Government’s supply chain risk is drawing more attention than ever, Capitol Hill aides say

Supply chain risk is one of the main things keeping cybersecurity-focused government officials and partners up at night, speakers said at a conference Wednesday in Washington, D.C.

The possibility of vulnerabilities being introduced into government networks through a piece of foreign-made hardware or software has spooked agencies into thinking more about how to work with vendors, congressional staffers and government security contractors said at the KNOW Identity Conference.

The federal government has cracked down lately on what it sees as risks from foreign technology companies such as Kaspersky, Huawei and ZTE. The potential problems go much deeper than that, the speakers said.

Vulnerabilities deep in a service’s supply chain can be difficult for either the government or the vendor to detect and can be exploited by hackers. Simply trusting vendors to do the work isn’t enough, said Nick Leiserson, legislative director for Rep. Jim Langevin, D-R.I., said.

“The idea that we’re just going to work with prime contractors and hope that they’ve managed their own supply chain risk … is going away,” Leiserson said. “There is increasing awareness in the federal government and in Congress that third-party risk is an enormous problem.”

Dan Prieto, a strategic executive for Google Cloud’s public sector services, said that risk in many cases stems from scaling an organization’s IT infrastructure without implementing consistent security measures across the board.

Google last week acquired FedRAMP certification for its cloud services, giving federal agencies more access to its services. Prieto acknowledged that Google is late to the game as it competes with the likes of Amazon and Microsoft, but said that that’s because the company has been focusing on making security consistent across its cloud platform.

“One of the reasons we were behind the curve on getting [the certification] is because we certified FedRAMP our entire global cloud platform. So our interests are fully aligned with government customers because the public cloud that serves the government is the cloud that serves YouTube and Search and Maps,” Prieto said. “Scale works and does not increase complexity if there is consistency among the entire fabric. And I believe Google provides that because we provide it for ourselves. So as they say, we eat our own dog food.”

When it comes to coordinating with third parties on managing cybersecurity risk, officials also worry about how transparent contractors are when responding to data breaches.

Jessica Wilkerson, a professional staff member on the House Energy and Commerce Committee, said that in the wake of several major breaches —naming Equifax and the Office of Personnel Management — Congress is expecting more transparency from organizations that manage a lot of sensitive data.

“It’s no longer acceptable, I think, to come and say ‘Hey don’t worry about it, Hill. We know that all this technical stuff is really confusing for you, but we’ve taken care of it, and you don’t need any of the dirty details,'” Wilkerson said. “We don’t accept that as an answer anymore. We need the transparency. We need the conversation. If you have an incident that involves the government … we need to know why. We need to know how. We need to know what you’re doing to fix it.”