OPSEC Best Practice
By John McCarthy, CCP and OPSEC President
When conducting OPSEC assessments and surveys for Department of Defense (DoD) and other Government acquisition programs, include Supply Chain Risk Management (SCRM) in your assessment or survey.
Since 1994, Federal procurement policy for information and communications technology (ICT) has promoted the use of commercial off-the-shelf (COTS) products and services as a means of controlling costs. While this policy has yielded some savings, it also yielded unforeseen and significant security risks.
The Defense Industrial Base (DIB) uses a global supply chain to design, develop, manufacture, and distribute ICTs to DoD acquisition programs. ICT components often end up in weapon systems that deliver mission-critical functionality to our warfighters.
In a report [1] to Congress, the Government Accountability Office found that “reliance on a global supply chain introduces multiple risks to federal information systems. These risks include threats posed by actors – such as foreign intelligence services or counterfeiters – who may exploit vulnerabilities in the supply chain and thus compromise the confidentiality, integrity, or availability of an end system and the information it contains.”
Segments of the ICT supply chain are often under the direct control of our adversaries. Even something as simple as a military-grade laptop has a global supply chain.
What is ICT?
“ICT includes all categories of ubiquitous technology used to gather, store, transmit, retrieve, or process information, for example, microelectronics, printed circuit boards, computing systems, software, signal processors, mobile telephony, satellite communications, and networks. ICT is not limited to information technology (IT)… Rather, this term reflects the convergence of IT and communications.” [2]
What is SCRM?
The DoD defines a supply chain as “the linked activities associated with providing material from a raw material stage to an end user as a finished product.” [3] SCRM is the systematic identification, assessment, and quantification of potential supply chain disruptions with the objective of controlling exposure to risk or reducing its negative impact on supply chain performance. [4]
What are some of the threats to an ICT Supply Chain?
- Installation of hardware or software containing malicious logic;
- Installation of counterfeit hardware or software;
- Failure or disruption in the production or distribution of critical products;
- Reliance on a malicious or unqualified service provider for the performance of technical services; and
- Installation of hardware or software that contains unintentional vulnerabilities.
How does the DoD protect the ICT supply chain?
Program Protection is the DoD’s approach for protecting Critical Program Information (CPI) and mission-critical functions and components in warfighting systems. Program Protection identifies threats, vulnerabilities, and risks to CPI and mission-critical functions and components, and then it applies countermeasures to mitigate risks. Countermeasures include anti-tamper, exportability features, cyber security, OPSEC, information, personnel and physical security, secure system design, SCRM, software assurance, anti-counterfeit practices, procurement strategies, and other mitigations.
How does OPSEC protect the ICT supply chain?
Most information about ICT supply chains is unclassified and is held by the DIB. Our adversaries are adept at harvesting supply chain information through Open-Source Intelligence (OSINT) and Computer Network Exploitation (CNE). They use the information to identify entry points in a supply chain where they can sabotage, introduce unwanted functionality, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a warfighting system.
Using the OPSEC process, acquisition programs are able to identify, control, and protect critical information (CI) about their ICT supply chains, such as:
- Missions and functions of the warfighting system using the ICTs;
- Number of warfighting systems using ICTs;
- Identities of ICT developers and end users;
- Family of systems interfaces;
- Supply chain maps;
- ICT suppliers;
- Supply chain processes;
- Functional and security requirements;
- System design specification;
- Testing protocols; and
- Security control implementation details.
OPSEC complements a defense-in-breadth Program Protection strategy, and the beauty of the OPSEC assessment is that it can be easily tailored to include and protect CI about the ICT supply chain.
Mr. McCarthy is a CPP and is a Program Protection Analyst for EMSolutions, Arlington, VA
[1] GAO-12-361, United States Government Accountability Office (GAO) Report to Congressional Requesters, IT Supply Chain: National Security-Related Agencies Need to Better Address Risks, March 2012
[2] Department of Defense (DoD) Instruction 5200.44, Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN)
[3] DoD Manual 4140.01, Volume 1, DoD Supply Chain Materiel Management Procedures: Operational Requirements
[4] DoD Instruction 4140.1, DoD Supply Chain Materiel Management Policy
First, full disclosure: Aegis Journal and Financial Examinations & Evaluations, Inc. are full supporters of the OPSEC Professionals Society (www.opsecsociety.org), from which this article was reproduced with permission.
While this article is directed specifically at government requirements and considerations, the value of this process of understanding the risks from your supply chain is enormous. Suppliers can make good assumptions when reverse engineering your formulas based upon your orders, especially if you only have one or two suppliers. Furthermore, if an adversary can get to your supply chain, they can denude a company of all IPCI (Intellectual Property and Critical Information). A simple script hidden within bulk orders for new computers is very easy, and we have seen it done to both commercial firms and law firms. We have even seen a client charged with the possession of a large collection of conflict minerals after their competitors subverted the supply chain, made sure their competitor was shipped conflict minerals, and then distributed them to the world.
John McCarthy’s words and thoughts need to be seriously considered by the private sector, given how poorly we understand threats to our IPCI.