That was one of the takeaways of “Making Sense Out of Supply Chain Chaos,” a panel held on July 19 as part of the International Conference on Cybersecurity (ICCS 22). The conference was held at Fordham’s Lincoln Center campus and sponsored by Fordham and the FBI.
“People are aware that we were very dependent as a nation on a supply chain from a particular area of the world for electronics and medical equipment in the early part of 2020, and steps needed to be taken to remedy that,” said A. Joseph Jay III, a partner at the law firm Sheppard Mullin who represents corporations in matters before government offices such as the U.S. Department of Justice.
“But I don’t think people were aware of just how much we were dependent upon information and communications technology to connect the supply chain. Over the last 28 months, we’ve seen an explosion in cybercrime in which foreign or domestic threat actors are disrupting the supply chain by engaging in hacks.”
The panel was moderated by CNN investigative journalist Evan Perez, and also featured Robert Costello, chief information officer at the federal Cybersecurity and Infrastructure Security Agency.
It covered many of the challenges faced by sectors that are mostly overseen by the private sector, whose incentives do not always align with those of law enforcement. Shipping, for instance, is run by private firms, as are many aspects of port operations.
Michael W. David, Ph.D., a professor of science and technology intelligence at the National Intelligence University, noted that 70% of the world’s container cranes that are large enough to service the biggest container ships are manufactured by a single Chinese firm.
“Most of the cranes operate on software, and the operating systems are provided by that country,” he said.
“What does that mean? That means they have cyber access to those cranes globally. They could conceivably cause something to happen in those cranes to just stop. You wouldn’t even need submarines or ships to create a blockade.”
David noted that Florida U.S. Representative Carlos Gimenez has proposed a law addressing the issue, but it’s unclear whether it will ultimately pass.
All the panelists agreed that the ransomware attack on Colonial Pipeline on May 21 was a watershed moment for cooperation between the private sector and the government. Although the company paid $4.4 million to hackers to restore its computer systems, it worked with the government to address the problem. Ultimately, the Department of Justice recovered half of the payment, and disruption of gasoline distribution to the United States was only minimal.
“When the Colonial Pipeline incident occurred, I think we saw a bit of a sea change in that model, where people understood that ‘Yes, the government can be good,’ and the government can be helpful, particularly with the speed and alacrity with which it resolved that issue,” said Jay.
“Had the pipeline company not contacted law enforcement and taken what might have been a more traditional tact, that story might have ended up very differently.”