As a fellow at ICIT and co-author of the book “Securing the Nation’s Critical Infrastructures: A Guide for the 2021-2025 Administration,” I was honored to be asked to speak at the RSA Conference 2023 in San Francisco on the topic of “Digital Supply Chain Security: What Happens When an Organization's Trusted Solutions Can No Longer Be Trusted?” Many thanks to SafeBreach for sponsoring the event and for hosting the reception and book signing afterward.
Joining me were Joyce Hunter, the accomplished executive director of ICIT, who was appointed by President Barack Obama as the deputy chief information officer for policy and planning at the Department of Agriculture, serving as both co-author and moderator, and Jerry Davis, a distinguished cybersecurity expert with a wealth of experience in the public and private sectors. Jerry has held key positions at the U.S. Department of Veterans Affairs (VA) and NASA, focusing on cybersecurity in transportation, both ground and space-based. As a fellow at ICIT, he shared his expertise on these topics. The format was a fireside chat, with thought-provoking questions expertly moderated by Joyce.
Together, we talked about the following:
- The current state of digital supply chain security
- The importance of supply chain integrity to cybersecurity, national security, and critical infrastructure
- The impact of cybersecurity on agriculture and transportation
- The challenges involved in securing the supply chain, and some specific examples of supply chain attacks
- Recommendations for the future, including national responsibility and how government can engage
One of the key aspects of supply chain attacks is their ability to compromise systems on a large scale. For example, the recent multi-level supply chain attack on 3CX demonstrated how one compromised vendor could be leveraged to infiltrate the next vendor in the chain. While supply chains are often perceived as linear, they are, in reality, complex webs of interconnected products and services.
Supply chain attacks fundamentally undermine trust, as the targeted organizations inherently trust their vendors and grant them access to sensitive systems or information. These attacks exploit this trust, causing damage even when the organization believes it is dealing with a trusted supplier.
It was fantastic to connect with Joyce and Jerry at the RSA Conference 2023, and I thoroughly enjoyed the conversations we had both before and after the speaking event.
ICIT stands for the Institute for Critical Infrastructure Technology, America’s cybersecurity think tank. It is a non-profit organization focused on cybersecurity research, education, and advocacy. ICIT aims to provide objective, non-partisan information to legislators, federal agencies, and critical infrastructure leaders on cybersecurity issues and emerging threats. They offer resources and expertise to help develop effective policies and practices for securing critical infrastructure sectors, such as finance, healthcare, energy, and transportation.
The Institute for Critical Infrastructure Technology (ICIT) is the nation’s leading 501(c)3 cybersecurity think tank providing objective, nonpartisan research, advisory, and education to legislative, commercial, and public-sector stakeholders. Its mission is to cultivate a cybersecurity renaissance that will improve the resiliency of our Nation’s 16 critical infrastructure sectors, defend our democratic institutions, and empower generations of cybersecurity leaders. ICIT programs, research, and initiatives support cybersecurity leaders and practitioners across all 16 critical infrastructure sectors and can be leveraged by anyone seeking to better understand cyber risk, including policymakers, academia, and businesses of all sizes that are impacted by digital threats.
About the book:
Securing the Nation’s Critical Infrastructures: A Guide for the 2021–2025 Administration is intended to help the United States Executive administration, legislators, and critical infrastructure decision-makers prioritize cybersecurity, combat emerging threats, craft meaningful policy, embrace modernization, and critically evaluate nascent technologies.
The book is divided into 18 chapters that are focused on the critical infrastructure sectors identified in the 2013 National Infrastructure Protection Plan (NIPP), election security, and the security of local and state government. Each chapter features viewpoints from an assortment of former government leaders, C-level executives, academics, and other cybersecurity thought leaders. Major cybersecurity incidents involving public sector systems occur with jarring frequency; however, instead of rising in vigilant alarm against the threats posed to our vital systems, the nation has become desensitized and demoralized. This publication was developed to deconstruct the normalization of cybersecurity inadequacies in our critical infrastructures and to make the challenge of improving our national security posture less daunting and more manageable. To capture a holistic and comprehensive outlook on each critical infrastructure, each chapter includes a foreword that introduces the sector and perspective essays from one or more reputable thought leaders in that space, on topics such as:
- The State of the Sector (challenges, threats, etc.)
- Emerging Areas for Innovation
- Recommendations for the Future (2021–2025) Cybersecurity Landscape