Federal supply chain security threats are growing, and government and industry alike are directing more attention to reducing risks. Some, including Jeff Moore, senior vice president, Sterling Computers, believe the reseller channel is particularly vulnerable and needs significantly more attention.
MeriTalk spoke with Moore to explore Federal supply chain pain points and strategies to mitigate cybersecurity risks. With more than 17 years in the industry, Moore has gained first-hand knowledge of reseller community risks and steps Federal contracting officers and buyers could take to better evaluate reseller partners and purchases.
MeriTalk: The CISA Information and Communications Technology Supply Chain Risk Management Task Force recently released a report identifying over 190 supplier-related threats. What are the biggest threats?
Jeff Moore: The task force covered a wide range of potential threats, from cyber hackers, to counterfeit or tainted gray market products with nefarious code, to economic threats, like theft of intellectual property. These threats all come with varying degrees of complexity and unique risks.
While you can never completely reduce risk, they each have a different mechanism for mitigating that risk.
From a reseller perspective, obviously we all face cyber threats, whether that is phishing attempts, or ransomware. But the reseller channel is particularly vulnerable, given the totality of the data we manage in our institutional knowledge or databases. While there have been some efforts to address this vulnerability, we need more.
There are thousands of Federal resellers with varying degrees of cybersecurity maturity. We are just now coming to grips with the totality of the data we manage that can be vulnerable for those who wish to do us harm. Resellers are more vulnerable to attack due to a lack of sophistication of our protection mechanisms.
MeriTalk: Can you elaborate on what makes the reseller channel more vulnerable to attack?
Jeff Moore: The reseller channel is the last mile, connecting the Original Equipment Manufacturer (OEM) to the end user customer. It is probably the weakest link in the chain. You have varying degrees of size and capability, and different levels of awareness of the threats.
The large OEMs all have robust supply chain practices, but when it gets to the reseller community, that is the easiest place to attack as many don’t have the resources to combat a lot of this stuff. They don’t understand it; and quite honestly, in some cases the reseller is two guys in a garage who can become a reseller and start selling products to the DoD. The barrier of entry is so low. There is often economic pressure to behave inappropriately. We see it on a daily basis.
I’m a long-suffering Nebraska Cornhuskers fan, so to use a football analogy, if you are going to attack, you go after the left guard who is a walk-on kid, a sophomore who is undersized, and you are going to put your best defender on him, and wreak havoc with the rest of the offense because you have exploited the weakest link in the chain.
Consider: they only have to be right once; we have to be right every time.
MeriTalk: As Federal buyers evaluate resellers and build out the reseller ecosystem, what factors should they consider?
Jeff Moore: From a strategic sourcing initiative, there needs to be a close relationship with vendors, balancing fair competition with the need to protect your data and IT environment. You need to know your resellers.
Right now, contracting officers may not have clear visibility into their entire supply chain. Agencies need to vet end user suppliers to better understand the total risk.
It starts with more time educating and training contracting officers and buyers to look beyond just the bill of materials and part number. Start by considering your reseller partners on the following points:
- Ownership structure and sourcing methodologies;
- If the seller is an authorized reseller of the OEM;
- Whether the seller has International Organization for Standardization (ISO) certifications or Cybersecurity Maturity Model Certification (CMMC) (planned for release in 2020); and
- If the seller has met the Open Trusted Technology Partner Standard (O-TTPS).
Eventually, the Federal community might consider creating reseller-specific ISO certifications to establish a standard level of security for the reseller channel.
MeriTalk: Can you talk about the Trade Agreements Act (TAA) and why TAA compliance ensures supply chain security?
Jeff Moore: I’m not sure it does, to be honest. In some instances, it provides a false sense of security. TAA compliance means that you’re going to bring all these components from another country, and “substantially transform” the components into a complete device.
This criterion begins to mitigate risk. It’s harder to insert improper devices, code, etc. in a TAA compliant product – but that doesn’t mean that the memory, chip, drive, or other components haven’t been tampered with prior to getting to their location.
Some vendors who are duly authorized to sell a specific product will co-mingle an unauthorized product with genuine articles. You’re never going to be able to tell from the outside of the box whether a component was or was not assembled and modified in a trade-compliant country. Often, we see that the part number is exactly the same, so how is the CO or Logistics Coordinator supposed to know?
MeriTalk: Do you have other recommendations to build trust, resiliency, and security?
Jeff Moore: Resiliency and trust are developed over time. But the challenge is that there are thousands of resellers and suppliers out there to evaluate. How do we get to them all?
OMB is working toward minimizing the number of large-scale, agency-wide contracts out there to whittle down the number of suppliers and better manage the threat landscape.
There also needs to be a free-flowing list of information for industry and government to alert each other of bad actors and repeat offenders, participate in more aggressive self-reporting, and share best practices among resellers, manufacturers, and the entire industry ecosystem.
We’re all hyper-competitive, and typically don’t like to share our secret sauce. But, in this instance, we need to move beyond our own self-interest – it is a collaborative responsibility.