Protecting the Supply Chain: The CSO Rides Shotgun

Aug 08, 2011 | 4 mins
Business Continuity | Data and Information Security | Physical Security


The term "riding shotgun" is shorthand for "I'm riding up front" and while the practice of sitting up by the driver with a weapon to guard the horse-drawn stagecoaches of the Wild West is well documented, it appears that the actual term emerged somewhat later.

Back then, they must have had another name. Perhaps this much-loved (by drivers and passengers) guard was called the CSO (Chief Shotgun Operator), since he was responsible for risk mitigation on those coach rides and making sure passengers and freight made it to the destination as expected.

The CSO of today might feel a bit like they are still in the Wild Wild West, with potential threats lurking everywhere along the trail, especially when considering the challenges of enforcing cyber supply chain security.

While CSOs, CIOs and others in IT are no strangers to managing risk from threats of all kinds, IT professionals tasked with protecting resources that may be part of national critical infrastructure have been bringing more focus to the issue of cyber supply chain integrity and risk.

From a formal standpoint, the University of Maryland Cybersecurity Center provides this definition:

"The cyber supply chain can be described as the mass of IT systems (hardware, software, public, and classified networks) that together enable the uninterrupted operations of government agencies, companies, and international organizations. Attacks on the cyber supply chain can include malware inserted into software or hardware, vulnerabilities found by hackers, as well as compromised systems that are unwittingly brought in house. Tackling the problem of cyber supply chain protection requires new levels of collaboration among security, IT, and supply chain managers, taking into account the roles of developers, vendors, customers, and users."

From an informal standpoint, there's the case of the Trojan Mouse. Asked to test a company's security without relying on e-mail or other traditional malware venues, NetraGard gutted a Logitech USB mouse and stuffed it with its own circuit board. The team learned, from a social networking site, which antivirus software the company was using, and then wrote code to circumvent it. The next step was to get the mouse inside the company. Taking a page from the ancient Greeks who presented Troy with the gift of a wooden horse bearing hidden warriors, NetraGard repackaged the mouse and sent it to an employee as a modern-day gift: a promotional item . . . bearing hidden code.

The take-home lesson, apart from the continuing relevance of Greek mythology to modern society (beware of marketers bearing mice), is that when considering cyber supply chain security, the threats can come from just about anywhere, making the job of the CSO and other key players all the more challenging. Administrators building critical infrastructure may be more concerned than a typical CSO, but as we rethink the cyber threat and account for cyber espionage, it would be prudent for all of us to update our thinking to include cyber supply chain issues in our risk management processes.

The good news is that the cyber supply chain isn't as chaotic as the Wild Wild West (companies, and countries, realize that placing a backdoor into every product they shipped would invite detection, which would mark the fiscal end of any such company as the market reacted en masse). But it does mean that companies large and small (and countries large and small) will need to develop new ways of ensuring transparency, trust, and security in their cyber supply chain. Expect IT to play a major role in this. In short, every organization is going to want a guard riding shotgun, and who better than the CSO?

NOTE: This article is cross-posted to the Microsoft Security Blog.

Jeff Jones is a 24-year security industry professional who has spent the last several years at Microsoft helping drive security and privacy progress as part of the Trustworthy Computing group. In this role, Jeff draws upon his security experience to work with enterprise CSOs and Microsoft's internal security teams to drive practical and measurable security improvements into Microsoft processes and products. Prior to Microsoft, Jeff was the vice president of product management for security products at Network Associates, where his responsibilities included the PGP, Gauntlet and CyberCop products, and several improvements in the McAfee product line. These latest positions cap a career focused on security, managing risk, building custom firewalls and being involved in DARPA security research projects while part of Trusted Information Systems. Jeff is a frequent global speaker and writer on security topics ranging from the very technical to more high-level, CxO-focused topics such as security TCO and metrics. Jeff is also a contributor to the Microsoft Security Blog ( and writes on a wide range of personal interests (e.g. books, poker, gaming) at