Annual Computer Security Applications Conference (ACSAC) 2023

Beyond the XBOM: A Holistic Approach to Cyber Supply Chain Risk

ABSTRACT: Business depends on relationships, which require trust, but is is not transitive. How do you "trust but verify" second and tiers of relationships? In security, we are focused on how technology functions - or malfunctions, becomes dysfunctional, or gets misfunctioned. We need to start thinking about manufacturing and production, and not just function: where the tech comes from, who makes the tech, and how the tech is made. Both industry and government are focused on software supply chain security (i.e., SBOMs), and separately, supply chains of critical technologies, e.g., semiconductors, however, we need an integrated approach to thinking about all the aspects related to technology, and therefore security. This talk goes beyond the XBOM (software, hardware, and firmware) to synthesize supply chain security issues related to supplier bases, geopolitical risk and national security, and technology ecosystems. Cyber risk is a type of supply chain risk; adversaries attack through *and* to the supply chain.

BIO: Munish Walther-Puri (he/him) is the VP of Cyber Risk at Exiger, where he focuses on supply chain and cyber risk. He is the former Director of Cyber Risk for New York City Cyber Command. He also teaches on cyber resiliency and cybersecurity at NYU Center for Global Affairs and Columbia SIPA. Prior to working for the City of New York, he worked at a dark web monitoring company, advised startups, and consulted on technology, geopolitical risk, and intelligence analysis. Munish is a CFR member, Cyversity board member, and Fletcher Political Risk Group advisor. He is an ally for the #ShareTheMicInCyber campaign and an Eagle Scout.

Munish Walther-Puri