter said. “Don’t just think about them, do them.”
Stephanie Kanowitz is a freelance writer based in northern Virginia.