Often in dangerous situations we initially look outwards and upwards for the greatest threats. Sometimes we should instead be looking inwards and downwards. Supply chain security in information and communication technology (ICT) is exactly one of those situations where detailed introspection could be of benefit to all concerned. The smallest security breach can have disastrous implications, irrespective of whether the attackers’ entry point is within one’s own system or within that of a supplier. ATM breaches, which can expose hundreds of millions of people’s personal information, are one example of how an attack can occur via a contractor.
My experience over the last fifteen or more years of cybersecurity policy work is that in a diverse, globalized and interconnected world, supply chains can pose a major cybersecurity threat if left unmanaged. Many products are built up from elements that are created and modified by different companies in different places. This is as true of software as it is of hardware. Global supply chains create opportunities for the introduction of counterfeit elements or malicious code. The problem is not concentrated in one region and the consequences can be global.
The situation not wholly new nor is it wholly unknown. From Microsoft’s perspective, based on our experience in the cyber supply chain risk management (C-SCRM) space and in line with our broad approach to all cybersecurity issues, the best approach to validating ICT products and components is risk-based. If I was to put forward basic elements of a supply chain risk management stance they would include:
- A clear understanding of the critical supply chain risks that need to be mitigated, which will require regular evaluation and adjustment as threats or technologies change;
- Principles and practices that take account of the lifecycle of threats whilst promoting transparency, accountability and trust between companies themselves and between companies and the authorities;
- An understanding that flexibility is critical, given i) vendors’ differing business models and markets, and ii) that seemingly simple changes in technology can rapid change threat models; and,
- A holistic approach to C-SRCM-based technical controls, operational controls, and vendor & personnel controls.
In addition to effective risk management, I can see a clear case for international standards in international supply chains. If we recognize that even the smallest weakness in a jurisdiction “over there” might be a way in for cyber criminals “over here”, international standards would be a common basis for judging whether or not a supply chain can be secure in its fundamentals.
Governments considering how to make their ICT supply chains more secure need to solicit industry feedback on their proposals. Indeed, I would argue that public-private partnerships to develop supply chain proposals are the best way to approach the issue. Both states and companies gain by cooperating in the fight against supply chain-led cyberattacks.
Microsoft depends on the trust our customers place in our products and as a multinational company, we understand the relevance of secure cross-border supply chains. So, even if C-SCRM is rarely the first thing considered when looking at cybersecurity, we will continue to make the case for a comprehensive and global approach to securing ICT supply chains that is risk-based, transparent, flexible and standards-led.