Here’s how to respond to cyber supply chain risks

The spread of digital technologies through day-to-day business functions is driven largely by the need to improve efficiency and curb costs, but it has also created a multitude of cybersecurity risks for organisations of every size and industry. With geopolitical tensions permeating the technology and digital space, risks to cyber supply chains have emerged as a pressing security issue that warrants a multifaceted response.

Ensuring the trust and integrity of cyber supply chains is no longer solely an industry concern: governments are increasingly voicing concerns over dependence on foreign technology vendors, particularly in strategic sectors. International technical standards, national regulatory frameworks and organisational risk management practices are foundational to transparency and accountability in cyber supply chains, and they are further reinforced by multilateral and multi-stakeholder initiatives.

Cyber or ICT supply chain security has become part of various international technical standards for information security, risk management and the integrity of commercial off-the-shelf (COTS) ICT products, largely in response to ICT-related risks to the security and integrity of global supply chains. For instance, ISO/IEC 27001 includes controls for security in supplier relationships, and ISO/IEC 20243 lays down requirements for the security of global supply chains and the integrity of COTS ICT products. The risk assessment and management standards ISO/IEC/IEEE 16085, ISO 28000, ISO 28001 and ISO 31000 are also relevant.

In view of the increasing risks to cyber supply chains, apex cybersecurity agencies in different jurisdictions have rolled out initiatives to improve preparedness. The National Institute of Standards and Technology (NIST) of the US, for instance, runs a dedicated Cybersecurity Supply Chain Risk Management (C-SCRM) program to help organisations manage such risks, and NIST Special Publication 800-161 provides guidance to US federal agencies on implementing risk management practices. The UK's National Cyber Security Centre has issued guidance comprising 12 principles to help organisations establish effective control and oversight of their supply chains. The Australian Cyber Security Centre has published guidance to assist organisations in identifying risks in cyber supply chains. The European Union Agency for Cybersecurity, in its July 2021 report on supply chain attacks, called for coordinated action at the EU level and recommended that organisations manage cyber supply chain risk.

Supply chain security has also featured in the discussions on responsible State behaviour in cyberspace, better known as cyber norms. The 2013 consensus report of the UN Group of Governmental Experts (GGE) acknowledged States' concerns about compromised ICT resources (those with harmful hidden functions) and laid the foundation for norms on the supply chain security of ICT products and services. The report of the subsequent GGE in 2015 reiterated the norm calling on States to ensure the integrity of the supply chain of ICT products and to prevent the proliferation of "harmful hidden functions". Expanding on how the norms agreed by the 2015 GGE are to be implemented, the consensus report of the next GGE (adopted in May 2021) set out several steps to ensure the integrity and security of the ICT supply chain. These include, inter alia, national-level frameworks and mechanisms; adoption of good practices and exchanges at the bilateral, regional and multilateral levels; globally interoperable rules and standards; and the inclusion of safety and security throughout the lifecycle of ICT products.

This multilateral exercise is supplemented by several multi-stakeholder and private sector-led norm-making initiatives, which testifies to the central role of the private sector in strengthening the security and integrity of cyber supply chains. Under the Cybersecurity Tech Accord, more than 150 leading global companies have pledged to protect against tampering with technology products and services throughout their lifecycle. One of the eight norms proposed by the multi-stakeholder Global Commission on the Stability of Cyberspace says that State and non-State actors should refrain from tampering with products and services in development and production. The Digital Geneva Convention proposed by Microsoft calls on States to commit to refrain from inserting, or requiring, "backdoors" in commercial technology products. The Charter of Trust, initiated by Siemens in 2018, lists responsibility for security throughout the digital supply chain as one of its ten principles. The Paris Call for Trust and Security in Cyberspace, one of the largest multi-stakeholder cybersecurity initiatives, drawing support from governments, the private sector and civil society around the world, advances strengthening the security of digital processes, products and services throughout the supply chain as one of its nine principles.

Since technology suppliers and users are scattered all over the world, an effective international response is rooted in close cooperation over shared and interoperable solutions among like-minded countries at the relevant multilateral and multi-stakeholder fora. A key element of such cooperation would be deliberating on the ways and means to operationalize the agreed norms relevant to supply chain security. Easier said than done, this would require fitting the action items into the labyrinth of existing national responses to ICT/cyber supply chain security challenges. Moreover, bringing all partners to a similar level of maturity in regulation and standardization would require significant effort on the capacity-building front.

Cyber-attacks on the IT/ICT supply chain can have adverse consequences for the digital economy, public safety and national security at large. The need for a collective response comprising all stakeholders has been underscored time and again to ensure trust in IT/ICT products and services. In the Indian context, a task force comprising a broad set of stakeholders, mandated to identify and develop short- and long-term risk management strategies for cyber supply chains critical to national security, would be a welcome step. An evidence-based approach by the task force would help bring out the specific requirements for government intervention in enabling organizations to handle cyber supply chain risks effectively. Government and industry have a shared interest in the identification and mitigation of these risks, and from that flows a shared responsibility to act swiftly in the face of the increasing sophistication and frequency of supply chain attacks. The stalwarts of the Indian IT industry, with decades of experience in delivering credible software solutions and managed services, are well placed to lead the way from industry's end. Close alignment of the goals and actions of the public and private sectors directed at preparedness is more worthwhile than alignment enforced after a crippling cyber incident.

Courtesy: https://www.businesstoday.in/opinion/columns/story/heres-how-to-respond-to-cyber-supply-chain-risks-331073-2022-04-25