How an Inventory List Secured the Supply Chain of Operation Warp Speed

Operation Warp Speed astonished America with how quickly the vaccine was not only developed but deployed. This in part is due to the leadership of many individuals and the cooperation of public and private partnerships. One key area that the media seemed to miss, however, is the talented cybersecurity professionals who worked around the clock to make sure the COVID-19 vaccine supply chain was not hacked.

No matter your opinion about the vaccine itself, the fact is CISA did a phenomenal job with the security of the production process, and that’s something we could use more of in the Medical and Manufacturing industries.

CISA is the United States’ Cybersecurity and Infrastructure Security Agency. A task force was created within CISA during Operation Warp Speed to oversee the security of the vaccine development process. On that task force was Josh Corman, who is a senior advisor at CISA as well as the founder of IAmTheCavalry.org, a grassroots organization focused on the intersection of digital security, public safety, and human life. Corman understands the gravity of supply chain resilience, and that it cannot be accomplished without communication between all stakeholders.

As part of that communication, one of the first things you do when you take over a cybersecurity project is a detailed asset and vendor inventory. In the case of Operation Warp Speed, there were many vendors to catalog. And each vendor posed a potential security threat to the operation if they were somehow compromised.

A Verge article explains, “What worried Corman weren’t places like Pfizer and Moderna. Those big, name brand companies all employ in-house cybersecurity experts. He was worried about companies like the one making an mRNA ingredient: small, anonymous groups that made bits and pieces pivotal for vaccines, but that might not have ever thought they’d need to protect against a hacking campaign.”

Most often, these smaller companies are within the supply chain of the bigger companies and can be easily overlooked when conducting a vendor inventory.

“‘I asked, what are those smaller, less obvious players that, if they’re disrupted, means there’s no vaccine? And no one had an answer,’ Corman says.”

So Corman started a thorough inventory. “The list was dynamic — at the start of the process, it focused on groups involved in vaccine research and development. Then it shifted to companies working with the manufacturing and distribution of the shots. Overall, the group identified hundreds of companies involved in the process that could have been risks.”

Wow. What a great example of how an incomplete vendor inventory could have severely impacted the mission of Operation Warp Speed. One overlooked vendor with poor security could have shut down the operation completely if they were victim to a cyber attack.

Vendor inventories are a critical action every Idaho business should be completing and updating regularly with their IT team. This is especially true for Medical Facilities and Manufacturers, who deal with dozens to hundreds of vendors (and tertiarily, their vendors). Why spend the time and money to secure your environment if you are using a vendor that it below the cybersecurity poverty line? It doesn’t make sense.

Know your vendors’ security posture, and what they are doing to protect YOU in their practices. This is something you have the right to know and should know – especially if you want to be approved for cyber insurance.