Beyond Compliance: Securing the Supply Chain Against Subtle Cyber Threats

Original Broadcast on Innovation in Government on 4/29/25

Presented by Synack & Carahsoft

In the digital battlespace, the integrity of data is just as important as its confidentiality. Ed Zaleski, Director of Sales for DoD at Synack, brought this into sharp focus by highlighting how cybersecurity is intrinsically tied to operational readiness—especially in the maritime environment where even a misrouted shipment can compromise a mission.

Zaleski’s core concern is subtle data manipulation. Unlike high-profile breaches, these quiet intrusions can alter shipping destinations, inventory counts, or logistics entries without triggering immediate alarms. The consequences, however, can be devastating—disrupting the flow of parts and supplies critical to keeping ships and planes mission-ready. It’s the kind of vulnerability that falls through the cracks of traditional cybersecurity strategies.

He stressed that legacy systems, common across the Department of Defense (DoD), are especially vulnerable. Many were never designed with modern threat models in mind. Zaleski advocates a proactive, risk-based approach: stack-rank legacy systems based on cyber-readiness, prioritize those for modernization, and subject them to rigorous penetration testing—not just to check compliance boxes, but to uncover real threats.

Too often, the DoD and contractors alike focus heavily on compliance for Authority to Operate (ATO) but miss the underlying risk. Zaleski urges a dual focus: don’t just ask “Is this compliant?” but also “Is this secure?” That’s where Synack’s hybrid approach—blending automated tools with human-led penetration testing—comes into play. It’s not about speed alone, but combining scale with intelligence to uncover what traditional scans might miss.

The evolving risk landscape also includes the rise of AI. Zaleski warns that adversaries will use AI to accelerate their attacks. To keep pace, defenders must also embrace AI—especially in continuous testing environments where threats shift rapidly.

For all the talk about “zero trust,” Zaleski issues a challenge: how do you know your zero trust framework actually works? You can’t just assume. It must be tested—thoroughly and often. Confidence in supply chain integrity isn’t built on slogans; it’s built on constant, evidence-based evaluation.

Ultimately, Zaleski’s message is about shifting from passive defense to active assurance. In a world where supply chains are digital front lines, it’s not just about keeping adversaries out—it’s about proving they aren’t already in.

Key Takeaways:

• Subtle Data Manipulation is a Major Threat: Operational readiness can be compromised by minor changes to logistics data.

• Legacy Systems Need Risk-Based Testing: Don’t just check for compliance—prioritize systems based on cyber-readiness and test accordingly.

• Zero Trust Requires Proof: The only way to trust your defenses is to continuously test them with real-world attack scenarios.