Richard Clarke
Richard Clarke
In the eleventh hour, the Administration has made a gesture signifying that it finally recognizes the role cybersecurity plays in our nation's security – a case those of us engaged in this issue have been making for almost two decades. The release of the classified NSPD 54/HSPD 23 in January and the subsequent establishment of the National Cyber Security Center reflect an understanding that government actions over the past five years have been ineffective – and a recognition of the ease with which China and Russia have hacked into our computer systems. 

One possible outcome of this Directive should be that government ensures the private sector is accountable for the authenticity and legitimacy of its products. Supply chain security is critical to a national cybersecurity strategy and vendors must wake up to their responsibilities. 

The private sector must accept its role as an instrumental voice and will lose big if it does not take its role seriously. Vulnerabilities in the supply chain are a weak link in our line of defense and vendors have an obligation to ensure their products are safe or they will pay a hefty price: loss of public sector business. And, the country may pay the greatest price of all.

The government must ask the private sector difficult questions regarding software assurance and the private sector must respond. How does a company implement best practices for software security and how will the vendor ensure that the contractors in its global supply chain implement these best practices?

If the private sector wants to avoid government regulation, it needs to establish its own rules that meet the highest standards set by one of its most demanding clients: government. Industry must take responsibility for the legitimacy of its hardware and hardware manufacturers should be held accountable. 

The burden of supply chain security lies with both the public and private sector.  Government must execute necessary leadership in demanding that the private sector maintains appropriate security standards; the private sector must recognize and fulfill its obligation as a purveyor of some of our most critical security components. Vendors are obligated by good business practice, ethics and their influence on state security to ensure the integrity of their product. The private sector must appreciate its role in national security and act accordingly. Efforts such as SAFECode – a consortium of software manufacturers focused on building a repository of best practices and procedures for securing software – represent a good start.

The Presidential Directive affords this administration a final opportunity to acknowledge the cyber challenges that threaten our national security. Our increasing dependence on cyber infrastructure cannot continue without appropriate measures to address the current and future security threats. This administration must confront the weaknesses in supply chain security and direct the government to collaborate with the private sector to ensure supply chain resiliency. 

One of the most forward-looking components of the Directive is its admission that any strategy taken today is part of a long-term policy that will evolve into the next administration. It is good to see that after eight years this administration is finally getting its act together.



Richard A. Clarke is chairman and Kiersten Todt Coon is a principal at Good Harbor Consulting, LLC
.