By Phil Reitinger
In the movie Cool Hand Luke, the Captain tells Luke, a prisoner on a chain gang, that he’ll get used to the chains after a while. When Luke replies, “I wish you’d stop being so good to me, Cap’n,” the Captain beats him down and tells him, “What we’ve got here is failure to communicate.” This reminds me of how we often handle third-party and supply-chain cyber risk.
There are two approaches, which are in fact equivalent. One is for the purchaser of products or services to impose requirements by regulation or contract. The other is to ask the supplier to fill out a long and often burdensome questionnaire so that the purchaser can review it and make a judgment about risk, and then to require the supplier to buy cyber insurance in case things go awry. These can be and are used together. Both are all stick and no carrot. In both schemes, the supplier feels enslaved, is beaten down, and doesn’t really change its security posture at all to reduce the risk to the purchaser (which is what the purchaser really wants the most). Moreover, the purchaser doesn’t get a good grasp of risk across its third parties and supply chain, especially when looking at the risk imposed by second- and third-tier suppliers. What we have here is failure to communicate, and failure to use the information that communication would provide to take real action to reduce risk across an entire value chain.
There is a better way, especially for small and medium-sized businesses.
First, imagine we made it easier for small and medium-sized businesses to take real action to reduce cyber risk both for themselves and for the companies that depend on them. Wonderful small business guidance is already available from multiple sources but remains very hard to put into practice. We need to get these businesses over the hump of implementing good practices, rather than just reading about them. They need “operationalized guidance,” a set of step-by-step instructions along with the actual tools they need to be more secure. Let’s give small businesses a cybersecurity cookbook, along with a full “kitchen.”
Second, let’s assume we give those businesses a real incentive to take action. Explaining risk and protection in a way they can understand will help for sure, but say we offered businesses a contractual premium for taking concrete steps. For example, what if the U.S. Department of Defense paid a small bonus, maybe half a percent, to a prime contractor that verified its subcontractors (and their subcontractors) had implemented a few key mechanisms to be more secure.
Third, we can also make it easy for small businesses both to know what they must do and to show they have done it, in order to get the bonus. One way to achieve this is with simple contractual language that can be copied down supply chains and across value chains. The requirements could be met by simple self-attestations of having undertaken the steps provided by a toolkit, and some of the elements could be readily validated using public information (such as implementation of email authentication practices).
This approach has other benefits.
- Focusing on basic controls and hygiene improves the entire ecosystem. Implementing stronger authentication by a supplier, for example, protects not only the parties to the supply contract but anyone who relies on that business for products or services.
- Installing basic controls across small businesses limits the ability of attackers to maneuver among them, imposing additional barriers and costs.
- Protecting small businesses against attacks targeted specifically at them, like ransomware, limits the return on investment for cyber criminals, reducing their prevalence and the drag they impose on economies.
In the medium to long term, these small businesses will grow to rely more and more on cloud services with security embedded. But while that transition takes place, we can take action right now to make supply and value chains secure by making reasonable requests and providing incentives. No more failure to communicate.