Historically, Federal agencies have been instructed to be secretive on cyber matters, but a key step in fortifying the software supply chain is clear and constant information sharing, according to Jeanette McMillian, the assistant director for Supply Chain and Cyber at the National Counterintelligence and Security Center.
McMillian emphasized that constant information sharing is important not just amongst Federal agencies but for industry as well.
“Over the past year, we’ve already seen substantial cyberattacks against critical infrastructure and supply chains,” McMillian said during her keynote address at an Intelligence & National Security Alliance event on April 26.
“But why are [bad actors] using cyber? Because that is where the data is and in today’s day and age data equals money, and software is the ATM for data,” McMillian continued. “So, we must fortify the chain, the supply chain.”
Given that the cyber risks to the software supply chain can be catastrophic, Federal agencies and organizations across industries must take immediate steps to improve security and risk posture to prevent attacks. The good news is that the Biden-Harris administration is working on defining standards to manage software supply chain risk and there are calls for mandating cyber security practices across critical infrastructure.
However, cyber, according to McMillian, is not a solitary fight. Not only should Federal agencies work with one another to defend their systems, but industry must be a part of this too.
“I’ll be the first one to admit that information sharing needs to be improved across the board because it is a critical factor in our ability to defend the supply chain,” McMillian said.
The government is in the supporting role to the information and communication technology industry, the network defenders, and the critical infrastructure owners and operators who need to be supported with information to mount a solid defense. Not only does the Federal government need the private sector on their cyber team, “we need them ready to bat.”
In addition to information sharing with organizations across industries, McMillian highlighted legislative measures, such as the Secure Technology Act, that help fortify information-sharing efforts within the Federal enterprise.
Congress also instructed the intelligence community, specifically the Director of National Intelligence, to standardize information sharing across the Federal government on supply chain risks, counterintelligence risks, and cyber security risks. These congressional measures also ensure that information is provided to Federal acquisition professionals across the government.
“If we want to realize the full potential of cutting edge technologies like quantum and AI, we must fortify the supply chain. If we want to protect critical infrastructures like water, oil, gas, or electricity we must fortify the supply chain. If we want to safeguard access to healthcare and boost supplies, we fortify the supply chain. And if we want to realize the full potential of the cyber domain, we must fortify the chain,” McMillian concluded.