This report presents an examination of how cyber-related risks compare with other risks to defense-industrial supply chains, including how attackers might use supply chains to wage attacks, such as through malicious code, and how supply chains might, themselves, be targets of attack, such as through disruption. It also explores the implications of the differences in risks for directions in risk assessment and mitigation and for research.
Cybersecurity and Supply Chain Risk Management Are Not Simply Additive
Implications for Directions in Risk Assessment, Risk Mitigation, and Research to Secure the Supply of Defense Industrial Products
Published Dec 19, 2023
- How do cyber-related risks differ from or compound other concerns about SCRM?
- What do, or could, these differences mean for risk assessment, risk mitigation, and research?
The Air Force Research Laboratory (AFRL) asked RAND Project AIR FORCE (PAF) for assistance understanding how cyber-related risks compare with other risks to its defense-industrial supply chains—a scope that included supply chains for hardware, not supply chains for software—and exploring implications for directions in risk assessment and mitigation and for research. AFRL was interested in how attackers might use supply chains to wage attacks, such as through malicious code, and how supply chains might, themselves, be targets of attack, such as through disruption.
To conduct the analysis, PAF drew insights from the literatures on cybersecurity, supply chain risk management (SCRM), game theory, and network analysis and worked with sets of stylized supply chains and fundamental principles of risk management. The report uses the phrase cyber SCRM broadly to refer to the cybersecurity of supply chains, including attacks through supply chains to reach a target and attacks on supply chains in which the target of the attack is the supply chain itself.
Cyber-related risks could be substantially worse than and different from other types of supply chain risks
- Cyber events can present the worst of conventional hazards in terms of their onset, duration, visibility, and reach.
- They can pose even greater challenges than nondigital threats, given the potential for strategic adversaries to inflict harm at low cost and without being punished for repeated attempts.
Preventive measures are not enough
- Preventive measures cannot stand alone or be pursued at the expense of taking steps to facilitate response and recovery or build resilience.
- Creating impenetrable defenses is infeasible, and attempting to create them would entail further risks and costs.
Cyber SCRM requires more than an amalgam of cyber and SCRM
- Some conventional responses to supply chain risks might not hinder or might even elevate the risks cyberattacks present.
- Absent any trade-offs, a fusion of cyber- and SCRM-based measures could be inadequate if conventional SCRM underestimates the potency of cyberattacks relative to other sources of risk.
Private-sector efforts to manage risk may not meet national security needs
- Strategic interactions between suppliers and attackers could lead to underinvestment in security, especially without coordination among suppliers.
- However, several compounding factors involving risk assessment, incentives, and supply chain visibility could make matters worse.
- Frame the potential consequences of cyberattacks in terms of the availability, quality, and cost of defense industrial products that serve mission critical roles, not just or not primarily information security.
- Establish priorities among the cyber and SCRM consequences based on what they could mean for mission attainment.
- Set out terms for cyber SCRM strategies that give due attention to response, recovery, and resilience and account for concerns about information security and supply chain functionality, differences in DAF and private-sector interests, and potential trade-offs among risk-reduction objectives.