Hathaway: Global standards, vendor accountability key to securing the supply chain
Although cyber threat detection and prevention in the private sector supply chain has lately become a federal regulatory agenda item, it could be four years until policy coalesces and tools exist to enforce that policy, said Melissa Hathaway, president of Hathaway Global Strategies and former acting senior director for cyberspace on President Obama's National Security Council.
Public-private partnerships and interagency collaboration (especially among the Homeland Security Department, National Security Agency, FBI, National Institute of Standards and Technology, and General Services Administration) will be critical to addressing this threat. But public-public partnerships should also extend beyond U.S. borders, said Hathaway while speaking Nov. 19 at a CyberSecurity Seminars-sponsored event in Washington, D.C.
"It's a global [information and communication technology] market and it's going to require global cooperation to solve this problem. Anyone who thinks the United States can go it alone is wrong," Hathaway said.
"We need to think about how we're going to partner with like-minded nations and non-like-minded nations," she added.
Given a weak economic climate that could continue for several years, Hathaway does not foresee the United States adopting a protectionist acquisition policy that would require domestically manufactured hardware or domestically written code. Instead, design and manufacturing practices that consider security from the initial stages should be written into the service level agreements of federal acquisitions, and those requirements should be built upon global, mutually recognized standards, she said.
The problem is too big for any single entity to manage, and at some point, said Hathaway, every corporation will have to attest to the integrity and security of its infrastructure. Treating supply chain cybersecurity as a risk management and governance issue would bring more visibility to, and improvement in, this area, she added.
"I think from a managed service security provider and those providers of our core infrastructure, if we actually forced them, required them, to provide more of the security service for all of us so that there was less malware coming in, and/or data loss going out...we'd be draining the swamp and beginning to focus on the really hard problems," said Hathaway.