Norwegian cyber command warning against supply chain exploitation for F35 project

The Norwegian general Inge Kampenes (chief of the Norwegian CYFOR, the cyber branch of the Norwegian armed forces) gave a speech on the evening of Monday 20.02.2017 to Oslo militære samfund, where he warned against supply chain threats to large military investments. He used the F35 program as an example, and stressed that threat actors may choose to target civilian and military organizations further back in the supply chain in order to threaten the integrity and confidentiality of the project. The military must therefore keep the entire value chain in mind when assessing the cyber threats related to procurement.

Aerial refueling of F-35 Lightning II Joint Strike Fighters at Eglin AFB, Fla.
F35 fighter jets require a large number of systems on the ground, ranging from military equipment in the field to administrative IT systems. Breaches in the supply chains to these supporting systems may degrade the performance of the organizations and systems supporting F35 operations. Photo by Mstr. Sgt. Donald R. Allen, US Air Force (public domain).

This follows several recent media accounts of poor sourcing decisions leading to significantly reduced security for important functions in Norway. One was the Statoil case from 2014, where Indian consultants had access to the production IT systems of a refinery and managed to shut down the refinery's production by mistake. Another story that recently broke in the media was that the administration of the Norwegian emergency communications network for emergency response units (police, fire departments, ambulances and the authorities) had been contracted to another Indian IT operator – with no form of background checks or security clearance checks – in breach of Norwegian security laws.

The general is obviously right to be worried about supply chain risks. Suppliers are outside of your direct management control, and this is particularly true for large and complex value chains: the deeper you go in the web of suppliers and subsuppliers, the less influence and control you have over their practices. This has to be handled through contract requirements, auditing and a common understanding of priorities. Understanding the risk context is key to prioritizing the right controls – and this is at the core of supply chain threat management.

Key points the general should preach to his colleagues:

  • The project needs a procurement policy covering all purchases, including how suppliers in turn shall handle their own suppliers. This policy should be made mandatory for the entire project organization: the project owner must be the one calling the shots.
  • The project needs a competence management plan for information security that covers both internal and external interfaces.
  • The project needs a risk and vulnerability study that covers supply chain effects: suppliers may be targeted due to their activity in other risk contexts, with the project's security suffering as collateral damage.
  • The project should plan for coordinated security monitoring in the operations phase where applicable, and plan response accordingly. Patch management should be part of the delivery plan.

2 thoughts on “Norwegian cyber command warning against supply chain exploitation for F35 project”

  1. The United States is in the process of implementing these types of regulations for defense and government subcontractors. If you’re interested, the cybersecurity standard written for it is called NIST SP800-171.
