As the Director of The Open Group Trusted Technology Forum I am thrilled to be participating at ITU Telecom World 2016 in Bangkok, Thailand. In particular, I will be on a panel of subject matter experts to discuss the challenge of securing business enterprises and critical infrastructures and the potential steps that can be taken now to address these challenges – steps that can start us down the path of, as the ITU Telecom conference theme notes, “Better Sooner”.
This session, “No Trade Without Trust”, to be held on Wednesday, November 16 from 16:45 to 18:00, will address ICT trust, innovation and trade.
In this blog, I provide some insight into these global challenges – from my perspective. There will be additional perspectives from the panelists and the attendees that will foster further discussion in this relevant session!
Information and communication technologies (ICT) and their supply chains depend upon complex and interrelated networks of suppliers across a wide range of global partners. Suppliers deliver hardware and software components to Original Design Manufacturers (ODMs) or Original Equipment Manufacturers (OEMs), who build products from the components and in turn deliver those products to customers directly, through a value-add reseller (who may add even more components), or to system integrators who combine them with products from multiple providers at a customer site. Every hand-off in this chain is an opportunity for a maliciously tainted or counterfeit component, or for a vulnerability that can later be exploited, to be introduced into the finished product.
As a result, organizations now need assurances that they are buying from trusted technology providers who follow best practices every step of the way. This means not only that providers follow secure development and engineering practices in-house while developing their own software and hardware, but also that they secure their supply chains by requiring the third parties who supply their components to follow best practices for security as well. Modern cyber criminals continuously and exhaustively seek out any vulnerability that can be exploited for malicious gain, and the supply chain is no different.
One perspective I will bring to the discussion is the importance of assuring product integrity and the security of ICT global supply chains as a first line of defense to reduce the possibility that unauthorized functionality can be introduced into products and to mitigate vulnerabilities that can lead to maliciously tainted and counterfeit products. This first line of defense must not be ignored when considering how to prevent damage to critical infrastructure and the horrific consequences that can ensue.
The second perspective I will underscore is that many buyers do not know what to ask of, or require from, their providers to ensure they are building and delivering secure ICT. They need guidance on what that dialogue looks like, what questions buyers need to ask of their suppliers and what recommendations or demands they need to make in their acquisitions.
Finally, I will bring the perspective that building secure ICT products and securing global supply chains is both a technical and a global geo-political issue, and that addressing the technical perspective in a vendor-neutral and country-neutral manner can help diminish the geo-political issues.
The technical perspective is driven by the simple fact that we are living in a global economy; almost everything has a global supply chain, and virtually nothing is built by just one company or in just one country. In order for products to have integrity and for their supply chains to be secure, every constituent in the development of technology and in the supply chain must follow best practices for security, both in-house and in their own supply chains.
The related, but separate, geo-political perspective, driven by a desire to protect against malicious attackers and by a lack of trust in, and among, nation-states, is pushing many countries to consider approaches that are disconcerting, to put it mildly. Unfortunately, because every country is extremely concerned (as it should be) about securing its critical infrastructures and their underlying supply chains, we are beginning to see attempts to address those concerns through local solutions: country-specific and disparate requirements that increase the cost burden on suppliers and can set up barriers to trade in the name of security.
In order to prevent that negative effect on trust and trade, it is essential that we advocate for common international approaches, which all countries can adopt, with the same risk-informed criteria for all providers regardless of locale, thus lifting all boats on a tide of consistent international guidelines and global standards.
This is not to say that the risk for every environment or application for ICT is the same — the requirements for acquisition must also be based on risk analysis – but the more we can utilize international guidelines and standards to create a base level of solid security, the safer we all will be.
Of particular relevance are a few tools that are available now to help us achieve “Better, Sooner”, such as The EastWest Institute’s Purchasing Secure ICT Products and Services: A Buyers Guide; The Open Trusted Technology Provider Standard – Mitigating Maliciously Tainted and Counterfeit Products (O-TTPS), approved by ISO as ISO/IEC 20243:2015; and the O-TTPS Certification/Accreditation Program, which is open to all ICT providers including ODMs, OEMs, component suppliers, and value-add resellers.
Again, these are only some of my perspectives – I can’t wait to hear other relevant perspectives from the panelists and the attendees at the “No Trade Without Trust” session on Wednesday, November 16, 2016, 16:45 – 18:00.