Supply chain cyber security
Supply chain cyber security refers to efforts to enhance cyber security within the supply chain. It is a subset of supply chain security and focuses on managing the cyber security requirements of information technology systems, software and networks; those requirements are driven by threats such as cyber-terrorism, malware, data theft and the advanced persistent threat (APT). Typical supply chain cyber security activities for minimizing risk include buying only from trusted vendors, disconnecting critical machines from outside networks, and educating users about the threats and the protective measures they can take.
Greg Schaffer, the acting deputy undersecretary for the National Protection and Programs Directorate of the United States Department of Homeland Security, said at a hearing that he is aware of instances where malware has been found on imported electronic and computer devices sold within the United States.[1]
Examples of supply chain cyber security threats
- Network or computer hardware that is delivered with malware already installed on it.
- Malware that is inserted into software or hardware (by various means).
- Vulnerabilities in software applications and networks within the supply chain that are discovered by malicious hackers.
- Counterfeit computer hardware.
Related U.S. government efforts
- Comprehensive National Cyber Initiative
- Defense Procurement Regulations: Noted in section 806 of the National Defense Authorization Act
- International Strategy for Cyberspace: the White House lays out for the first time the U.S.’s vision for a secure and open Internet. The strategy outlines three main themes: diplomacy, development and defense.
  - Diplomacy: the strategy sets out to “promote an open, interoperable, secure and reliable information and communication infrastructure” by establishing norms of acceptable state behavior built through consensus among nations.
  - Development: through this strategy the government seeks to “facilitate cybersecurity capacity-building abroad, bilaterally and through multilateral organizations.” The objective is to protect the global IT infrastructure and to build closer international partnerships to sustain open and secure networks.
  - Defense: the strategy states that the government “will ensure that the risks associated with attacking or exploiting our networks vastly outweigh the potential benefits” and calls for all nations to investigate, apprehend and prosecute criminals and non-state actors who intrude into and disrupt network systems.
Related government efforts around the world
- Russia: Russia has had non-disclosed functionality certification requirements for several years and has recently initiated the National Software Platform effort based on open-source software. This reflects the apparent desire for national autonomy, reducing dependence on foreign suppliers.
- India: India recognizes supply chain risk in its draft National Cybersecurity Strategy. Rather than targeting specific products for exclusion, it is considering Indigenous Innovation policies that give preference to domestic ICT suppliers in order to create a robust, globally competitive national presence in the sector.
- China: Deriving from goals in the 11th Five Year Plan (2006–2010), China introduced and pursued a mix of security-focused and aggressive Indigenous Innovation policies. China requires that an indigenous innovation product catalog be used for its government procurement, and it is implementing a Multi-level Protection Scheme (MLPS) which requires (among other things) that product developers and manufacturers be Chinese citizens or legal persons, and that product core technology and key components have independent Chinese or indigenous intellectual property rights.
Other references
- Financial Sector Information Sharing and Analysis Center
- International Strategy for Cyberspace (from the White House)
- NSTIC
- SafeCode Whitepaper
- Trusted Technology Forum and the Open Trusted Technology Provider Standard (O-TTPS)
- Cyber Supply Chain Security Solution
- Malware Implants in Firmware
- Supply Chain in the Software Era
- Information and Communications Technology Supply Chain Risk Management Task Force: Interim Report
See also
- Supply chain
- Supply chain risk management
- Supply chain security
- ISO/PAS 28000
- NIST
- Trustworthy computing
References
1. "Homeland Security: Devices, Components Coming In With Malware". InformationWeek. 2011-07-11. Retrieved 2011-09-16.