The massive compromise of the company SolarWinds has been held up as an example of what is called a “supply chain” vulnerability. In point of fact, the vast majority of those impacted by the Russian SolarWinds attack had probably never heard of SolarWinds, and did not know that their critical infrastructure depended on that company's software.
Indeed, modern supply chains, manufacturing, technology, and internet and telecommunications networks all depend upon complex webs of suppliers (more accurately supply webs than supply chains) that are vulnerable to disruption and attack. While defense contractors, the intelligence community and the Department of Defense attempt to address this problem, for commercial entities supply chain security can be the difference between delivering products and services effectively and being out of business. Yet it is incredibly complex and difficult even to identify what your supply chain and your dependencies are. There are some things you can do today, from a practical and legal standpoint, to gain greater visibility into your supply chain and to improve its security and resilience.
Virtually Every Commodity Has a Supply Chain, Making Every Commodity Vulnerable
An example: Milk
Take something as simple as a glass of milk. What is the “supply chain” necessary for that glass of milk? At its most basic, all you need for a glass of milk is a glass and a cow, and you probably can get by without the glass. But the “supply chain” of that glass of milk can be very complex, and can include the land, the grass, the water, the fertilizer, the runoff, access to the land, the supply of cattle, the feed, the manure (removal), the infrastructure (barns, troughs, etc.), the milking machines, electricity, storage, refrigeration, transportation, pasteurization, cartons, labels, advertising, promotion, and transport to stores with their own infrastructure. Then the customer has to go to the store, buy the milk, take it home, refrigerate it, and, of course, find a glass. We can make the supply chain even more complicated when we take into account the supply chain necessary to make the milk transport truck work, or the supply chain necessary to make sure we have electricity, or the supply chain necessary to ensure that vendors, suppliers and retailers can all be paid (banking, payment transfer, Internet payment systems). We can complicate it even further if we add the computers, routers and hubs necessary for all of this to work. And even further, we can add the chips, software, code and other things necessary for those computers and routers to work. And finally, there is the supply chain of people necessary to make all of this work, which can include things like skills, recruiting, background checks, and the infrastructure necessary to get them to the farm, factory or office. All that for a glass of milk.
A dairy cannot be expected to know the entire interdependence and provenance of that supply chain. It should know where it is getting its feed, its machines, and its transport to the processor, and have some insight into the risks associated with at least those infrastructures. Is the feed safe? Has it been contaminated? Is the supply reliable? Do I have a backup supplier for feed, and is their feed safe? Things like that.
Know Your Risks
For any company, then, the first step in “supply chain” security is to identify the critical supply chain and the risks and impacts associated with supply chain failures. Failures can include disruption (e.g., your essential product is on a ship blocked in the Suez Canal), contamination, or a general lack of protection. Typically we look at what we call “CIA”: risks to Confidentiality, risks to Integrity, and risks to Availability. So look at what your business is and what it depends upon. Identify the key players in your risk environment: vendors, suppliers, communications, Internet, transportation, etc. Include those with access to your computers and networks, cloud providers, service providers, and others. Essentially: what do you need to stay in business? Upon whom are you dependent?
Can A Business Be Liable For Security Vulnerabilities in Their Supply Chain?
Supply chains, at their core, involve relationships. These relationships are frequently defined by contracts, which can be explicit or implied. When you buy a CAT-6 cable from your local Staples, Best Buy or even drug store, there is an expectation (by you) not only that the cable will do what it is supposed to do, but also that the cable does not contain a surveillance chip designed by the GRU in Russia to send your communications to someone in St. Petersburg. You expect that the local CVS bought the cable from a reputable supplier, who bought it from a reputable manufacturer, who in turn maintained control over the manufacturing and transportation-to-market process. You also expect that CVS had some process to prevent someone from walking into the store and swapping out “real” CAT-6 cables for these Russian “enhanced” cables. You expect supply chain security. But, from a legal standpoint, is this expectation reasonable? After all, there is no formal contract between you and CVS. You just bought a cable.
