The Global Threat of Cyberattacks on Supply Chains
Professor Matthew Waxman brought together national security experts, including Sen. Angus S. King Jr., for a conversation on threats to supply chains from foreign actors and potential legal and legislative fixes.
Late last year, news that Russia hacked SolarWinds—a U.S. IT management company whose clients include the U.S. Department of Homeland Security and the National Institutes of Health—made headlines and brought to light how infiltrating the global supply chain could be a more effective and cheaper way of compromising government information than hacking a government agency itself. The United States’ reliance on rivals, including China, for critical resources and technology used in supply chains also poses major risks to U.S. national security. So how can the United States and other countries address cybersecurity vulnerabilities in the supply chain? And how can we better respond to threats in the future?
In December, Matthew C. Waxman, Liviu Librescu Professor of Law and chair of Columbia Law School’s National Security Law Program, moderated a virtual discussion with three leaders of the U.S. Cyberspace Solarium Commission (established by Congress in 2019) to delve into issues related to cybersecurity and supply chain security: Sen. Angus S. King Jr., I-Maine, co-chair; David Simon, pro bono chief counsel; and Erica Borghard, senior director and a task force lead. “These speakers have been wrestling for a long time with these challenges,” says Waxman, “and the SolarWinds hack couldn’t have better highlighted the urgency and dangers.”
Among the many participants were students from the Cybersecurity, Data Privacy, and Surveillance Law seminar, which examines how the law adapts—or fails to adapt—to meet the challenges of new technologies. Waxman co-teaches the course with Daniel Richman, Paul J. Kellner Professor of Law. Columbia Law School alumni practicing cybersecurity law also attended.
Here are takeaways from the discussion:
On why the commission chose to focus on supply chain security:
Sen. Angus S. King Jr.: I think the underlying reality is that the supply chain for practically any product or service today is global. It’s an international issue. And so you’re almost by definition vulnerable. . . . One of the most significant cyber threats that we face is . . . supply chain of software. A U.S. software company [SolarWinds] was infiltrated, apparently, we believe, by the Russians. And then through the vector of that software company, federal agencies, state agencies, private sector businesses, everybody’s potentially affected. . . . If your supply chains are international, then you’re subject to the risk of a country that may not have beneficent motives toward us.
On challenges of identifying issues in supply chains:
David Simon: Many, many organizations . . . will be asking questions of all the vendors and their own company: “Do we use SolarWinds?” “Which of our vendors do?” It’s actually very difficult for companies in many cases to have basic answers like that, particularly for large global enterprises. And so if a company has a hard time answering that question (“Do we use this?”) how is the government supposed to figure out what the implications are across the supply chain in the critical infrastructure context?
Erica Borghard: The DOD [U.S. Department of Defense] doesn’t have a complete picture of its supply chain. There’s no mechanism that’s in place at this time that requires prime defense contractors, for instance, to share information with the DOD about their subcontractors. And so it needs to be a priority to get to a more complete and more holistic picture of what the DOD supply chain looks like so that you can begin to develop a strategy to mitigate risk in critical areas. And that will only be possible through some combination of requirements and incentives that are placed on the defense industrial base.
On legislative priorities to address supply chain security:
King: Probably the most important one that’s in [the 2021 National Defense Authorization Act] is the creation of a national cyber director in the executive office of the president—appointed by the president and Senate confirmed. . . . And that’s a big deal because one of the problems with our federal response on this issue is that we have silos. They’re really good silos, but they’re still silos. And there needs to be some overarching authority to hold the entire federal government effort in some kind of coordinated way and also hold them accountable. . . . There are also recommendations . . . to strengthen CISA—the Cybersecurity and Infrastructure Security Agency, which is the sort of focal point of a lot of federal security and cyber policy as it relates to the outside world and particularly the private sector in the United States.
On preparing for future attacks:
Borghard: The DOD, I think, should give more attention to the extent to which our military forces can securely operate in a compromised or degraded environment and think about how we invest in resilient and redundant capabilities. Securing the IT supply chain will be a multi-decade significant investment and will span multiple administrations. And in the meantime, I think we should expect that disruption and compromises will continue to occur. So while we’re working on securing the supply chain, we need to think about incorporating a resilience mindset and expecting these things will happen, and being able to anticipate, withstand, rapidly recover, and learn from these incidents as they take place.
On imposing consequences for attacks like SolarWinds:
King: We can’t patch our way out of this. The adversaries are too clever and there’s too much vulnerability and it’s just so widespread. There has to be a deterrent piece of this. And that’s what a part of [the commission’s] report focused on. . . . Russia—if they’re behind [the SolarWinds hack] and it does the damage that we think it’s going to do—should pay a price. If they don’t, they’ll keep doing it. That’s just common sense. And historically, we have not imposed costs on our adversaries for this kind of attack.
Simon: We could talk all day about how there’s actually not that much international law of cyber, but there are other thresholds. What if the U.S. government and other allies and partners were to come together and speak more publicly and transparently around the legal framework and the thresholds to make it clear that there are guardrails, there are lines and there could be consequences? I think that could make a difference.
Excerpts from the discussion have been edited and condensed.