Assurance and transparency in ICT supply chain security

Event report

Mr Andreas Kuehn (Senior Program Associate, EastWest Institute) provided the opening context for the discussion, highlighting the interconnectedness of the global supply chain and the heavy reliance that organisations place on third-party vendors and the critical role that ICT supply chain security plays in ensuring trust and confidence in the overall system.

Global ICT firms have invested heavily in mitigating third-party risks while some governments in the global South often do not have the resources and capacity to address these risks. Kuehn referred to a supply chain security report done in 2016 by the EastWest Institute that called for a level playing field based on international standards. The report highlights the constant struggle between national security and economic interests when trying to address supply chain security concerns. Dr Katherine Getao (Head, Kenyan Ministry of Information) spoke about the increasing involvement of nation-states in issues with the supply chain and the challenges posed for national security interests.

Trust and trustworthiness are two main issues addressed in the East West Institute report. With respect to trust, the measures implemented are designed to minimise the trust gap and establish an acceptable level of risk. Kuehn discussed the measures that are available to individual ICT buyers as part of their procurement processes; these measures include requiring vendors to adhere to international standards on security. Getao called for increased trustworthiness on the part of the technology suppliers and the great trust that even nations place in the suppliers as they consume technology.

Additionally, more can be done at the industry level; for example, an industry-wide software bill of materials could be effective. Ms Anastasiya Kazakova (Public Affairs Manager, Kaspersky), in an analysis of the threat model for a supply chain attack, highlighted the various zones of trust and security within a network from employees through external services supplied by vendors. Kazakova also addressed the multiplicity of components for software and the various jurisdictions that can contribute to the development of a final software module. Getao echoed the challenges in depending on technology with an interconnected supply chain for the production of the technology and raised the issue of sovereignty for nation states.

A third point that the EastWest Institute report addressed concerns ecosystem measures, including regional transparency. Kazakova mentioned the requirement to trust everyone as part of gaining value from the supply chain, while illustrating how an attack can be launched against a supply chain where the required trust is compromised due to the insertion of malicious intent via either a software or hardware measure.

Mr Philip Amann (Head of Strategy, Europol’s European Cybercrime Centre (EC3)) reports that in investigating cybercrimes and cross-border violations, Europol also is aware of the expanded attack surface that the supply chain provides and the challenges to secure systems beyond one’s perimeter. Arising from the current pandemic situation, a greater frequency of attacks in the IoT and education sector has occurred, and abuses of the software updating process have become more prevalent, where criminals insert ransomware through fake software patches.

Arman called for increased education of staff to mitigate threats. Dr Abdul Wahab Amirudin (CEO, CyberSecurity Malaysia) agreed with the requirement to educate and build capacity to reduce risk. He also raised the issue of increased collaboration that allows for protection of the weakest link. Cybersecurity is not purely a technical issue and requires policy support and awareness on the part of people. Mr Salah Baïna (Professor, National School of Computer Science and Systems Analysis (ENSIAS)) echoed concerns about the weakest link and highlighted the Moroccan approach of incorporating international standards to ensure Moroccan organisations were not operating as a weak link. This has been part of a significant nationwide push for greater ICT maturity in systems and policies. Amirudin also discussed community programs, raising the issues of cybersafety and security.

Finally, in questions, the panellists addressed dual use technologies and the requirement to find a balance between safety and security and privacy along with the rising issues of tech nationalism. Technical companies in themselves do not pose a risk outside of the human element. The requirement for increased certification and standards was raised as well; the need to have public/private partnerships to ensure a multifaceted approach to managing these issues was considered.