Sarbari Gupta Of Electrosoft Services On What We Must Do To Create Nationally Secure And Resilient Supply Chains

An Interview With David Leichner

David Leichner, CMO at Cybellum
Authority Magazine
9 min read · Sep 18, 2022


Identify multiple sources of critical supply chain elements so as not to have overdependence on a single source.

The cascading logistical problems caused by the pandemic and the war in Eastern Europe have made securing a reliable supply chain a national imperative. In addition, severe cyberattacks like the highly publicized Colonial Pipeline attack have brought supply chain cybersecurity into the limelight. So, what must manufacturers and policymakers do to ensure that we have secure and resilient supply chains? In this interview series, we are talking to business leaders who can share insights from their experiences about how we can address these challenges. As a part of this series, I had the pleasure of interviewing Sarbari Gupta.

Dr. Sarbari Gupta has been active in the information security industry for over 20 years, specializing in cybersecurity, digital identity and access management, and cloud security. She holds PhD, MS and BTech degrees in Electrical Engineering and CISSP and CISA certifications. Dr. Gupta, a frequent speaker at industry conferences on cybersecurity topics, has authored over 40 technical papers/presentations on leading-edge topics and holds four patents in areas of cryptography. She has co-authored several NIST Special Publications in the areas of Electronic Authentication (SP 800-63), Security Configuration Management (SP 800-128), and Mobile Credentials (SP 800-157). She has received many accolades, including the Distinguished Alumnus Award from the Indian Institute of Technology (Kharagpur); NOVA/PSC GovCon Executive of the Year (under $75M); FedHealthIT Women in Leadership Impact Award; U.S. Women’s Chamber of Commerce’s Stellar Award; Silver Stevie® Award for Female Executive of the Year; and the Washington Business Journal Minority Business Leader Award.

Dr. Gupta is the Founder and CEO of Electrosoft Services, Inc., a provider of technology-based services and solutions with a special focus on cybersecurity. Serving Government and commercial customers since 2001, Electrosoft holds ISO 9001, ISO/IEC 20000, ISO/IEC 27001 and CMMI Level 3 certifications.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I was born in India and grew up in an upper middle-class family of professionals (doctors, engineers, professors, scientists, and more). I enjoyed studying math and physics, so I opted to attend an engineering college. After graduation, I decided to come to the United States to pursue my graduate education.

Can you share the most interesting story that happened to you since you began your career?

When I came to the United States in the late 1980s, I intended to specialize in electrical communications engineering. However, in graduate school I was exposed to the world of computer security and cryptography. I was so fascinated by these studies that I decided to focus on computer and data security instead. I have never looked back. The Internet and World Wide Web have completely changed our world over the last three decades, yet as change progresses, the field only grows in relevance.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

Three character traits that most helped me achieve positive results in my professional career are:

  1. Believing — When I started Electrosoft Services, Inc. in 2001 from the basement of my house, I faced multiple challenges. Running a government contracting firm involved areas where I had little or no background, such as accounting, employee benefits, government contracting, facility security, sales, and more. Without the resources to hire subject-matter experts in these fields, I had to learn about these areas — and others — to address the challenges my start-up company faced in the early years. In so doing, I strengthened my “problem-solving muscles” and gained the creativity and confidence necessary to tackle the other, more difficult challenges that arose as our company grew.
  2. Persistence — I am never afraid to work hard or keep trying when I set a goal. Our company tried (without success) to get into the SBA 8(a) program for many years. Recognizing such status was essential to continue growth, we persisted. Our perseverance finally led to acceptance into the program in 2015.
  3. Caring — Since starting Electrosoft, two priorities have shaped our evolution into an award-winning federal IT and professional services firm. Our highest priority is to take care of our customers and do our best to keep them happy. That focus — and the value system that propels it — has enabled us to make the right decisions at critical times, paving the way for the long-term stability and success our company enjoys. We realized early on that an essential component of customer care lies in happy employees who feel Electrosoft addresses their needs. We therefore focus on work-life balance and other contributors to employee satisfaction.

Are you working on any exciting new projects now? How do you think that will help people?

Cybersecurity and identity management are core areas of our firm’s technical focus. There are quite a few exciting projects underway for our government customers. Two efforts within the public domain include:

  • Helping to rewrite and update National Institute of Standards and Technology (NIST) Special Publication 800-63, the preeminent guideline used by federal agencies to authenticate users for online services and resource access. The updated guidelines will enable federal agencies to implement more user-friendly online services and reach a broader population while reducing the risk of online fraud.
  • Operating a laboratory for the General Services Administration that tests the physical access control products used by federal agencies. Ultimately, the products we test and place on the GSA Approved Products List will ensure that only sufficiently authenticated and authorized individuals can enter controlled-access federal facilities and that bad actors will be identified and barred from unauthorized entry.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. What does the term “supply chain” encompass?

The term supply chain encompasses all the players (people, companies, networks) involved in building, delivering and operating a product or solution. In today’s world, supply chains for even simple products can span many individuals, companies and nations.

Can you help articulate what the weaknesses are in our current supply chain systems?

The biggest weaknesses in our current supply chain systems include:

  • Lack of transparency and visibility into upstream links.
  • Overdependence on one or more suppliers and lack of redundancy.
  • Lack of methods and processes to ensure the quality and accountability of the supply chain’s intermediate elements.
  • Failure to address cybersecurity issues of third-party vendor systems.

Can you help define what a nationally secure and resilient supply chain would look like?

I don’t believe it is possible to progress to a state where we have a “nationally secure and resilient supply chain.” However, the actions that can move us toward that goal include:

  • Establishing and mandating methods that require suppliers of end products and solutions to provide a description of the full supply chain for their product or service, much like a Bill of Materials.
  • Ensuring that all critical infrastructure sector organizations strengthen their acquisition processes to identify and vet multiple sources of the target product or service before selecting one. The vetting processes should incorporate strong supply chain requirements in addition to functional and IT security requirements.
  • Implementing private or public sector services that maintain supply chain ratings for various suppliers and a list of supply chain vulnerabilities for products and services that are widely in use. Something like the NIST NVD (National Vulnerability Database) program but focused on supply chain issues would be a great start.
  • Providing government incentives to industries that supply critical components of the products and solutions that support the nation’s critical infrastructure to set up manufacturing/development centers within the country. This program would alleviate overdependence on foreign nations for supply of such critical components.

My particular expertise is in cybersecurity so I’m particularly passionate about this topic. Can you share some examples of recent and notable cyber attacks against our supply chain? Why do you think these attacks were so significant?

Some examples include:

  • 2013 Target Attack — This breach didn’t involve Target’s systems but rather exploited a third-party vendor’s system. Cybercriminals target third parties because typically their systems aren’t as secure as those of major companies. Significance: Companies need to remember that the systems of all third-party vendors in their supply chain must be as secure as their own because attackers will always seek the weakest link in the supply chain.
  • 2020 SolarWinds Attack — A foreign threat actor infiltrated malware into the product’s update process so that the malware infiltrated the customer environments where the product was used. The malware persisted on the customer networks for many months before the attack was detected. Significance: Very stealthy attack; infiltrated many organizations since this is a popular product in use across the world.
  • 2021 Kaseya Attack — Kaseya VSA is widely used by MSPs to manage client IT environments. A vulnerability in the VSA product was exploited to introduce REvil ransomware into VSA servers (implemented on-premise by MSPs) that were exposed to the Internet. As a result, the infected MSP VSA servers further infected the customer endpoints managed by the MSP. Significance: Vulnerability in widely used MSP software used to spread ransomware to large numbers of MSP client environments.
  • 2021 Log4j attack — Log4j is an open-source utility used by millions of software applications. A flaw in this utility allowed remote code execution for applications that include this utility. Significance: Given the vast scope of impacted applications and the companies using them, it has been exceedingly difficult to identify and mitigate this risk even after identification of the attack.

What would you recommend for the government or for tech leaders to do to improve supply chain cybersecurity?

Top recommendations include:

  • Implement mechanisms to track the various players in the supply chain through the full life cycle of a product.
  • Promote technologies such as digital signatures and blockchains to record attestations and status of products at various stages of the life cycle.
  • Implement more testing and certification schemes for products that support critical infrastructures where failures can have devastating effects.
  • Establish system security standards to which all supply chain parties must adhere.

Ok, thank you. Here is the main question of our interview. What are the “5 Things We Must Do To Create Nationally Secure And Resilient Supply Chains” and why?

Five things to do:

  1. Identify multiple sources of critical supply chain elements so as not to have overdependence on a single source.
  2. Implement national policies that promote domestic manufacture and development of critical supply chain elements so as not to be dependent on foreign sources.
  3. Implement mechanisms to track the various players in the supply chain through the full life cycle of a product.
  4. Promote technologies such as digital signatures and blockchains to record attestations and status of products at various stages of the life cycle.
  5. Implement more testing and certification schemes for products that support critical infrastructures where failures can have devastating effects.
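The recommendation above (and the same point in the earlier list of recommendations for government and tech leaders) to use digital signatures and chained records for life-cycle attestations can be made concrete with a small program. The following Go code is an added example written for this page; it is not code from the interview, from Electrosoft, or from any standard. It assumes three constructed parties (manufacturer, integrator, distributor) with freshly generated Ed25519 keys, a constructed bill of materials, and a hash-linked sequence of signed attestations that stands in for the "blockchain" idea in its simplest form (a tamper-evident linked list held by a verifier, not a distributed ledger). The verifier keeps its own map of party names to trusted public keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Component is one entry in a product's bill of materials (constructed data).
type Component struct {
	Name     string `json:"name"`
	Version  string `json:"version"`
	Supplier string `json:"supplier"`
}

// Attestation records one life-cycle stage. PrevHash references the
// preceding attestation so the sequence forms a tamper-evident chain.
type Attestation struct {
	Stage      string      `json:"stage"`
	Party      string      `json:"party"`
	Components []Component `json:"components,omitempty"`
	PrevHash   string      `json:"prev_hash"`
}

// SignedAttestation carries the serialized attestation, its hash (which the
// next link must reference), the signer's public key and the signature.
type SignedAttestation struct {
	Payload   []byte
	Hash      string
	PublicKey ed25519.PublicKey
	Signature []byte
}

func hashPayload(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Sign serializes an attestation and signs it with the party's private key.
func Sign(a Attestation, priv ed25519.PrivateKey) (SignedAttestation, error) {
	payload, err := json.Marshal(a)
	if err != nil {
		return SignedAttestation{}, err
	}
	return SignedAttestation{
		Payload:   payload,
		Hash:      hashPayload(payload),
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, payload),
	}, nil
}

// VerifyChain checks that each link was signed by the key the verifier trusts
// for that party, that the signature and stored hash match the payload, and
// that each link references the hash of the previous one (no gaps, no swaps).
func VerifyChain(chain []SignedAttestation, trusted map[string]ed25519.PublicKey) error {
	prev := ""
	for i, s := range chain {
		var a Attestation
		if err := json.Unmarshal(s.Payload, &a); err != nil {
			return fmt.Errorf("link %d: malformed payload: %w", i, err)
		}
		want, ok := trusted[a.Party]
		if !ok || !want.Equal(s.PublicKey) {
			return fmt.Errorf("link %d: party %q signed with an untrusted key", i, a.Party)
		}
		if !ed25519.Verify(s.PublicKey, s.Payload, s.Signature) {
			return fmt.Errorf("link %d: bad signature", i)
		}
		if hashPayload(s.Payload) != s.Hash {
			return fmt.Errorf("link %d: stored hash does not match payload", i)
		}
		if a.PrevHash != prev {
			return fmt.Errorf("link %d: chain break (expected prev %q)", i, prev)
		}
		prev = s.Hash
	}
	return nil
}

// BuildDemoChain builds a three-stage chain with fresh keys; every party,
// component and version here is constructed for the example.
func BuildDemoChain() ([]SignedAttestation, map[string]ed25519.PublicKey, error) {
	trusted := map[string]ed25519.PublicKey{}
	keys := map[string]ed25519.PrivateKey{}
	for _, p := range []string{"manufacturer", "integrator", "distributor"} {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, nil, err
		}
		trusted[p], keys[p] = pub, priv
	}
	board := Component{Name: "controller-board", Version: "2.1", Supplier: "AcmeBoards"}
	fw := Component{Name: "firmware", Version: "1.4.2", Supplier: "ExampleFW"}
	stages := []Attestation{
		{Stage: "manufactured", Party: "manufacturer", Components: []Component{board}},
		{Stage: "integrated", Party: "integrator", Components: []Component{board, fw}},
		{Stage: "shipped", Party: "distributor"},
	}
	var chain []SignedAttestation
	prev := ""
	for _, a := range stages {
		a.PrevHash = prev // link to the previous stage's hash
		s, err := Sign(a, keys[a.Party])
		if err != nil {
			return nil, nil, err
		}
		chain = append(chain, s)
		prev = s.Hash
	}
	return chain, trusted, nil
}

func main() {
	chain, trusted, err := BuildDemoChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("intact chain:", VerifyChain(chain, trusted))
	// Dropping the integrator's attestation breaks the hash link and is detected.
	fmt.Println("missing stage:", VerifyChain([]SignedAttestation{chain[0], chain[2]}, trusted))
}
```

The design point is that each party only ever signs its own stage, while anyone holding the public keys can check the whole history; a record that is altered after signing, re-signed with an unrecognized key, or removed from the middle of the sequence fails verification. In practice the components list would be a full SBOM and the trust store would be managed rather than generated at run time.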

Are there other ideas or considerations that should encourage us to reimagine our supply chain?

Just like we appreciate food made from scratch, we should encourage society to value products made from scratch (or manufactured domestically) and be ready to pay a premium for them. This approach would discourage manufacturers from selecting lower cost components from a global supply chain.

You are a person of great influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

Require every product to carry a label that includes all of the components used (like a food label) and the sources of the components.

How can our readers further follow your work online?

Some of the work done by our company is highlighted in Client Stories posted on our website at www.electrosoft-inc.com.

Our work can also be followed through our social media postings on LinkedIn and Twitter.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is the Chairman of the Friends of Israel and Member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.
