Supply Chain Security – Not As Simple As It Sounds



SolarWinds’ massive exploit is a prime example of what is called a “supply chain” vulnerability. The vast majority of people affected by the Russian SolarWinds attack probably had never even heard of the SolarWinds company and did not realize that they depended on it for critical infrastructure. This is because modern supply chains, manufacturing, technology, and Internet and telecommunications networks depend on complex networks of supply chains – or, more specifically, supply networks – that are vulnerable to disruption and attack. While defense contractors, the intelligence community, and the Department of Defense all try to solve this problem, for business entities supply chain security can mean the difference between being able to provide products and services efficiently and going bankrupt. Yet it is incredibly complex and difficult even to identify what your supply chain is and what your dependencies are. There are some things you can do today, from a practical and legal standpoint, to gain greater visibility into your supply chain and better ensure its security and resilience.

A glass of milk

Take something as simple as a glass of milk. What is the “supply chain” required to put that glass of milk in your hand? Basically all you need for a glass of milk is a glass and a cow, and you can probably get by without the glass. But the “supply chain” for this glass of milk can be very complex and can include land, grass, water, fertilizer, runoff, access to land, livestock supply, feed, manure (removal), infrastructure (barns, troughs, etc.), milking machines, electricity, storage, refrigeration, transport, pasteurization, cartons, labels, advertising, promotion, and transport to stores with their own infrastructure. Then the customer has to go to the store, buy the milk, bring it home, refrigerate it and, of course, find a glass.

We can make the supply chain even more complicated when we take into account the supply chain needed to run the milk transport truck, or the supply chain needed to make sure we have electricity, or the supply chain necessary to ensure that sellers, suppliers and merchants can all get paid (banks, wire transfers, Internet payment methods).

We can complicate it even more if we add the computers, routers, hubs, etc. necessary for all of this to work. And further still, we can add the chips, software, code and other things needed to run those computers and routers. And finally, there is the supply chain of people needed to do all of this work, which can include things like skills, recruiting, background checks and the infrastructure to get them to the farm, factory or office. All that for a glass of milk.

It would be impossible for a dairy to know every interdependence and the provenance of its entire supply chain. It should know where it gets its power and its machines, understand how transport to the processor works, and have an idea of the risks associated with at least those pieces of infrastructure. Is the feed safe? Has it been contaminated? Is the supply reliable? Do I have a back-up supplier for the feed, and is that feed safe? Things like that.

Know your risks

The first step in “supply chain” security for any business is therefore to identify the critical supply chain and the risks and impacts associated with supply chain failures. Failures can include disruption (for example, your essential product is on a ship stranded in the Suez Canal), contamination, or a general lack of protection.

Typically, we look at what we call CIA: confidentiality risks, integrity risks, and availability risks. So take a look at what your business is and what it depends on. Identify the key players in your risk environment: vendors, suppliers, communications, Internet, transport, etc. Include those who have access to your computers and networks, cloud providers, service providers, and more. Basically, everything you need to stay in business. Who do you depend on?

Representations and warranties

Supply chains, at base, involve relationships. These relationships are often defined by contracts, which can be explicit or implicit. When you buy a CAT-6 cable from Staples, Best Buy, or even a drugstore, you expect the cable not only to do what it is supposed to do, but also to contain no surveillance chip designed by the GRU in Russia to send your communications to someone in St. Petersburg.

You would expect the local CVS to have purchased the cable from a reputable supplier, who purchased it from a reputable manufacturer who in turn maintained control of the manufacturing process and transport to market. You would also expect CVS to have a process in place to prevent someone from entering the store and swapping “real” CAT-6 cables for those “upgraded” cables. You expect supply chain security. But, from a legal point of view, is this expectation reasonable? After all, there is no formal contract between you and CVS. You just bought a cable.

The sale transaction is generally covered by Article 2 of the Uniform Commercial Code. When you sell something, you are not just selling the product. You warrant and represent that the thing you sell is free from “defects”, that it is what it claims to be, and that it is “fit” for the use for which it is intended. A compromise of the supply chain that alters the character of the goods being sold can result in a breach of the fitness or other warranties and expose you to liability, just as much as if listeria in contaminated milk makes the people who drink it sick. Thus, supply chain security is necessary to live up to the express or implied warranties concerning your products or services. If you agree to paint someone’s house and cannot get paint because the paint company’s product is on that same ship stuck in the Suez Canal, you could be held responsible for a breach of contract. In more formal contracts, you may commit to delivering a product of a particular quality at a certain point in time, and supply chain security issues can put you in violation of those agreements. Additional liability may be imposed under a tort theory. Companies that fail to protect their supply chains can be seen as reckless or negligent and may owe a duty to sellers, suppliers or consumers to do what they are supposed to do.


A supply chain is, by definition, an interdependence. The problem with using contract law or tort law to enforce supply chain security is that, in order to sue under a contract, you often have to be “in privity” with the contract – you may need to be a party to the contract or the recipient of the promise. The company that purchases the “defective” CAT-6 cable can probably sue CVS, but can it sue the trucking company that delivered the cable, the company that heat-sealed the cables, the company that made them, or the engineer who designed them under a breach of contract theory? Probably not. Even under a tort theory (negligence), to succeed, an aggrieved party would have to show that the party that failed to secure the supply chain owed them a duty of care and that it was reasonably foreseeable that they would be harmed. Could someone who could not get life-saving medicine at the local Eckerd drugstore sue the operator of the ship that blocked the canal (even though the ship had no drugs on it)? Supply chain tort liability is probably broader than contractual liability, but there are important limits to who can be sued and for what. This is important because responsibility – and potential liability – motivates action. If you are liable for a supply chain failure, you will spend resources to mitigate that risk. If not, you might not.

Get it in writing

In the short term, the most effective way to mitigate supply chain security risk is to (1) identify your supply chain for products and services; (2) identify the risks associated with the vendors or suppliers on that supply chain; and (3) require those in the supply chain to take reasonable steps both to mitigate their own risks and to identify and mitigate the risks associated with their supply chains. It is a never-ending game of pointing fingers.

In contracts, purchase orders, specifications or other legal arrangements with critical suppliers, you need to identify what you want them to do in terms of supply chain security, availability and confidentiality; what standards you want them to adopt; how you want them to certify or audit compliance; and what the consequences are if they do not comply. You also want to identify any regulatory requirements for supply chain or security that you expect them to comply with. In addition, you want them to “flow down” these requirements to their own vendors or suppliers (or at least those essential to your process) and to accept liability if one of their suppliers fails. This also means that your vendors and suppliers will seek to impose the same standards on you, and you must be prepared to meet those requirements.

With great power comes great responsibility. Supply chain security is monumentally difficult. In the short term, it is important for companies to identify critical dependencies in their supply chain and plan for the resilience of those supply chains while imposing both duties and liabilities on those they depend on. This will take time, energy and resources, as well as careful negotiation and drafting. Ultimately, however, it can be the difference between keeping or losing a business, and having to cry over spilled milk.
