Assuring Acquired IT Wares Aren't TaintedTaking Steps to Mitigate Supply Chain Vulnerabilities
The potential of governments messing with commercial IT security products - think China and the National Security Agency (see NSA Reports Sullying Vendors' Standings?) - means organizations need to improve lines of communications to assure the integrity of the IT wares they purchase.
"The integrity of how your product has been made is of real concern," Information Security Forum's Steve Durbin says in an interview with Information Security Media Group [transcript below]. "How do you know that some of the application developers haven't put in backdoors? How can you test for that?"
To mitigate the risks, enterprises must collaborate early on to anticipate how their data and information will be held and secured across the supply chain. "It's about involving your legal guys; it's about involving your procurement folks; it's about conducting a solid risk assessment right at the outset," Durbin says.
Organizations that test for vulnerabilities without having those conversations and conducting that risk assessment early on regarding the supply chain will lose the benefits it originally offered.
"You're going to lose all of the cost benefits of actually outsourcing in the first place because you're going to have to go through every little line item of code," Durbin says.
In the interview, Durbin:
- Defines the supply chain and the threats it poses to IT security and privacy;
- Discusses the integrity of hardware and software acquired and used over the supply chain; and
- Suggests ways organizations can mitigate supply chain vulnerabilities, including being more diligent in wording contracts with providers.
Business growth strategist Durbin joined the forum in 2009 after a three-year stint as chairman of the DigiWorld Institute, a British think tank comprising telecommunications, media and IT leaders and regulators. Durbin also spent seven years at the IT advisory service Gartner, where he served as group vice president worldwide.
Global Supply Chain Threats
ERIC CHABROW: Define the global supply chain and why it can pose threats to individual organizations?
STEVE DURBIN: I struggle hard to find any organization today anywhere in the world that isn't connected in a cyber way with another enterprise, and this really for me is the foundation of the global supply chain. We can get into the way in which Apple, for instance, might design in California, make in China and sell in Europe. That for me is a very large supply chain. But the issues with the sharing of information with other organizations, with third-parties, for a whole variety of different reasons hits at the heart of it.
As we're seeing, this is giving rise to discussions around privacy, around personally identifiable information, over and above what we might normally have perhaps associated with supply chain and the sharing of designs and manufacturing-based information. It's an area that has taken off this year in particular, where a number of organizations are fighting hard to get a grip with some of the implications, not within their own organizations but with these others that they're doing business with.
CHABROW: As information moves from one organization to another, there's a supply chain there. Also, we heard about the supply chain about a year or so ago with news around the potential of Chinese manufacturers of computer and telecommunications components making their products in such a way that the Chinese government could spy on western businesses. That's another aspect to the supply chain, right?
DURBIN: The integrity of how your product has been made is of real concern, and it doesn't actually matter whether we're talking about hardware or software. If you outsource the manufacturing of anything - let's stick with software for a moment - how do you know that some of the application developers haven't put in backdoors? How can you test for that? The answer is of course you can, but then you're going to lose all of the cost benefits of actually outsourcing in the first place or of partnering because you're going to have to go through every little line item of code. It may even be easier with some of the hardware manufacturing that goes on than perhaps some of the software. That's exactly the issue; you're handing over to a third party for them to manufacturer. How do you know that what you get back is only what you asked for?
CHABROW: I want to get to that point in a moment. You're talking to people around the world about this problem. What are some of the anxieties you're hearing from different CISOS in different organizations?
DURBIN: ... You won't be surprised to hear this, but a lot of the attention has switched from China to the United States of late, and we have had a lot of debates and discussion. I know there are some CISOs out there who are really struggling with some of their projects to get them off the ground coming off the back of the NSA revelations - which continue to come out from Snowden - because there's this reluctance to embark on these things until we've actually reached a conclusion, whenever that might be.
