Page 6 - cdm-2014











Amidst the ongoing discussions about the security and resilience of our nation’s critical
infrastructure and information systems, one of the topics getting the most attention is the
security of the supply chain for the information and communications technology (ICT) sectors.
We all recognize the importance of ensuring the physical security of our nation’s most important
assets, such as airports, dams, and railroads.

However, we also must ensure a strong foundation to protect the technology infrastructure that
underpins these mission-critical systems, through supply chain assurance and product integrity.
Given the global nature of today’s supply chain and the diverse array of suppliers, vendors, and
partners, this challenge is increasingly difficult.

A significant element of the challenge is the culture that evaluates government procurement
professionals based on their ability to meet cost and schedule provisions of a project, without
always considering the integrity or authenticity of the products and services being acquired.

The result is that acquisition decisions are too often driven solely by price, which may point
procurement professionals to online brokers or other untrusted and unauthorized sources in
order to meet cost and schedule provisions. The acquisition of untrusted hardware and software
increases risk and can create enhanced opportunities for cyber intrusions by criminal
organizations and nation-state actors. This increased and unnecessary risk can result in the
acquisition of counterfeit, tainted, and even malicious equipment that can threaten the security
of mission-critical systems and our national defense.

Unfortunately, these are not hypotheticals. There are real-life examples of U.S. government
agencies buying hardware products from untrusted and potentially nefarious sources. One
example is from 2012, when a defense agency procured what it thought were new Juniper router
interface cards from an unauthorized reseller.

When the products arrived at the agency, a visual inspection indicated that the interface cards
appeared to have been compromised. A subsequent investigation revealed that the seller had
taken used Juniper equipment, repackaged it, and sold it to the government as new.

The answer to this challenge of supply chain security is not a constant harangue pointing the
finger at industry. What is required is an acknowledgement that security, including supply chain
security, is a shared responsibility.

Both government and industry have important roles in achieving a more secure and resilient
cyber environment, including the ICT supply chain.

Given the national and economic security implications of the issue, government and industry
each must address supply chain risk management holistically. At Juniper Networks, supply
chain assurance is a component of our overall product integrity program.
