It’s time for real progress on ICT supply chain security

by Andy Purdy Jr., Chief Security Officer, Huawei Technologies USA 

Substantial progress is needed to protect global supply chains against cyber threats. Organisations need to implement plans to address the danger

Information and communications technology (ICT), digitisation and connecting people and companies have all changed lives for the better. However, the increasing number, sophistication and seriousness of successful cyber attacks, and a supply chain that is hard to see and even harder to protect, demonstrate that networks and systems are far too vulnerable to attack by a range of malicious actors.

The major elements of society – government, critical infrastructure, major private companies and the citizenry – are increasingly dependent on ICT for the running of their daily lives and business operations, national security, economic wellbeing, public safety and law enforcement, as well as for the safety, integrity and privacy of corporate and individual data.

The combination of threats, vulnerabilities and significant potential consequences leads to only one conclusion – supply chain risk must be addressed. Admittedly, there are intensified efforts to address cyber security threats generally, and there are pockets of activity in the world where progress is being made, but organisations globally are paying insufficient attention to risks from suppliers.

ICT supply chain risk is particularly daunting as the global supply chain for a product can involve scores or even hundreds of components from a like number of companies operating in multiple countries. An overarching concern with supply chain risk is that malicious actors will insert unauthorised code in authentic or counterfeit products or components that can initiate a wide range of potential attacks to disrupt or degrade services of government, critical infrastructure and private organisations, steal or corrupt private or otherwise critical data, or inflict physical damage. Given the nature and magnitude of the challenge, supply chain risk management is not just about ensuring that products and services will be there when needed, it is also about the criticality of taking a product lifecycle approach to risk – from concept to end-of-life – in order to ensure that products do only what they are supposed to do and nothing more.

Driving toward common standards

Fortunately, key cyber stakeholders in government and the private sector are becoming increasingly aware of supply chain risk and of their responsibility to move beyond sometimes impassioned debate about cyber security threats to make real progress toward addressing supply chain risk in a collaborative, cooperative manner. Stakeholders must drive toward collective agreement on laws, norms of conduct, standards and best practices for suppliers and vendors, as well as toward independent verification mechanisms, with an effort to educate and organise ICT buyers to leverage their purchasing power with the goal of encouraging the availability of more secure products.

Organisations cannot effectively address supply chain risk in isolation. However well intentioned, such an approach is likely to suffer the same fate as those who try to fasten security to a product late in the production schedule, rather than building it in at the concept phase and integrating it throughout production. To be truly serious and effective in addressing supply chain or any other risk, it must be part of an organisation-wide approach to risk. The successful management of risk requires an organisation to do the following:

• Articulate an organisational commitment to address security and privacy risk as part of a risk management or quality program;

• Establish and enforce an internal governance mechanism led by the organisation’s top leadership;

• Identify and incentivise specific security requirements and baselines (the mandatory minimum set of rules, policies and standards) across all areas of the organisation;

• Implement robust and auditable verification and compliance mechanisms;

• Incorporate security into the goals and metrics of departments and business groups, as well as into the performance metrics of business units and individuals, in order to provide incentives and facilitate accountability.

Companies must understand the risk

To address supply chain risk, an organisation must have an understanding of its overall cyber security risk and implement a plan to address it. An example is the Cyber Security Framework developed by the US standards body, NIST. This framework is a tool that can help organisations understand their risk and chart a path to a more appropriate and sustainable risk posture.

Once aware of supply chain risk, many organisations struggle with what to do about it. Fortunately there are encouraging initiatives that can be considered to inform action, such as the SAFECode framework to assess the development processes of providers; the Underwriters Laboratory Cybersecurity Assurance Program; Europe’s ENISA report on supply chain integrity; the EastWest Institute cyber initiative to promote the availability and use of more secure products and services; in the UK, the government’s initiative to facilitate the evaluation of suppliers and the Trustworthy Software Initiative to promote trustworthy software using a compendium of standards and best practices; Japan’s efforts to implement a strategy on supply chain risk; and, in the US, the government’s procurement requirements and private sector initiatives in the energy, defence and financial sectors to address supply chain risk.

Huawei has taken an approach to addressing supply chain risk that is part of its end-to-end, global assurance program and has shared details publicly to invite feedback while encouraging and facilitating a broader dialogue among customers and stakeholders. For Huawei, supply chain risk falls under the purview of the Global Cyber Security and User Privacy Protection Committee (GSPC), Huawei’s top-level cyber security and privacy management body led by a Deputy Chairman. The supply chain is one of the business processes incorporated into security assurance, which also include R&D, sales and marketing, delivery, technical services and all areas that require security consideration – from laws to HR.

As part of the effort to address supply chain risk, Huawei has established a comprehensive supplier management system through which Huawei qualifies suppliers based on the supplier’s systems, processes and products, selects suppliers that can contribute to the quality and security of the products and services procured by Huawei, and continuously monitors and regularly evaluates the delivery performance of qualified suppliers.

One significant tool that allows organisations to address supply chain risk – whether as a provider or buyer of ICT – is the Open Trusted Technology Provider Standard (O-TTPS), recently recognised by the International Standards Organization (ISO). Developed by the Open Trusted Technology Forum, the standard identifies and categorises technology industry best practices for secure engineering and supply chain integrity, the systematic use of which can make a vendor’s products more secure and trustworthy in the eyes of commercial or governmental enterprise customers. Accreditation to the standard is only granted after an independent third-party evaluator confirms it is warranted. The O-TTPS can help meet the need of ICT suppliers and buyers for greater clarity than they get from multiple standards, while affecting what they develop and how, as well as what they purchase and why.

Holding organisations accountable

Finally, more attention must be given to how to motivate organisations, which understand supply chain risk and have an idea of what they should do about it, to take necessary action and to be held accountable if they fall short. It is apparent that too few organisations do what is necessary to markedly reduce risk in the absence of business drivers to do so and of mechanisms to hold them accountable should they fail.

It is incumbent upon governments and private organisations to collaborate more actively in driving agreement on standards, best practices, and norms of conduct, and to develop and implement motivators and incentives – such as the use of security requirements in purchasing – for driving substantial progress to reduce global supply chain risk. It is heartening to see encouraging initiatives and some new tools for understanding and addressing supply chain risk, but the problem is too important for the world to be satisfied with such slow progress.


This blog first appeared as an article in The Security Times, a special edition of The Atlantic Times monthly newspaper, prepared for the 52nd Munich Security Conference held from 12 to 14 February 2016.

About Andy Purdy Jr.

Andy Purdy Jr. has been the Chief Security Officer (CSO) at Huawei Technologies in the USA since July 2012. Before joining Huawei, he was co-director of the International Cyber Center at the George Mason University in Fairfax, Virginia, which he continues to advise.

He was previously chief cyber security strategist at CSC, the global technology-enabled business solutions provider, and a member of the Advisory Board of Lancope, Inc., a leading provider of network visibility and security intelligence to protect networks against today’s top threats.

Mr. Purdy has also worked at the US Government’s Department of Homeland Security, where he was director of the National Cyber Security Division between 2004 and 2006, and as an attorney at the US Department of Justice.