Supply chain cyber security

Supply chain cyber security refers to efforts to enhance cyber security within the supply chain. It is a subset of supply chain security and is focused on the management of cyber security requirements for information technology systems, software and networks, which are driven by threats such as cyber-terrorism, malware, data theft and the advanced persistent threat (APT). Typical supply chain cyber security activities for minimizing risks include buying only from trusted vendors, disconnecting critical machines from outside networks, and educating users on the threats and protective measures they can take.

The acting deputy undersecretary for the National Protection and Programs Directorate for the United States Department of Homeland Security, Greg Schaffer, said at a hearing that he is aware that there are instances where malware has been found on imported electronic and computer devices sold within the United States. [1]

Examples of supply chain cyber security threats

  • Network or computer hardware that is delivered with malware installed on it already.
  • Malware that is inserted into software or hardware (by various means)
  • Vulnerabilities in software applications and networks within the supply chain that are discovered by malicious hackers
  • Counterfeit computer hardware
  • Diplomacy: The strategy sets out to “promote an open, interoperable, secure and reliable information and communication infrastructure” by establishing norms of acceptable state behavior built through consensus among nations.
  • Development: Through this strategy the government seeks to “facilitate cybersecurity capacity-building abroad, bilaterally and through multilateral organizations.” The objective is to protect the global IT infrastructure and to build closer international partnerships to sustain open and secure networks.
  • Defense: The strategy calls out that the government “will ensure that the risks associated with attacking or exploiting our networks vastly outweigh the potential benefits” and calls for all nations to investigate, apprehend and prosecute criminals and non-state actors who intrude and disrupt network systems.
  • Russia: Russia has had non-disclosed functionality certification requirements for several years and has recently initiated the National Software Platform effort based on open-source software. This reflects the apparent desire for national autonomy, reducing dependence on foreign suppliers.
  • India: Recognition of supply chain risk in its draft National Cybersecurity Strategy. Rather than targeting specific products for exclusion, it is considering Indigenous Innovation policies, giving preferences to domestic ITC suppliers in order to create a robust, globally competitive national presence in the sector.
  • China: Deriving from goals in the 11th Five Year Plan (2006–2010), China introduced and pursued a mix of security-focused and aggressive Indigenous Innovation policies. China is requiring an indigenous innovation product catalog be used for its government procurement and implementing a Multi-level Protection Scheme (MLPS) which requires (among other things) product developers and manufacturers to be Chinese citizens or legal persons, and product core technology and key components must have independent Chinese or indigenous intellectual property rights.

Other references

gollark: My THING is not WORKING!
gollark: This is so apioformic, it should let me apiobind to `[ff02::aeae]:44718`!
gollark: Apparently my apiosocket won't apiobind?
gollark: `Error: Invalid argument (os error 22)`what a helpful error.
gollark: Based on some multicast IP allocations, it looks like some random person already had the multicast chat idea. Interesting.

See also

References

  1. "Homeland Security: Devices, Components Coming In With Malware". InformationWeek. 2011-07-11. Retrieved 2011-09-16.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.