The current discussion around Huawei and whether or not it should be endorsed as a supplier for 5G mobile network hard- and software has reminded us on how dependent we are on the integrity and reliability of such manufacturers and how difficult it is to trust their products if they are closed source and proprietary or otherwise hard or impossible to examine. Due to its undisputed vicinity to the Chinese government, Huawei has come under suspicion primarily by the US authorities to provide undocumented access capabilities to Chinese intelligence agencies enabling them to globally wiretap mobile communications in 5G networks.
Lessons learned from the Crypto AG scandal
Such allegations weigh heavily and if they are more than just politically inspired trade war rhetoric, we would have to profoundly change the way we look at the risks deriving from supply chains for cybersecurity-related equipment. Is it paranoid to think that governments and their secret services are evil enough to make suppliers deliver manipulated hard- and software or is it real? The most recent story about the German Secret Service BND and its US counterpart CIA covertly co-owning the former Swiss manufacturer of cryptographic hard- and software, Crypto AG, shows that some governments even go further.
Germany and the USA secretly took over a leading crypto manufacturer supplying diplomatic, military and secret services of more than 120 countries worldwide and weakened its algorithms in a way that they were able to decrypt messages without a proper key. Needless to say, neither the Soviet Union nor China were careless enough to purchase from Crypto AG, so most affected countries were, in fact, those that considered themselves the USA’s allies.
Paranoia vs. Adequate risk assessment in supplier choice
„Rubikon“, which was the German codename of this operation, makes us better understand why some governments are more paranoid than others with regards to Huawei: they simply know from their own experience that these threats are real. The fact that Crypto AG was situated in Switzerland and looked like a privately owned, comparably small company with very high expertise in cryptography, should make us think even more about the way we chose our suppliers.
The weak spots of the supply chain
The risk of purchasing security hard- and software with deliberately or accidentally built-in weaknesses looks higher than we expected – but it is not the only element of Supply Chain Risk. Supply chains can only be as strong as its weakest spot. In a world where enterprises focus on what they can do best and add everything else through supply chains, it is more critical than ever to know these weak spots and to limit the risks occurring from them. Some of the most important challenges are:
- Selecting suppliers with a low risk profile: It is very complex, expensive and inefficient to collect all necessary information needed to evaluate and quantify risks deriving from internal processes and vulnerabilities within the supplier´s organization.
- In a networked economy, the number of suppliers is increasing: Even if we manage to assess a relatively small number of suppliers that are not too big and complex, time and resources consumed by properly risk-assessing an ever-increasing number of cyber suppliers are simply getting too high.
- Most organizations underestimate cyber supply chain risks. Cyber incidents happen every day, anywhere in a supply chain. Suppliers are threatened the same way as your own company. Your supplier´s threats add to your company´s risk profile. Therefore, suppliers and their risks have to be continuously monitored, not just once.
- Cyber supply chain risks are multidimensional, with many different stakeholders involved and interfaces to privacy & data protection, risk management, compliance, controlling, and audit. Reliably building continuous assessment strategies and processes on top of such a multidimensional topic is a challenge and remains widely unsolved in many organizations.
Looking at these complex supply chain risk management challenges and adding the increasing maturity and sophistication of cyberattacks to the equation, it is the right time now to add C-SCRM to our core cybersecurity strategy.
Good practices and standards provide guidance
It doesn´t really matter whether a cyberattack or data theft is targeted directly against the infrastructure of your company or whether a supplier´s weakness is exploited to gain unauthorized access. As a first step, good practices and standards will provide enough guidance. ISO/IEC 27036:2013 as part of the ISO 27000 series describes the foundations of information security in supply chain relationships.
Furthermore, NIST has updated its Cyber Security Framework and added a chapter on “Supply Chain Risk Management”. Specifically, aside from general cyber supply chain risks, version 1.1 of the NIST Cyber Security Framework is addressing IoT/IIoT related challenges. For the first time, NIST has added a whole category specifically focused on Supply Chain Risk evaluation and assessments involving all actors, like hardware manufacturers, software vendors, cloud service providers, and other service suppliers and consumers.
Where KuppingerCole can help you to make your supply chain more secure
Communication and verification of mandatory commitments to cybersecurity requirements between all involved parties is a core aspect of C-SCRM, with regular security assessments and vulnerability scans to make sure that supply chain security standards remain high.
With the Cloud Risks and Controls Matrix (CRCM) KuppingerCole offers both a toolkit and a compendium for assisting cloud customers in assessing the overall security risk resulting from the deployment of services in the cloud.
Cyber Supply Chain Risk Management will be discussed at EIC 2020 on May 13 at 12 pm, in the Digital Enterprise Security Track. An hour session dedicated to C-SCRM will kick off with the KuppingerCole analyst talk - Necessary Components of an Effective C-SCRM. This will be followed by the panel discussion on Managing Cyber Supply Chain Risks and Achieving Digital Business Resilience. Participating in this panel will be representatives of Huawei and various international cybersecurity organizations.