Forging Trust Within the Supply Chain
"[EU Commissioner Algirdas Semeta] recently said that in a globalized world, no country can secure the supply chain in isolation," said Cisco security strategist Edna Conway. "He recognized that ... national supply chains are ineffective and too costly unless they're supported by enhanced international cooperation."
Jul 30, 2012 5:00 AM PT
Let's examine the latest efforts to make global supply chains for technology providers more secure, verified, and therefore trusted. We'll examine the advancement of The Open Group Trusted Technology Forum (OTTF) to gain an update on the effort's achievements and to learn more about how technology suppliers and buyers can expect to benefit.
The expert panel consists of Dave Lounsbury, chief technical officer at The Open Group; Dan Reddy, senior consultant product manager in the Product Security Office at EMC; Andras Szakal, vice president and chief technology officer at IBM's U.S. Federal Group, and also the chair of the OTTF; and Edna Conway, chief security strategist for global supply chain at Cisco. The discussion is moderated by Dana Gardner, principal analyst at Interarbor Solutions.
Listen to the podcast (40:44 minutes).
Here are some excerpts:
Dana Gardner: Why is this an important issue, and why is there a sense of urgency in the markets?
Dave Lounsbury: The Open Group has a vision of boundaryless information flow, and that necessarily involves interoperability. But interoperability doesn't have the effect that you want, unless you can also trust the information that you're getting, as it flows through the system.
Therefore, it's necessary that you be able to trust all of the links in the chain that you use to deliver your information. One thing that everybody who watches the news would acknowledge is that the threat landscape has changed. As systems become more and more interoperable, we get more and more attacks on the system.
As the value that flows through the system increases, there's a lot more interest in cybercrime. Unfortunately, in our world, there's now the issue of state-sponsored incursions in cyberspace, whether officially state-sponsored or not, but politically motivated ones certainly.
So there is an increasing awareness on the part of government and industry that we must protect the supply chain, both through increasing technical security measures, which are handled in lots of places, and in making sure that the vendors and consumers of components in the supply chain are using proper methodologies to make sure that there are no vulnerabilities in their components.
I'll note that the demand we're hearing is increasingly for work on standards in security. That's top of everybody's mind these days.
Dan Reddy: One of the things that we're addressing is the supply chain item that was part of the Comprehensive National Cybersecurity Initiative (CNCI), which spans the work of two presidents. Initiative 11 was to develop a multi-pronged approach to global supply chain risk management. That really started the conversation, especially in the federal government, as to how private industry and government should work together to address the risks there.
In the OTTF, we've tried to create a clear, measurable way to address supply-chain risk. It's been really hard to even talk about supply chain risk, because you have to start with getting a common agreement about what the supply chain is, and then talk about how to deal with risk by following best practices.
Andras Szakal: One of the observations that I've made over the last couple of years is that this group of individuals, who are now part of this standards forum, have grown in their ability to collaborate, define, and rise to the challenges, and work together to solve the problem.
Technology supply chain security and integrity are not necessarily a set of requirements or an initiative that has been taken on by the standards committee or standards groups up to this point. The people who are participating in this aren't your traditional IT standards gurus. They had to learn the standards process. They had to understand how to approach the standardization of best practices, which is how we approach solving this problem.
It's sharing information. It's opening up across the industry to share best practices on how to secure the supply chain and how to ensure its overall integrity. Our goal has been to develop a framework of best practices and then ultimately take those codified best practices and instantiate them into a standard, which we can then assess providers against. It's a big effort, but I think we're making tremendous progress.
Gardner: Because The Open Group Conference is taking place in Washington, D.C., what's the current perception in the U.S. Government about this in terms of its role?
Szakal: The government has always taken a prominent role, at least to help focus the attention of the industry.
Now that they've corralled the industry and they've got us moving in the right direction, in many ways, we've fought through many of the intricate, complex technology supply chain issues, and we're ahead of some of the thinking of folks outside of this group because the industry lives these challenges and understands the state of the art. Some of the best minds in the industry are focused on this, and we've applied some significant internal resources across our membership to work on this challenge.
So the government is very interested in it. We've had collaborations all the way from the White House across the Department of Defense (DoD) and within the Department of Homeland Security (DHS), and we have members from the government space in NASA and DoD.
It's very much a collaborative effort, and I'm hoping that it can continue to be so and be utilized as a standard that the government can point to, instead of coming up with their own policies and practices that may actually not work as well as those defined by the industry.
Edna Conway: Our colleagues on the public side of the public-private partnership that is addressing supply-chain integrity have recognized that we need to do it together.
More importantly, you need only to listen to a statement, which I know has often been quoted, but it's worth noting again from EU Commissioner Algirdas Semeta. He recently said that in a globalized world, no country can secure the supply chain in isolation. He recognized that, again quoting, national supply chains are ineffective and too costly unless they're supported by enhanced international cooperation.
The one thing that we bring to bear here is a mindful focus on the fact that we need a public-private partnership to address comprehensively in our information and communications technology industry supply chain integrity internationally. That has been very important in our focus. We want to be a one-stop shop of best practices that the world can look at, so that we continue to benefit from commercial technology which sells globally and frequently builds once or on a limited basis.
Combining that international focus and the public-private partnership is something that's really coming home to roost in everyone's minds right now, as we see security value migrating away from an end point and looking comprehensively at the product lifecycle or the global supply chain.
Lounsbury: I had the honor of testifying before the U.S. House Energy and Commerce Committee on Oversight Investigations, on the view from within the U.S. Government on IT security.
It was very gratifying to see that the government does recognize this problem. We had witnesses in from the DoD and Department of Energy (DoE). I was there because I was one of the two voices on industry that the government wants to tap into to get the industry's best practices into the government.
It was even more gratifying to see that the concerns that were raised in the hearings were exactly the ones that the OTTF is pursuing. How do you validate a long and complex global supply chain in the face of a very wide threat environment, recognizing that it can't be any single country? Also, it really does need to be not a process that you apply to a point, but something where you have a standard that raises the bar for our security for all the participants in your supply chain.
So it was really good to know that we were on track and that the government, and certainly the U.S. Government, as we've heard from Edna, the European governments, and I suspect all world governments are looking at exactly how to tap into this industry activity.
Gardner: Where are we in the progression of OTTF?
Lounsbury: In the last 18 months, there has been a tremendous amount of progress. The thing that I'll highlight is that early in 2012, the OTTF published a snapshot of the standard. A snapshot is what The Open Group uses to give a preview of what we expect the standards will apply. It has fleshed out two areas, one on tainted products and one on counterfeit products, the standards and best practices needed to secure a supply chain against those two vulnerabilities.
So that's out there. People can take a look at that document. Of course, we would welcome their feedback on it. We think other people have good answers too. Also, if they want to start using that as guidance for how they should shape their own practices, then that would be available to them.
That's the top development topic inside the OTTF itself. Of course, in parallel with that, we're continuing to engage in an outreach process and talking to government agencies that have a stake in securing the supply chain, whether it's part of government policy or other forms of steering the government to making sure they are making the right decisions. In terms of exactly where we are, I'll defer to Edna and Andras on the top priority in the group.