I was listening to a CERT talk on supply chain issues recently. At some point the commentators said something to the effect that supply chain issues are getting attention because businesses must interact with vendors and suppliers. I imagine the commentator was addressing the increased complexity of products, the increased complexity of these business relationships, and the ever-shrinking world we live in (which is also increasingly complex), as well as the perception that these risks are on the rise as a result of these elements.

As someone who looks at supply chain issues on a regular basis, I don’t see a light at the end of the tunnel. Information exchange is probably one of the earliest forms of supply chain dynamics/threats. The animal nature to exploit advantages to maximize survivability and reproduction (success) is not limited to interactions in the physical realm, but includes access to information otherwise limited to others. Eventually, the barriers involved in compartmentalization of information break down; the systems once put in place to restrict information flow to maintain survival advantages (within a family, tribe, company, or nation) become the victim of entropy or the death of a thousand leaks. The information becomes commonplace and the value of that information decreases.

From an evolutionary standpoint, it’s probably safe to say the benefits of social exchange outweigh the risks. Social exchange has an element of Locard’s principle; something of each party is left behind. Each party, to the extent they are capable, becomes aware of the other’s strengths and weaknesses, many of which will not even be primary to the issue being discussed. On the other hand, much of this information could be ascertained through observation absent social interaction. Social exchange affords the chance to misrepresent oneself while still reaping the reward from the exchange. Either way, information is transmitted, and may be ‘lost’ to another entity which is not entirely beneficial. With this in mind, each of us goes into the social contract, or really any interaction, with a degree of acceptable risk.

The increasing interconnectivity of the modern world seems to have a negative correlation to the window of time in which individuals can effectively exploit emerging relationships. Information cannot be effectively managed simply because there is too much of it to process. Although some might claim efforts to analyze “big data” allow for such, the effectiveness is limited by inputs, for some of which there are simply no collection mechanisms. The human mind simply has not evolved beyond its hunter-gatherer roots; our minds are essentially tied to a world in which you might only meet tens of persons in a lifetime. Automated crunching of big data is a boon to interpreting an increasingly complex world with a limited ability to process information, but we are generally kept in a reactive state.

So what is industry to do in the face of the lightning speed of supply chain issues? No longer is it just an issue of where materials or sub-components come from; rather, it is the source code development, the development of universal standards, the academic thought train, the emerging political realities, all interwoven and changing.

Obviously industry must continue to monitor and react to the relationships which affect their overall survivability, as do all animals, but getting beyond a purely reactive stance means more than that now. NIST and CERT both address the defensive mechanisms all industries should establish, but beyond that we are faced with the supernova of information which needs to be processed to completely get in front of supply chain. That’s where we all need to focus: on determining what level of risk is acceptable, what level is manageable. Once those domains are established, looking one level beyond the traditional supply chain vectors becomes more digestible. We can and still should watch where the widgets come from, but now perhaps we also pay attention to the human climate those widgets come from.