http://homelandsecuritynewswire.com/us-supply-chain-cyber-security-weaker-more-vulnerable-thought
U.S. supply chain cyber-security weaker, more vulnerable than thought


Published 8 December 2010

New study finds that the U.S. supply chain may be even more prone to
cyber-attacks than commonly believed; the alarming study shows how
vulnerable the businesses behind the U.S. supply chain and resources network
-- goods and services forming the backbone of the country's well-being and
economy -- are to cyber-attack

New research from an IT strategy firm has found that the U.S. supply chain
may be even more prone to cyber-attacks than commonly believed. The
Enterprise Strategy Group <http://www.enterprisestrategygroup.com/>  (ESG)
unveiled research late last month showing how vulnerable the businesses
behind the U.S. supply chain and resources network - goods and services
forming the backbone of the country's well-being and economy - are to
cyber-attack.

ESG found that in the past two years most of these organizations have been
breached, many more than once. Only a few employ cyber-security best practices
for the supply chain.

Govtech.com quotes
<http://www.govtech.com/pcio/Supply-Chain-Cyber-Security-Could-Be-Weaker.html>
Jon Oltsik, ESG principal analyst and the author of the report
<http://www.enterprisestrategygroup.com/media/wordpress/2010/11/ESG-Research-Report-Cyber-Supply-Chain-Security-Nov-10.pdf?utm_source=website&utm_medium=reportpage&utm_campaign=cybersupplychain>,
"Assessing Cyber Supply Chain Security Vulnerabilities within the U.S.
Critical Infrastructure," to say
that these are eye-opening findings. "The assumption was that the U.S.
critical infrastructure is very vulnerable to some kind of cyber-attack, but
to my knowledge, and I dug fairly hard, no one had ever quantified that," he
said. "No one had ever done research to figure out just how vulnerable or if
that was true, and so we wanted to do that."

He and his colleagues John McKnight, vice president of research, and Jennifer
Gahm, senior project manager of market research, surveyed 285 IT and
business leaders from public and private organizations, including federal
and local government employees. The researchers selected participants from
eighteen industries deemed "critical infrastructure" by DHS. The ESG report
classifies them as critical infrastructure and key resource (CIKR) groups.

"Everyone is under attack to a greater degree than they were a few years
ago. The difference, I'd say, is that these industries have a target on
their back," Oltsik said.

Regulation has hardened the cyber-security of banks and other financial
institutions, so criminals are targeting elsewhere.

"If you wanted to disrupt the U.S. economy, you might do things like try to
take out the power grid, try to disrupt the money supply or the financial
system, try to disrupt the telecommunications networks. Those are the kinds
of things that we're really concerned about with critical infrastructure
protection," he said.

Sixty-eight percent of respondents experienced at least one security breach
in the past twenty-four months, and 13 percent experienced more than three.
Yet only 26 percent said they were very familiar with the cyber-security
supply chain model
<http://www.saic.com/news/resources/Cyber_Supply_Chain.pdf> , internal risk
management and security practices designed to keep CIKR organizations safe.
Thirty-seven percent said they were somewhat familiar, 22 percent said
they'd heard of them but weren't familiar, and 14 percent said they hadn't
heard of them.

Other report data include the following:

*       40 percent of respondents said today's threat landscape is somewhat
worse than it was 24 to 36 months ago, 28 percent said much worse, 20
percent said the same, 6 percent said somewhat better, 2 percent said much
better, and 4 percent had no opinion.
*       56 percent rated their internal policies and procedures as good, 22
percent said excellent, 18 percent said fair, 2 percent said poor, and 2
percent didn't know.
*       After asking respondents questions about their security policies and
safeguards, ESG rated 30 percent as having strong cyber supply chain
security, 36 percent as marginal, and 34 percent as weak.

Govtech.com reports that some survey questions were designed to discern
respondents' attitudes toward outside parties, such as whether they
considered IT vendors' security processes when making software purchases, or
whether they held system integrators accountable for the security of systems
those integrators helped develop or design. The questioning suggests that
modern cyber-security is an intricate affair.

"That's true, but I would argue that that's the cost of doing business now,"
Oltsik said. "If we're going to let people pay their electric bills online,
or if we're going to connect our internal systems to other people's systems,
if we're going to buy equipment and build new applications to automate
processes, it's the cost of doing business."

A whopping 71 percent of respondents felt the federal government should be
more active with cyber-security strategy and defenses. Oltsik said he feels
that recent administrations haven't moved fast enough to keep up with a
digital world that's becoming more dangerous.

"There is more focus on it than there was a few years ago, but the
legislative process is slow, and cyber-security issues are light speed, and
the more there's a mismatch, the longer it takes, the bigger the gap gets,"
he said.

Brooks Isoldi, editor
[email protected]

http://www.intellnet.org