On Day 2 of the Institute for Supply Management’s 103rd annual conference, ISM CEO, Tom Derry, hosted a panel on the topic of cyber security, globalization, and supply chain risk management. The panelists were Keith Alexander and John Brennan – two big names in cyber security, intelligence, and national security.
Alexander is a retired four-star general who served in the US Army for 40 years, most recently as the Director of the National Security Agency (NSA) between 2005 and 2014 and the first Commander to lead US Cyber Command. He retired from military and government service in 2014 and is now Founder and CEO of IronNet CyberSecurity. Brennan is a career-long intelligence professional, having served as a Near East and South Asia analyst at the Central Intelligence Agency (CIA) for 25 years before leaving in 2005 to become CEO of The Analysis Corporation (TAC). But he returned to government service in 2009 to become Assistant to the President for Homeland Security until 2013, when he was appointed to be the sixth director of the CIA, serving until January 2017. Brennan is now a senior intelligence and national security analyst for NBC and MSNBC.
It is telling that for the third time in four years, ISM invited former military and intelligence leaders to speak at its annual conference (Robert Gates, former Director of Central Intelligence and Secretary of Defense spoke in 2015, while Gen. Colin Powell, former Chairman of the Joint Chiefs of Staff, National Security Advisor, and Secretary of State, spoke in 2017). The world is getting scarier and more dangerous every year, and it is a world in which supply management professionals need to lead and execute their own missions. There are myriad threats out there, from terrorism, piracy, and regional instability, to the threat of trade wars, currency wars, and actual wars between nations, to malignant cyber actors that are almost always a few steps ahead of the good guys.
And as cyber/IT security threats infiltrate organizations via their supply base, Chief Procurement Officers (CPOs) and their lieutenants have been increasingly on point to manage what used to be inherently and exclusively the responsibility of the Chief Information Officer or Chief Information Security Officer. So, who better to talk about the ever-evolving cyber security threat landscape than two experienced intelligence professionals? The first installment of this article series discussed the general cyber threats that public and private-sector organizations face and what they are doing (and need to do more of) to prevent and prepare for these kinds of attacks. Today’s article, the second of two, will pivot a little to talk about specific cyber threats and actors, and what the public-private sector response ought to be.
Industrial Espionage
John Brennan discussed how in hostile countries like China, companies are established with loose affiliation to their intelligence agencies to pursue and steal foreign intellectual property (IP) in order to replicate it. In other cases, the government will exert control over small startups and use them as instruments to gain access to foreign networks and steal IP.
One thing that Mr. Brennan noted was the tendency for CEOs to delegate responsibility for ensuring the security of their systems to their CIOs and CISOs. But unless CEOs are aware of the threats and risks that vendors and third parties pose in terms of cyber security, they may not prioritize, allocate resources, or hire to appropriately address these threats. For those with liberal arts degrees, Mr. Brennan strongly suggested “becoming as familiar as possible” with the cyber security threat landscape and taking as much advantage as possible of the digital environment that is growing by leaps and bounds.
“Just watching what China has done to our economy over the last 13 years, since I got to NSA and beyond,” said Gen. Alexander, “is the greatest transfer of wealth and industrial theft of IP.” He made a point to say that the Chinese government, unlike the Russian government, is not engaging in this activity to hurt the US economy or undermine its institutions. “They’re doing it to fuel their economy. They don’t want to hurt us, they just want to steal what you have” so that they can use it for competitive advantage. Organizations have been defending themselves against foreign adversaries, like China, hacking into their networks and stealing their IP for quite a while; unfortunately, they will need to continue to do so.
Gen. Alexander mentioned Huawei, the Chinese telecommunications provider, as an example of stolen IP turned into a competitive advantage and ultimately lost market share. “If you go way back,” he said, Huawei “stole [its designs] from Cisco. So Huawei is Cisco, and now they’re competing globally by doing it cheaper.” More pointedly, “we do all of the research and engineering and then they steal it.” These kinds of behaviors, he said, warrant pushback from our own government. “We need to fix our defense.” For example, “the Chinese can get into your network by providing [industrial] switches to us that they can use to gain access.”
Speaking of gaining access, although Gen. Alexander sees value in Blockchain distributed digital ledgers, especially for recording transactions and organizing records, he cautions that hackers can use them “as a foothold” to pull digital currencies from the ledger and skirt US or international finance laws. They can also use Blockchains as another way to blackmail or extort victimized businesses and individuals; cyber thieves can pose as legitimate trading partners, win network trust, and once they gain access, they can obtain IP and exacerbate existing data and IP protection challenges. “There has to be some oversight,” he said, adding that he also worries about Blockchains’ exponential data creation every time transactions are recorded. “How big does it get before it gets untenable?” he asked.
As for Brennan, he believes that organizations are in “a fascinating, invigorating environment, but it’s also very scary.” As a result, “we need to ask ourselves and our governments how we’re going to take advantage of all of this innovation while keeping us safe from all the bad actors in the world.”
Final Thoughts
For nearly an hour, the crowd of more than 3,000 supply management leaders, practitioners, and research analysts watched two veteran public servants talk candidly about the breadth and depth of cyber (in)security in today’s business environment. Although managing cyber and IT risk is not at the top of the CPO’s job description, the world is literally full of compromised organizations (as the General said, if you don’t think you’ve been hacked, you’re wrong but you don’t know it yet). It may be difficult to find any organization that has not experienced even a minor cyber incident. Compromised suppliers operate and transact among us, and with us, often unaware of the silent threats lurking in their IT infrastructure. And in the process, they expose enterprises to a host of cyber threats, from basement-dwelling hackers to state-sponsored actors to hostile foreign intelligence agencies trying to steal IP and rehearse shutting down critical infrastructure. You don’t need to work at the CIA or NSA to practice good cyber hygiene and ensure that your supplier base does the same. You just need to be vigilant, be collaborative, and be proactive.