Principal Deputy Director of National Intelligence Dr. Stacey Dixon
Remarks As Prepared for Delivery
NCSC's 10th Annual Supply Chain Technical Exchange Conference
NGA Campus
Springfield, Virginia
April 24, 2024
(Deputy Director) Tonya (Wilkerson): Thank you for hosting us, and for your introduction. Every time I am here with you and Vice Admiral (Trey) Whitworth, I feel as if I am coming home because of the warm welcome you give me and my colleagues at ODNI.
I have always known that NGA is an outstanding partner in the Intelligence Community, and hosting today’s conference and the collaboration with ODNI’s National Counterintelligence and Security Center over the past decade is an example of that close partnership.
Thank you also to those at NCSC: Michael (Casey), Jeanette (McMillian), and their entire staff for the work that made this conference possible. It is a tremendous undertaking, and an example of the leadership that we need in areas of vital importance to national security, such as ensuring the integrity of our critical supply chains.
On this, the tenth anniversary of the conference, we can look back at how far we have come. The profile of cyber and digital infrastructure supply chain security has been recognized and raised, and, even more importantly, the IC has improved our supply chain security. At the same time the threats have continued to multiply in number and in intensity.
We can see this clearly in the growing discussions about topics related to supply chain integrity, and the impact supply chain-related topics have had on the lives of Americans, in ways we just did not see a decade ago.
From the public’s perspective, they often hear of ransomware and hacktivist attacks, and in fact, they are often the victims of them: attacks on hospitals, on pipelines and electric grids...of personal information being held hostage. They read about platforms like TikTok and Huawei, and the threats posed by the PRC through those and other platforms. While these challenges are nothing new to those here, these discussions have in many respects reached a critical mass, and they have affected, and informed, policymakers and lawmakers.
Yet what the public knows is not the whole story. What makes the news are just a few of the many, regular, stealthy and covert attacks on a wide array of digitally-enabled capabilities on which we rely. Most attacks are, by design, hidden, with their frequency and sophistication growing, including from state supported actors, on an increasingly large number of vulnerable targets.
The public may not know all the details about SolarWinds, or the OPM data breach, or the Storm 0558 breach last summer, but you do... and you know that these are not the only penetrations that have caused enormous damage in recent years.
In fact, in 2023 there was an all-time record number of data breaches in the United States: 72 percent more than in 2021, which had previously been the record holder. All these breaches... every single one... was enabled by a cyber attack.
And in spite of our collective efforts to understand and counter them, this threat is not receding: It is growing and evolving. That is why this conference, and your attendance here today to take on this growing challenge as a community, is so important.
When this conference started as a technical workshop a decade ago, it originated as the bright idea of a few counterintelligence experts, and some technical industry SMEs: The concept was to come together to discuss and share insights on supply chain integrity and risks from their different perspectives.
Even back then, the Intelligence Community was forecasting that supply chains, particularly cyber supply chains, would increasingly come under attack. In 2014, DNI (James) Clapper was already raising the alarm regarding the IT that the IC acquired and used for its mission. He recognized that the number of denial-of-service attacks, attacks that delete information, and the spread of malware in IC systems was only going to continue to grow...and they have.
Ten years ago, for the first time, Director Clapper told IC elements to incorporate supply chain security into IT acquisitions, share supply chain threat information, and work with stakeholders to mitigate our supply chain risk.
Fast forward to today… While this event’s scope and scale have expanded, the basic purpose remains the same: To ensure that we have trusted and assured supply chains for the technology and tools we need to support our Intelligence and Defense Communities, and raise awareness within the USG more broadly. The continued growth and increased participation in this conference is, to me, a demand signal that we need more supply chain security and risk information sharing, and this is something the DNI and I are committed to doing.
For those of us in the Intelligence Community, our Supply Chain Risk Management (SCRM) integrity efforts include supply chains for cutting edge capabilities in quantum sensing and computing, cryptology, Artificial Intelligence; microelectronics and integrated circuits; genetics and biotechnology, as well as those technologies used in the space, air, land, and sea domains.
It is no surprise to those here that these also happen to be areas that the People’s Republic of China has identified in their plans as top priorities, in which to develop and overtake the United States. They are willing to do so by any means. This includes espionage, theft, or through many seemingly legitimate corporate or academic relationships that advance their objectives, enhance their capabilities... and compromise or curtail ours, and those of our allies.
While the PRC is far from the only threat we face, it is an unparalleled one. As FBI Director Chris Wray recently said, the PRC engages in wholesale theft of our innovation and of personal and corporate data, with their cyber threats made vastly more dangerous by the way they knit cyber into a whole-of-government campaign against us.
