Did you know that sometimes we have to protect our classified information before it is even employed by us, the clearance holders? Why this seeming paradox is true can only be understood if we see our clearances and our classified work in the context of the supply chain along which we are employed. Here’s how that works.
The classified Supply Chain
Cleared employees are among America’s most precious assets. To have a security clearance means you have been granted access to our most valued secret information. It is secret because to compromise this information would give an adversary advantage over our country. It is because we could lose a battle before we even enter combat that our topic of protecting the classified supply chain is so important.
Are you aware of what you are protecting? “Of course,” you might respond, “Anything with a classification paragraph marking.” Or, if you work with classified objects (like a computer) you protect what is on the “high side” with diligence, passwords, and not a little care when you print something on a classified printer. And yes, if you have classified components, they go into a safe or are stored in secure areas at the end of the work day. This is how an end user might respond. Of course, as a clearance holder, we need to be aware that the classified information we are working on came from somewhere.
How does all that classified information get to you? What brought it to be on your desk or work table? That is the supply chain. An entire array of “supply chain risk management” documents abound for you to assess the threat and critique the safety of what brings that classified component from its maker to you, the user.
the threat starts long before the end user
Consider this: In World War II, the threat to supplies was palpable. German submarines were sinking our supply ships going to Europe. So, convoy departures, routes, and components were closely guarded secrets. “Loose lips sink ships” came from this fact. Today, we have computers which do most of our daily work. As end users, we are cognizant of what we must do to preserve what is secret on such devices.
But where do the computers come from in the first place? Is someone in the company hierarchy aware of the manufacturer, transportation, and delivery mechanism of such devices? Why you might ask? Well, a recent study shows that what could maliciously infect even a free-standing (non server connected) computer system before it ever arrives at your office. A time bomb type malware could be placed in a component of your computer, set to ‘go off’ when an adversary no longer has need of what he is sucking from your message traffic. Know your supply chain, and who has, or had, access to it.
What’s the Official Guidance on the Classified Supply Chain?
Most laymen wouldn’t begin to know about such things, and thus the government has created a host of protections which are available for review and use. A National Strategy for Global Supply Chain Security was signed by the president. This gives guidance on how the nation will implement protections against natural and man-made disasters, including crime and terrorism. Not only the physical distribution of things is addressed, but also communications is considered. Why? If you can’t communicate, you can’t act. We all dread the potential collapse of our electrical grid, but what we really fear is the utter inability to use any of our electronics. And this of course includes computer security.
The National Institute of Standards and Technology has written an excellent guide, Supply Chain Risk Management for Federal Information. This guide is created to help us know what is at risk, and how to defend it. It states, “Federal agencies are concerned about the risks associated with information and communications technology (ICT) products and services that may contain malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing practices within the ICT supply chain. These risks are associated with the federal agencies’ decreased visibility into, understanding of, and control over how the technology that they acquire is developed, integrated, and deployed.” The document goes on to advise on how agencies can identify, assess and mitigate such risks.
Counterintelligence officers should be aware that their mission involves detection and deterrence of threats before they are deployed against us. The farther from the end user we can protect ourselves the better. This can be done with a wise assessment of the supply chain necessary to bring our supplies to us. Once that chain is identified, a threat assessment can be made. With that in hand, action can be prioritized. But first you have to know to ask the question, “Where did that come from?”
