Login
Login

Digital supply chain security

Digital supply chain security refers to efforts to enhance cyber security within the supply chain. It is a subset of supply chain security and is focused on the management of cyber security requirements for information technology systems, software and networks, which are driven by threats such as cyber-terrorism, malware, data theft and the advanced persistent threat (APT). Typical supply chain cyber security activities for minimizing risks include buying only from trusted vendors,{{cite book |last1=Mayounga |first1=Andre |title=Cyber-Supply Chain Visibility: A Grounded Theory of Cybersecurity with Supply Chain Management - ProQuest |date=May 2017 |url=https://www.proquest.com/openview/1c623efadef0122d52f6b4c275e49160/1?pq-origsite=gscholar&cbl=18750&diss=y |language=en}} disconnecting critical machines from outside networks, and educating users on the threats and protective measures they can take.

The acting deputy undersecretary for the National Protection and Programs Directorate for the United States Department of Homeland Security, Greg Schaffer, stated at a hearing that he is aware that there are instances where malware has been found on imported electronic and computer devices sold within the United States.

{{cite news

| url=http://informationweek.com/news/government/security/231001333

| title=Homeland Security: Devices, Components Coming In With Malware

| work=InformationWeek

| author=

| date=2011-07-11

| access-date=2011-09-16 }}

Examples of supply chain cyber security threats

  • Network or computer hardware that is delivered with malware installed on it already.
  • Malware that is inserted into software or hardware (by various means)
  • Vulnerabilities in software applications and networks within the supply chain that are discovered by malicious hackers
  • Counterfeit computer hardware

Related U.S. government efforts

  • [https://obamawhitehouse.archives.gov/cybersecurity/comprehensive-national-cybersecurity-initiative Comprehensive National Cyber Initiative]
  • Defense Procurement Regulations: Noted in section 806 of the National Defense Authorization Act
  • [https://obamawhitehouse.archives.gov/sites/default/files/rss_viewer/internationalstrategy_cyberspace.pdf International Strategy for Cyberspace]: White House lays out for the first time the U.S.’s vision for a secure and open Internet. The strategy outlines three main themes: diplomacy, development and defense.

:* Diplomacy: The strategy sets out to “promote an open, interoperable, secure and reliable information and communication infrastructure” by establishing norms of acceptable state behavior built through consensus among nations.

:* Development: Through this strategy the government seeks to “facilitate cybersecurity capacity-building abroad, bilaterally and through multilateral organizations.” The objective is to protect the global IT infrastructure and to build closer international partnerships to sustain open and secure networks.

:* Defense: The strategy calls out that the government “will ensure that the risks associated with attacking or exploiting our networks vastly outweigh the potential benefits” and calls for all nations to investigate, apprehend and prosecute criminals and non-state actors who intrude and disrupt network systems.

Related government efforts around the world

  • Common Criteria offers with Evaluation Assurance Level(EAL) 4 an opportunity to evaluate all relevant aspects of the digital supply chain security like the product, the development environment, IT systems security, the processes in human resource, physical security and with the module ALC_FLR.3 (Systematic Flaw Remediation) also security update processes and methods even by physical site visits. EAL 4 is mutually recognized in countries that signed the SOGIS-MRA and up to ELA 2 in countries the signed the CCRA but including ALC_FRL.3.
  • Russia: Russia has had non-disclosed functionality certification requirements for several years and has recently initiated the National Software Platform effort based on open-source software. This reflects the apparent desire for national autonomy, reducing dependence on foreign suppliers.
  • India: Recognition of supply chain risk in its draft National Cybersecurity Strategy. Rather than targeting specific products for exclusion, it is considering Indigenous Innovation policies, giving preferences to domestic ITC suppliers in order to create a robust, globally competitive national presence in the sector.
  • China: Deriving from goals in the 11th Five Year Plan (2006–2010), China introduced and pursued a mix of security-focused and aggressive Indigenous Innovation policies. China is requiring an indigenous innovation product catalog be used for its government procurement and implementing a Multi-level Protection Scheme (MLPS) which requires (among other things) product developers and manufacturers to be Chinese citizens or legal persons, and product core technology and key components must have independent Chinese or indigenous intellectual property rights.{{cite web| url=https://www.bridewellconsulting.com/ |title= Bridewell Consulting }} Thursday, 22 April 2021

Private sector efforts

  • [https://github.com/slsa-framework/slsa SLSA (Supply-chain Levels for Software Artifacts)] is an end-to-end framework for ensuring the integrity of software artifacts throughout the software supply chain. The requirements are inspired by Google’s internal "[https://cloud.google.com/security/binary-authorization-for-borg Binary Authorization for Borg]" that has been in use for the past 8+ years and that is mandatory for all of Google's production workloads. The goal of SLSA is to improve the state of the industry, particularly open source, to defend against the most pressing integrity threats. With SLSA, consumers can make informed choices about the security posture of the software they consume.{{Cite web|title=Introducing SLSA, an End-to-End Framework for Supply Chain Integrity|url=https://security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html|access-date=2021-06-17|website=Google Online Security Blog|language=en}}

Other references

  • [http://www.fsisac.com/ Financial Sector Information Sharing and Analysis Center]
  • [https://obamawhitehouse.archives.gov/sites/default/files/rss_viewer/internationalstrategy_cyberspace.pdf International Strategy for Cyberspace] (from the White House)
  • [https://obamawhitehouse.archives.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf NSTIC]
  • [http://www.safecode.org/publications/SAFECode_Software_Integrity_Controls0610.pdf SafeCode Whitepaper] {{Webarchive|url=https://web.archive.org/web/20131021090219/http://www.safecode.org/publications/SAFECode_Software_Integrity_Controls0610.pdf |date=2013-10-21 }}
  • [https://www.opengroup.org/ttf/ Trusted Technology Forum and the Open Trusted Technology Provider Standard (O-TTPS)] {{Webarchive|url=https://web.archive.org/web/20120103161431/https://www.opengroup.org/ttf/ |date=2012-01-03 }}
  • [https://www.tophatsecurity.com/ddx/ Cyber Supply Chain Security Solution]
  • [https://www.csmonitor.com/World/Passcode/2016/0518/Flaws-in-networking-devices-highlight-tech-industry-s-quality-control-problem Malware Implants in Firmware]
  • [https://www.atlanticcouncil.org/in-depth-research-reports/issue-brief/supply-chain-in-the-software-era/ Supply Chain in the Software Era]
  • [https://www.cisa.gov/publication/ict-scrm-task-force-interim-report INFORMATION AND COMMUNICATIONS TECHNOLOGY SUPPLY CHAIN RISK MANAGEMENT TASK FORCE: INTERIM REPORT]

See also

References

{{reflist}}

{{DEFAULTSORT:Supply Chain Cyber Security}}

Category:Supply chain management

Category:Computer security