This is why the DNI has made promoting resilience in our nation’s critical infrastructure, and securing critical supply chains a top priority, as seen in our investments, and in the National Intelligence Strategy.
If we fall victim to the PRC or any adversary that attempts to penetrate our systems, many of the advantages we have not only disappear, but turn into disadvantages. As a consequence, even if we “run faster,” we will find ourselves falling behind, which is why ensuring supply chain integrity for critical capabilities is a no-fail mission.
When it comes to supply chains, we are only as strong as our weakest link. That is why we need to bring together those from across the entire supply chain community to discuss the evolving threat landscape: customers and end users, those building and providing the capabilities, and those defending the capabilities.
This conference is an opportunity to hear from technology experts in government and industry on the impact supply chain attacks have had on their enterprises, and how together we can help identify, defend against, and counter them. It is a chance for us to secure the digital thread, from beginning to end.
The conference includes sessions about how we can guard against third party risks and insider threats; how we can prepare for supply chain shocks; and what steps we can take to increase our resiliency. There are sessions on supply chain integrity for microelectronics, the space ecosystem, AI roadmaps, and telecom security.
To help frame these discussions, NCSC and their partners in SCRM have developed a catchy thematic acronym, ACE: Ensuring supply chain integrity through Acquisition, Cyber, and Enterprise security, and the importance of incorporating all three disciplines into SCRM programs. When this happens, it ensures that you are always “aces high” and have your “ace on base” through the use of programs that incorporate not just your bottom line, but the bottom line needs of your customers and their expectations.
That leads me to the new SCRM guidance that ODNI and NCSC have developed to help provide a framework for assessing supply chain risks from multiple threat vectors.
Based on the process risk assessment developed by NIST, this SCRM guidance encourages organizations to understand supply chain risks when considering their risk tolerance, particularly as they incorporate critical technologies into their ecosystem.
To give an analogy: What are the SCRM risk tolerance expectations for suppliers of critical elements in a spaceship, a satellite, or a jet fighter? What happens when there are vulnerabilities in your critical technology, your code, or your product? Our new SCRM guidance helps capture this, and frames options for both decision makers and those who are responsible for implementing supply chain integrity assessments for the products and services we use.
I know these are not easy decisions to make corporately. I understand the need to focus on cost, schedule, and performance as stewards of taxpayer dollars.
However, if our suppliers are not incorporating supply chain security into their risk assessment, then we cannot determine the integrity of the products we use for our missions, putting everyone at risk.
This starts with the primes... then flows down to their subs, and to their subs to the nth degree…all of whom take on targeted risk from state actors, particularly for the kind of complex technologies we need to advance the IC’s mission. These risks are overlapping.
Yet it is important to understand that there is a process, and there are certain expectations...and we in the IC must also seek to increasingly speak with one voice and to quantify all the risk. We must more effectively incentivize industry partners to find risk, and to make the phrase, “know your supplier” as commonplace as the phrase “know your customer”. We must do better at understanding, estimating and taking steps to counter risk, increase resilience, and enhance our ability to detect and defend against those seeking to corrupt our supply chains. And I know that in order for this to happen, it must be done collaboratively and as a Community, because this risk is shared, and so must be the rewards for mitigating the risks.
While you are here at this conference, I want you to think about what we can do to achieve a higher level of supply chain integrity: Who is doing this best in class, and how did they get there? What is it that the ODNI, leveraging the authorities of all 18 elements of the IC, can bring to bear so that we can harden critical supply chains against determined and relentless threats?
I don’t pretend to know all the answers, but I do know that supply chain integrity is an intelligence problem, and its solution is also rooted in the information we collect, the analysis we perform, and the insights we deliver.
I also know that we cannot do this alone, and we welcome external partner engagement and ideas on how we can develop the right balance between the robust, dynamic, and innovative tech ecosystem that we need, with the security we must have. Finding that sweet spot is mission critical not only for the here and now, but for the future of our country, our people, and the values and freedoms that we cherish.
These things not only motivate us, but I believe it is those very freedoms that are the “ACE up our sleeve” in the strategic competition we are in, and as we seek to successfully develop and deploy the innovations we produce. These innovations must also include protections for the most critical technologies, systems and capabilities that we have, and that we must continue to develop to stay ahead globally.
So whatever hand you’ve been dealt, don’t hold your cards too tight. Rather than playing against each other, recognize that we are playing on the same team. And unlike in poker, bid whist, gin rummy, blackjack and other card games, we can all be winners.
Thank you.