Yesterday I had the pleasure of attending “Supply Chain Security – Do you know who your insiders are?” by Bob Hutchinson, Senior Manager, Sandia National Laboratories’ Information Security Sciences Group.
The key aspect of his presentation that I took away was the National Labs’ ability to control and prevent compromise of the Nuclear Weapons supply chain. And that the lessons learned from almost 7 decades of experience could be applied to the supply chain risk of Information Technology. We’ve solved most problems before it simply takes effort to find where.
This analogy led me to investigate a bit more and I discovered Bob’s statement to the United States House of Representatives Committee on Energy and Commerce, Subcommittee on Communications and Technology. His 4 key points are:
- While strategic data theft of intellectual property and national secrets has become a focus recently do not lose sight of the malicious data modification threat.
- Examine and be aware of your Information Technology aspects of your supply chain; from the software applications and patches to the sub-components of each piece of hardware (and it’s obvious supporting software -firmware).
- While developing the manner and mechanism for Cyber information sharing between Government and Industry there must be a strategy associated with it. This strategy could then be used to assist in an adversary “self-identifying.”
- Identifying the Nation’s noted “profound shortage of qualified cyber security experts.” He adds that having been tasked by DoE, Sandia to has built “a program that’s more like a medical residency than a trade certification” and that this model is much more appropriate to creating the requisite cyber security experts for the nation.