Key findings of the RAND Corporation report include:
- Cyber-related risks could be worse and different from other types of supply-chain risks
- Preventive measures are insufficient
- Cyber supply chain risk management (SCRM) needs more than an amalgam of cyber and SCRM
- Private-sector risk management may not meet national security requirements
Researchers found that cybersecurity and supply chain risk management are often at odds. Understanding those trade-offs will allow the Defense Department to secure its supply of defense industrial products, according to the RAND report.
The results are not intuitive. In conventional SCRM, a supply chain is typically made less risky by adding more suppliers and bringing in more businesses. From a cyber perspective, however, every added participant is another point of attack: more members bring more vulnerabilities, and because they connect to the same chain they also bring shared vulnerabilities.
When assessing cyber-related risks, the researchers found that the damage cyberattacks can inflict on supply chains is significantly worse than, and different from, the damage conventional hazards pose to defense industrial products. It can unfold over time while remaining completely invisible, or the consequences can be immediate.
The researchers also found evidence that the private sector may not invest enough in cybersecurity to meet national security needs, because the business environment and the national security environment differ significantly in what they are willing to pay to reduce risk.
The new report came out at the same time the Defense Department released its proposed regulations for the Cybersecurity Maturity Model Certification (CMMC). The program is designed to help the Defense Department assess whether contractors and subcontractors meet cybersecurity requirements when sensitive, unclassified information is shared on their networks.