At a glance.
- A social contract for cyberspace?
- Diverse (and potentially confusing) approaches to supply chain risk management.
Moral obligation in cyberspace.
What do we owe each other in the digital world? When T.M. Scanlon posed his question, he probably never imagined his moral philosophy would one day be applied to a world that exists solely in cyberspace. An essay in Foreign Affairs by Chris Inglis (US National Cyber Director) and Harry Krejsa (Acting Assistant National Cyber Director for Strategy & Research) explores the difficulties of applying ethical guidelines to a cyber-ecosystem where private information is at the mercy of malicious tooling easily accessible to digital predators. Individuals, small businesses, and local governments are often forced to bear a burden that should be taken up by larger corporations and federal governments, which are more capable of establishing collective protections. Only through collaboration and a strategic regulatory framework that works from the top down, the authors argue, will bad behavior be punished at a rate that actually deters cybercriminals. The White House is off to a good start, requiring federal agencies to patch known vulnerabilities and implement zero-trust architecture, but unprecedented cooperation between the public and private sectors will be required for such mitigation strategies to trickle down to industry.
Various US Government approaches to supply chain risk management.
This week, the US National Institute of Standards and Technology (NIST) released a request for information (RFI) on updating its Cybersecurity Framework as it applies to supply chain risk management (SCRM). As the Federal News Network notes, lawmakers have been grappling with the issue of securing the supply chain since 2018’s SECURE Technology Act, and NIST is the latest of at least half a dozen agencies that have requested feedback from the private sector on SCRM in the past four months. A January RFI from the Centers for Medicare & Medicaid Services (CMS) states, “The need for scrutiny of supply chain risk was highlighted during the 2020 cybersecurity breach where several federal government information technology (IT) systems were compromised by foreign adversaries.” While CMS is looking for feedback about potential threats from code in hardware and software, a recent RFI from the General Services Administration is focused on contracts connected with the Federal Acquisition Security Council (FASC). The Department of Homeland Security took a different approach: instead of issuing an RFI, DHS will send a questionnaire to contractors about their cyber hygiene practices as a prerequisite for being granted a contract award. Most recently, Congress included eight provisions related to the Defense Department’s management of its supply chain in the Defense Authorization Act of 2022.