Cybersecurity and Supply Chain Risk Management Are Not Simply Additive
Implications for Directions in Risk Assessment, Risk Mitigation, and Research to Secure the Supply of Defense Industrial Products
Research | Published Dec 19, 2023
This report presents an examination of how cyber-related risks compare with other risks to defense-industrial supply chains, including how attackers might use supply chains to wage attacks, such as through malicious code, and how supply chains might, themselves, be targets of attack, such as through disruption. It also explores the implications of the differences in risks for directions in risk assessment and mitigation and for research.
The Air Force Research Laboratory (AFRL) asked RAND Project AIR FORCE (PAF) for assistance in understanding how cyber-related risks compare with other risks to its defense-industrial supply chains—a scope that included supply chains for hardware, not supply chains for software—and in exploring the implications for directions in risk assessment and mitigation and for research. AFRL was interested in how attackers might use supply chains to wage attacks, such as through malicious code, and how supply chains might, themselves, be targets of attack, such as through disruption.
To conduct the analysis, PAF drew insights from the literatures on cybersecurity, supply chain risk management (SCRM), game theory, and network analysis and worked with sets of stylized supply chains and fundamental principles of risk management. The report uses the phrase cyber SCRM broadly to refer to the cybersecurity of supply chains, including attacks through supply chains to reach a target and attacks on supply chains in which the target of the attack is the supply chain itself.
This research was prepared for the Department of the Air Force and conducted within the Resource Management Program of RAND Project AIR FORCE.
This publication is part of the RAND research report series. Research reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND research reports undergo rigorous peer review to ensure high standards for research quality and objectivity.
This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit www.rand.org/pubs/permissions.
RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.