Government procurement can bolster the strength of local small businesses (SMBs), and provide an example for technology adoption in areas such as eInvoicing and electronic payments. Increasingly, though, experts are identifying government procurement as an instrumental component of promoting cybersecurity for the public and private sectors alike.
The latest report from The Kosciuszko Institute introduced a set of government procurement cybersecurity recommendations, the result of conversations and debate held at the recent European Cybersecurity Forum — CYBERSEC event. In its roundup of key takeaways, The Kosciuszko Institute's number-one conclusion was that "cybersecurity can and must be strengthened through public procurements."
With government procurement a process that merges both government and corporate data, public sector supply chains are facing heightened cybersecurity threats. In addition to urging government action to enhance cybersecurity (including the recommendation that the European Union (EU) public procurement directive should include a chapter on how to secure and safeguard public procurements), the report urges governments to introduce cybersecurity requirements in their IT procurement practices.
"It is strongly recommended that public sector and public procurement bodies talk more to their IT security agencies, and implement cybersecurity strategies through public procurements," the report stated.
The Department of Defense (DoD) is among several government agencies that have introduced measures to heighten scrutiny of their suppliers' supply chain security measures. Signifying just how imperative cybersecurity is to DoD procurement, the agency introduced security as the fourth "acquisition pillar," the other three being cost, schedule and performance.
Deputy Under Secretary of Defense for Intelligence Kari Bingen said in a statement that the initiative aims to "create incentives for [the] industry to embrace security, not as a cost burden, but as a major factor in their competitiveness for U.S. government business."
Last year, Congress approved Section 881 of the 2019 National Defense Authorization Act, which enables the Secretary of Defense and the Secretaries of the Army, Navy and Air Force to decide not to work with certain government suppliers if the agency head determines the supply chain risk of working with that contractor is too high, and may pose a risk to national security, the law firm explained.
The importance of cybersecurity is not only related to the ability of government entities to protect government data. Indeed, with government procurement practices often an influence on the broader private sector, in areas like eInvoice adoption and shorter payment times, the focus on cybersecurity could have broader implications for how businesses, particularly small firms, prioritize their own cybersecurity.
Some experts have warned that government entities' focus on procurement cybersecurity could lead vendors, particularly small contractors, to lose out on business if their own cybersecurity and supply chain risk mitigation initiatives are subpar.
"In recent years cybersecurity has become a deciding factor in whether your firm wins or loses public sector tenders," stated Tracker Intelligence in recent analysis. "[SMBs] that fail to adjust to rising expectations around cybersecurity risk being left behind when it comes to public procurement opportunities."
Small businesses must make cybersecurity a priority if they are to collaborate with the government, but there is evidence that some government entities are not doing enough to safeguard themselves, either.
A report released last year from the U.K.'s Joint Committee on the National Security Strategy warned that the government's current approach to cybersecurity is "long on aspiration, but short on delivery." Reports at the time highlighted the National Health Service (NHS), hit by the infamous WannaCry attack in 2017, with subsequent research by the Financial Times (FT) finding that one-quarter of NHS trusts in England and Wales failed to allocate any money on cybersecurity training in 2018.
A study published last spring by the Department of Management and Engineering at Linköping University in Sweden revealed that the majority of cybersecurity incidents related to government procurement were preventable. Researchers identified key factors that emphasized the need for both internal and external cyberthreat analysis to mitigate the risk, particularly as separate analysis has shown that many cyber incidents are a result of "internal actions, and not external threats."