The prevalence of digital technologies in day-to-day business functions is primarily driven by the ever-increasing need to enhance efficiency and curb costs, but it simultaneously has spawned a multitude of cybersecurity risks for organisations irrespective of their size and industry vertical. With geopolitical tensions permeating the technology and digital space, risks to cyber supply chains have emerged as a pressing security issue warranting a multifaceted response.
Ensuring the trust and integrity of cyber supply chains is no longer solely an industry concern, as governments are increasingly voicing concerns over dependence on foreign technology vendors, particularly in strategic sectors. International technical standards, national regulatory frameworks and organisational risk management practices are foundational to transparency and accountability in cyber supply chains, and they are further reinforced by multilateral and multi-stakeholder initiatives.
Cyber or ICT supply chain security became part of various international technical standards devised for information security, risk management and the integrity of commercial off-the-shelf (COTS) ICT products, essentially in the wake of ICT-related risks to the security and integrity of global supply chains. For instance, ISO/IEC 27001 encapsulates controls to ensure security in supplier relationships, and ISO/IEC 20243 lays down requirements for the security of global supply chains and the integrity of COTS ICT products. The risk assessment and management standards ISO/IEC/IEEE 16085, ISO 28000, ISO 28001 and ISO 31000 are also relevant.
In view of the increasing risks to cyber supply chains, apex cybersecurity agencies in different jurisdictions have rolled out initiatives to augment preparedness. The National Institute of Standards and Technology (NIST) of the US, for instance, has a dedicated Cybersecurity Supply Chain Risk Management program to help organisations manage such risks. NIST Special Publication 800-161 provides guidance to US federal agencies on the implementation of risk management practices. The National Cyber Security Centre of the UK Government has issued guidance comprising 12 principles to aid organisations in establishing effective control and oversight over their supply chain. The Australian Cyber Security Centre also has guidance in place to assist organisations in identifying risks in cyber supply chains. The European Union Agency for Cybersecurity has called for coordinated action at the EU level and, in its July 2021 report on supply chain attacks, recommended that organisations manage cyber supply chain risk.
Supply chain security has also been part of the discussions on responsible State behaviour in cyberspace, better known as cyber norms. The 2013 consensus report of the UN Group of Governmental Experts (GGE) acknowledged the concerns of States arising from ICT resources compromised with harmful hidden functions and laid the foundation of norms for the supply chain security of ICT products and services. The report of the subsequent GGE in 2015 reiterated the norm prescribing that States ensure the integrity of the supply chain of ICT products and prevent the proliferation of “harmful hidden functions”. Expanding the understanding of how the norms agreed by the 2015 GGE are to be implemented, the consensus report of the next GGE (adopted in May 2021) set forth several steps to ensure the integrity and security of the ICT supply chain. These include, inter alia, the provision of national-level frameworks and mechanisms; the adoption of good practices and exchanges at the bilateral, regional and multilateral levels; globally interoperable rules and standards; and the inclusion of safety and security throughout the lifecycle of ICT products.
This multilateral exercise is further supplemented by several multi-stakeholder and private sector-led norm-making initiatives, which is essentially a testament to the central role of the private sector in strengthening the security and integrity of cyber supply chains. Under the Cybersecurity Tech Accord, more than 150 leading global companies have pledged to protect against tampering with technology products and services throughout their lifecycle. One of the eight norms proposed by the multi-stakeholder Global Commission on the Stability of Cyberspace says that State and non-state actors should refrain from tampering with products and services in development and production. The Digital Geneva Convention, propounded by Microsoft, endorses a commitment by States to refrain from inserting or requiring “backdoors” in commercial technology products. The Charter of Trust, initiated by Siemens in 2018, lists responsibility for ensuring security throughout the digital supply chain as one of its ten principles. The Paris Call for Trust and Security in Cyberspace, one of the largest multi-stakeholder cybersecurity initiatives, drawing support from governments, the private sector and civil society across the world, advances strengthening the security of digital processes, products and services throughout the supply chain as one of its nine principles.