Reps and Warranties
The sales transaction is generally covered by Article 2 of the Uniform Commercial Code. When you sell something, you don’t just sell the product. You warrant and represent that the thing you are selling is free from “defects,” that it is what it purports to be, and that it is “fit” for its intended use. A breach of the supply chain that alters the character of the goods sold may result in a breach of the warranty of fitness or other warranties and expose you to liability just as much as listeria that sickens people who drink a tainted glass of milk. Thus, supply chain security is necessary in order to live up to express or implied warranties about products or services. If you agree to paint someone’s house, and you can’t get paint because the paint company’s product is on that same ship blocked in the Suez Canal, you may be liable for breach of contract. In more formal contracts, you may be committed to delivering a product of a particular quality at a particular time, and supply chain security problems may put you in breach of those agreements.
Additional Liability: Negligence
Additional liability may be imposed under a tort theory. Companies that fail to protect their supply chains may be deemed reckless or negligent, and may owe a duty of care to vendors, suppliers, or consumers to take reasonable steps to secure what they deliver.
Don’t Panic Yet: Pushback Against Supply Chain Security Liability
A supply chain is, by definition, an interdependency. The problem with using either contract or tort law to enforce supply chain security is that, to sue under contract, you often have to be in “privity” of contract: you may have to be a party to the contract or the recipient of the promise. The company that buys the “defective” CAT-6 cable can likely sue CVS, but can it sue the trucking company that delivered the cable, the company that heat-sealed the cables, the company that manufactured them, or the engineer who designed them under a breach of contract theory? Probably not.
Even under a tort theory (negligence), to be successful an injured party would have to show that the party that failed to secure the supply chain owed a duty of due care to THEM, and that it was reasonably foreseeable that THEY would be harmed as a result. Could a person who was unable to get life-saving medicine at the local Eckerd drug store sue the operator of the ship that blocked the canal (a ship that had no medicine on it)? Supply chain tort liability is probably broader than contract liability, but there are significant limits on who can be sued and for what.
This is significant because liability — and potential liability — drives action. If you have liability for a supply chain failure, then you will expend resources to mitigate that risk. If not, then you might not.
Get it in Writing
In the short term, the most effective way to mitigate supply chain security risk is to:
- Identify your supply chain of products and services
- Identify the risks associated with those vendors or suppliers on that supply chain
- Obligate those in the supply chain to take reasonable steps to both mitigate THEIR risks, and identify and mitigate the risks associated with THEIR supply chains. It’s an endless game of finger pointing. In contracts, purchase orders, statements of work, or other legal arrangements with critical providers, you need to identify what you want them to do from a supply chain, security, availability, and confidentiality standpoint, what standards you want them to adopt, how you want them to certify or audit compliance, and what consequences will ensue if they fail to comply.
- Identify any regulatory supply chain or security requirements that you expect them to comply with.
- In addition, you want them to “push down” these requirements on any of THEIR vendors or suppliers (or at least those that are critical to your process), and impose liability on your vendor if THEIR vendor fails.
This will also mean that YOUR vendors and suppliers will seek to impose the same standards on you — and you need to be prepared to meet these challenges. With great power comes great responsibility.
Conclusion: Know Your Supply Chain
Supply chain security is monumentally difficult. For the short term, it is important for companies to identify the critical dependencies in their supply chains and prepare for the resiliency of those supply chains, while imposing both duties and liabilities on those upon whom they depend. This will take time, energy and resources, as well as careful negotiation and drafting. In the end, however, it may be the difference between having or losing a company, and having to cry over spilled milk.
To learn more about cybersecurity for businesses, please visit our Cybersecurity and Data Privacy Page. If you would like to reach me about supply chain security, don’t hesitate to send me an email at firstname.lastname@example.org.