Supply Chain Risk Management is a Serious Problem

Those of you who know me personally know that I have a “thing” about Supply Chain Risk Management (SCRM).  Turns out that I am not alone.  Folks as important as the Pentagon now have a whole process related to SCRM.  This even includes a soon-to-be-official list of vendors that are off limits if you want the Pentagon to use your products.

I have written an alert in the past about SOFTWARE supply chain risk management.

Now the big story is HARDWARE supply chain risk management.

Last week Bloomberg News released an investigative story that they worked on for over a year (see here) that said that in 2015 testers discovered a chip on certain boards of computer manufacturer SuperMicro.  These boards do specialized video processing used by companies like Apple and Amazon (and the Pentagon).  The chip, about the size of a grain of rice, was supposedly added by the Chinese during manufacturing and its purpose was to collect data and send it back to China.

*IF* true, that would be a serious problem.

Apple and Amazon denied knowing anything about it, but Bloomberg is standing by its story and says that several national security officials confirmed the story to them.

Supposedly, after the spy chip was found, the Pentagon started a top secret investigation.

Whether this particular story is true or not, the problem still remains.  If not this computer, then some other computer.  The fact that people are denying it is not a surprise and doesn’t mean much.

Since a very large percentage of computer chips and electronics are manufactured in China, the concept is pretty reasonable.  After all, most companies that contract out manufacturing to firms in China only care that their equipment works and not whether it has any extra added features.

If you process sensitive information on computers you SHOULD be concerned.  Likely, if someone – China or elsewhere – is spying on you, they are going to want to export that data.  That is probably the hardest thing to hide.  Unsophisticated hackers might try to send it directly to their country, and if you are looking carefully at the communications going out you might find that, but smarter hackers would likely take an indirect route.  Maybe they would send it to a server at Amazon.  Or even Facebook or Dropbox.  There are lots of ways to disguise it.
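Added example, not code from the original alert: a small Python script that applies the “look carefully at what goes out” idea to constructed proxy-log lines, comparing each host’s upload volume to a destination against its peers so an unusually large transfer to an ordinarily innocuous cloud service stands out. The log format, the sample lines and the threshold factor are assumptions.

```python
from collections import defaultdict
from statistics import median
from urllib.parse import urlsplit

# Constructed sample proxy log lines: client_ip method url bytes_sent
SAMPLE_LOGS = """\
10.0.1.5 POST https://www.dropbox.com/upload 2048
10.0.1.5 GET https://www.example.com/news 512
10.0.1.7 GET https://www.example.com/news 480
10.0.1.7 POST https://www.dropbox.com/upload 1024
10.0.1.9 POST https://www.dropbox.com/upload 52428800
10.0.1.9 POST https://www.dropbox.com/upload 41943040
10.0.1.9 GET https://www.example.com/news 600
"""

def parse_logs(text):
    """Yield (client, destination host, bytes_sent) from the assumed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        client, _method, url, nbytes = line.split()
        yield client, urlsplit(url).hostname, int(nbytes)

def egress_by_host(records):
    """Total bytes each client sent to each destination: {host: {client: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for client, host, nbytes in records:
        totals[host][client] += nbytes
    return totals

def flag_outliers(totals, factor=10):
    """Flag (client, host, bytes) where a client's egress to a host exceeds
    factor x the median egress of the other clients to that same host.
    A destination with a single client has no peer baseline and is skipped."""
    flagged = []
    for host, clients in totals.items():
        for client, nbytes in clients.items():
            peers = [v for c, v in clients.items() if c != client]
            if peers and nbytes > factor * median(peers):
                flagged.append((client, host, nbytes))
    return flagged

def find_exfil_candidates(text, factor=10):
    return flag_outliers(egress_by_host(parse_logs(text)), factor)

if __name__ == "__main__":
    for client, host, nbytes in find_exfil_candidates(SAMPLE_LOGS):
        print(f"{client} sent {nbytes} bytes to {host}: far above peers")
```

In real use the baseline would be built from days of history rather than one batch, and the peer set would be hosts in the same role, so that a build server uploading to a CDN does not look like a workstation doing the same.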

Bottom line – if you work in an industry that handles sensitive data (defense comes to mind, but so does healthcare and finance), this is a problem that you really cannot ignore.  It could come back to bite you and bite hard.

If your supply chain attacks you, pleading ignorance will NOT get you out of either fines or lawsuits.  It is your problem.  Depending on how your contracts are written, you may even have to reimburse your suppliers for costs that they experience as a result of a breach!

Companies that are contractors or subcontractors to the Navy need to pay attention to a new directive.  As a result of the Sea Dragon breach, the Navy is immediately adding security requirements to many UNCLASSIFIED contracts.

Even if you are not in one of these sensitive industries, we have seen time and again that hackers are compromising both software and hardware to get inside your company and steal your intellectual property and your customers’ data.  Just ask Google Plus about those 500,000 users.

So what should you be doing?

First of all, you need to have a vendor CYBER risk management program in place.  That means a policy.  With procedures.  And people who are ACCOUNTABLE for the program.  Probably some money too.

Second, you need to review your vendor contracts to make sure there is not a clause in them that requires you to indemnify them in case of a breach – that they cause.

You need to review your cyber insurance policy.  I just reviewed one this week and found some interesting exceptions where you get to pay the premium but if your vendor has a breach, you have no coverage unless you do certain things.

If you don’t already have CURRENT data maps that show all of the places data flows, where it is stored, who is responsible for it and who can access it – get that on the to-do list now.  Use that to assess your risks.

Many companies have a vendor risk management program in place, but that is different from a vendor CYBER risk management program.

Give us a call if you need help with this.

Source: Wired.