Supply-chain vulnerabilities are a ‘digital public health crisis,’ says DHS’s Manfra

Jeanette Manfra speaks April 16, 2018, at CyberTalks in San Francisco. (CyberScoop)

Persistent supply chain vulnerabilities such as hardware and software bugs “amount to a digital public health crisis” that the government and private sector must work together to resolve, according to Jeanette Manfra, the Department of Homeland Security’s top cybersecurity official.

“We must begin to think in terms of global digital public health, where the decisions of each of us have the potential to affect us all,” Manfra said Monday at SF CyberTalks presented by CyberScoop ahead of the RSA Conference in San Francisco.

Manfra, DHS’s assistant secretary for the Office of Cybersecurity and Communications, said that security tools need to be pushed further down the supply chain “to prevent unseen and unknown risk transmitting from vendors to infrastructure.”

DHS earlier this year established a supply chain program that provides cyber risk assessments to critical infrastructure firms and federal agencies on products they may acquire or deploy.

The supply chain is a logical pathway for hackers targeting critical infrastructure. In early April, a cyberattack on billing software disrupted customer transactions for a network of U.S. natural gas pipelines. The incident did not threaten gas companies’ critical operating systems, but it was a reminder that supply chains are in hackers’ crosshairs.

Risk assessment requires “visibility into an often-opaque supply-chain process and a clear understanding of the threat,” Manfra told a crowd of public and private-sector cybersecurity executives.

Manfra also pledged that the U.S. government would continue to publicly call out malicious cyber-activity, adding that such “naming and shaming” must be paired with punitive measures to be effective.

“Our most capable adversaries have stepped up efforts to conduct ‘gray-zone’ cyber-operations to achieve objectives in areas where they are unable or unwilling to compete normally,” Manfra said.

Her comments came as the American and British governments announced that hackers backed by the Russian government had carried out a coordinated campaign against internet traffic routers worldwide.

Private companies have an important role to play in thwarting hackers by “coordinating takedowns, sink-holing, and strategic software updating and patching,” Manfra said.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
