Should we start regulating cybersecurity in the supply chain? Not so fast.

April 26, 2019

Supply chain has become the hot topic in cybersecurity inside the Beltway in recent months – and for good reason.

The British Standards Institution just this week released a new report on the supply chain identifying cybersecurity as one of the greatest security threats within the supply chain.

The federal government has also taken notice of growing supply chain cybersecurity threats. Prime contractors within the defense industrial base have already faced stringent cybersecurity regulation from the Department of Defense, and DoD has begun expanding those requirements down the DIB supply chain to subcontractors.

Moreover, Federal Chief Information Security Officer Grant Schneider suggested last week that new regulations might be the answer to bolstering cybersecurity within the supply chain. The Trump administration has suggested openness to expanding the regulatory DIB model to address cybersecurity in the supply chain more broadly. However, it’s very important that we consider the impact of this approach and determine whether these regulations, while well intentioned, are achieving their goal of improved cybersecurity.

Concerns have been raised that these stringent regulations are pushing important innovators out of the defense market, as many of them do not see the value of fronting the cost to comply with strict supply chain regulations and are finding other, less costly avenues for selling their products. This raises the question: Are we actually undermining cybersecurity with these well-intentioned regulations?

We need to determine whether these approaches are effective at increasing cybersecurity and to understand what potential negative impacts these regulations might be creating.

The Department of Homeland Security just this week hosted a stakeholder meeting for its Cyber Risk Initiative in Economics (CYRIE) research program, which has identified supply chain security as one of its key areas of economic research. This presents an opportunity for us to better understand whether these cybersecurity requirements are working and, if not, what alternative incentives could be created to boost supply chain security without the negative side effect of pushing important developers and innovators out of the market.

Supply chain cybersecurity is an incredibly important issue that needs to be addressed – but before we begin blindly expanding the regulatory model, we should test it and make sure it works.