Cybersecurity concerns everyone – responsibility and education throughout the digital supply chain

27 Nov 2019 09:30h - 11:00h

Event report

[Read more session reports and updates from the 14th Internet Governance Forum]

This panel aimed to explore the digital security landscape that private businesses are facing today and map out what companies can do to mitigate cyber-risks. The moderator, Mr Daniel Brinkwerth (Charter of Trust, GPLUS), raised two key issues: the management of digital security risks in the global supply chain with building trust between business partners, and the role of education in digital security.

To set the scene of the discussion, Mr Laurent Bernat (Policy Analyst on Digital Security Policy, OECD) highlighted a soft law international instrument – the 2015 Recommendation on Digital Security Risk Management for Economic and Social Prosperity adopted by the Organisation for Economic Cooperation and Development (OECD) Council. Its main principles are shared responsibility, co-operation, and partnerships between stakeholders for the management of digital security risks. Bernat also noted that public policies of governments in this field are getting more mature. The OECD held the second annual Global Forum on Digital Security for Prosperity in London engaging in in-depth multistakeholder dialogue on digital security innovation. The organisation also has a working party on security in the digital economy that agreed to set up a multistakeholder informal expert advisory group to provide input on how to improve the digital security of products, and how to encourage responsible management and disclosure of vulnerabilities.

The Charter of Trust – an initiative launched at the Munich Security Conference in 2017 jointly by Siemens and IBM – became a baseline for the discussion. Mr Stefan Saatman (Global Policy Co-ordinator Siemens AG) shared the first results of the two-year co-operation between 16 participants of the charter:

  1. They have scaled the supply-chain security and harmonisation as they integrate cybersecurity in daily business and education.
  2. They have agreed upon 17 baseline requirements as the foundation of the supply-chain security. These baseline requirements serve on eight different categories: data protection, security policies, incident response, site security (physical layer), access intervention, transfer separation, integrity and availability, support, and training.
  3. They have established verification methods that build upon internationally recognised standards: self-declaration, self-assessment, and documented proof.

For example, Siemens is already rolling out those 17 baseline requirements to its suppliers and partners – they need to comply with them in order to work with Siemens. Saatman noted that the company not only demands compliance, but also helps with requirements adoption.

Another component is the assessment of suppliers. Mr Jacques Kruse-Brandao (Global Head of Advocacy at SGS) said that a third party should verify whether certain security features have been implemented. For instance, this can be done through comprehensive questionnaires that may consist of up to 800 questions. The third party certifies, or at least tests and evaluates, that the implementation has been done properly.

The fulfilment of the baseline security requirements should be in the interest of every supplier, said Mr Jochen Friedrich (Technical Relations Executive at IBM). If a supplier cannot meet them, then it should look for practical advice and support in international standards.

The moderator touched upon the problem of non-compliant Internet of Things (IoT) devices. Friederich said that there should be tough checks and a clear market pressure not to use them. This, in turn, requires a high level of education and transparency. Staatman pushed for the security by design approach. From the OECD perspective, however, there are still debates on how to treat IoT devices, since in addition to physical safety certification, they have digital components that are probably not in the competence of the product safety regulators.

Finally, the panel discussed the educational component and the role of basic cyber-hygiene. Mr Alexander Wolf (Division Business Assurance at TÜV SÜD AG) said it should be a part of everyone’s DNA. He noted that companies should pay attention to the lowest level in their organisational hierarchy and enable people to have their own judgement on what is their exposure to cyber-risks. Basic cyber education is the task for both governments and industry, pointed Bernat. Ultimately, there is an emerging gap of cybersecurity experts, said Staatman. In addition to general level training, there should be a structured approach – companies should concentrate on particular cybersecurity needs and encourage people to undertake training courses. Kruse-Brandao added that universities release an insufficient number of specialists, so the curriculum and admissions priorities may be revised to meet current challenges.

By Ilona Stadnik