That overall concern I suppose is around the integrity of the information: Who's listening? Who's doing what with it? How can I control it? What am I liable for? This is another issue that CISOs are really concerned about at the moment, as well as the impact on the brand. I've been really surprised by some very, very large organizations that I've been talking to recently that have said, "We're not that worried about the breach. We're not that worried about loss of data. What really could hurt us is how that's going to impact our brand." Is it that it destroys the trust that exists between the CISO and his enterprise, between the enterprise and the customer, between the enterprise and business partners? That's moving it up the agenda fairly and squarely onto the plate of the risk officer and the chief financial officer, because that in turn is going to impact stock price. Those are the sorts of concerns that we're now beginning to see, moving a long way in fact from just the issue of the security breach or the downtime, where I think we were beginning to focus for a number of months back, into what does that really mean for my business now.
Concerns Over NSA Spying
CHABROW: You're speaking from Singapore today and you're talking to a lot of people in Asia about the situation. As you suggested, there are concerns about what the NSA is doing. Are you hearing from some of the CISOs and people there that they're reluctant to maybe have contracts with American companies for example with using cloud storage?
DURBIN: I'm not actually seeing that at the moment. What I am seeing is a lot of discussion and debate. I'm seeing much more focus on the contract, on exactly what it is - if I contract with a U.S. based service provider - that they have to do? What information of mine might they have to turn over to federal authorities, for instance? It's that kind of discussion that is taking place at the moment. I've not seen any evidence of contract cancellation or anything like that. I have to say the U.S. based service providers themselves are as concerned about all of this, in my experience, as the CISOs, because this is not good for anybody.
Mitigating Supply Chain Vulnerabilities
CHABROW: Earlier you suggested it would be expensive to vet all the products that people have, taking away the advantage of either outsourcing or buying a third-party product. What are organizations to do to protect themselves from these vulnerabilities that are faced within the supply chain?
DURBIN: I think it comes back to getting things right from the beginning. It's about communication and collaboration. ... It's about having these discussions about what's expected, about how you anticipate your data, information and designs to be held and secured across the supply chain. It's about involving your legal guys. It's about involving your procurement folks. It's about conducting solid risk assessment right at the outset in terms of: Does this make business sense for us? What are the risks? How could we mitigate against them? Does it still make financial sense at the end of all of that for us to go forward and precede? And if the answer to that is yes, then fantastic. You've done your risk assessment. You then [go] from having contracted [to] making sure that you're monitoring as you go; if things are falling off the lines, then you need to remediate. There's no getting away from the fact that it's all about getting the contract right at the outset, about collaborating and communicating, and then monitoring as you go along. I guess it's about planning for what you might do if that situation that you really don't want to happen does occur and things go wrong for whatever reason. It's about going into it with your eyes open.
CHABROW: If something does goes wrong, what should they plan for?
DURBIN: Increasingly, we have to plan for the worst and hope for the best. There's no such thing as 100-percent security. That's perfection and, as we all know, perfection doesn't exist and isn't likely to any time soon. We have to plan on the basis that some things will go wrong. It's about understanding what we can live with going wrong, as opposed to what we can't. My advice would be that when you've done your risk assessment and you've determined that the risk of something going wrong is just so great, then you probably need to pull back and say, "Hang on. Could we do this in-house? Do we need to be using a third party? Is there a way we might be able to shorten our supply chain, get more control over what's going on, increase our monitoring and perhaps partner in terms of the way that we're getting this work done so that we've got some additional influence and monitoring capability?" It's those sorts of things that organizations are increasingly looking at.
The other thing that I'm hearing too is there's an increased readiness on the part of organizations that have outsourced or are working with third parties to review them on an annual basis. It's about sitting down and saying, "How are you maintaining the integrity of our information? What security processes do you have in place? Are you and have you implemented those processes that we have asked for?" Some organizations are coming up short in that, and clearly that means they need to address it. If you've contracted on that basis and at the outset, you're in good shape to have those remediation processes put in place and seen through.