The reality of ubiquitous reliance on ICT has given rise to the criticality of cyber security. What may be less well appreciated is the proliferation of well-intended efforts of public-private partnerships and global governments to create standards, certification or accreditation schemes or guidelines regarding the ICT supply chain. These well-intended efforts to provide a framework for security may very well be “cooking the global ICT supply chain goose” without moving the security needle.
The keys to even remotely ensuring the success of such efforts are global alignment and commercial reasonableness—concepts easier written about than implemented. Let me posit a seemingly simple solution that is quite challenging to deploy.
Let us return our focus to our collective concern: securing the global ICT supply chain. International standards bodies, government regulators and certification laboratories need to remove territorial blinders and revisit the real mission: ensuring to the optimal extent possible that ICT is genuine, free from taint and will not permit control over the operations for which it is used.
Some guiding principles are needed to efficiently achieve this goal together. Let’s discuss two of these key principles. First, where a standard is already in place, we should enhance it to address missing elements rather than create entirely new schemas. Second, where taxonomy, the language we use to identify security requirements, is not aligned, it should be. Divergent definitions are not helpful to those seeking to mitigate security risk. Let me offer examples of the “good, the bad and the ugly”:
The Open Trusted Technology Provider Standard version 1.0 defines in its Glossary a Counterfeit Product as: “A product that is produced other than by, or for, the provider, or is supplied to the provider by other than a provider’s authorized channel and is presented as being legitimate even though it is not.”
SAE Aerospace Standard AS5553, Rev A Section 3.3 defines a Counterfeit Part as: “A fraudulent part that has been confirmed to be a copy, imitation, or substitute that has been represented, identified, or marked as genuine, and/or altered by a source without legal right with intent to mislead, deceive, or defraud… All counterfeit parts are fraudulent, but not all fraudulent parts are counterfeit.”
US Defense Federal Acquisition Regulation 252.246.7007 defines “Counterfeit electronic part” as “an unlawful or unauthorized reproduction, substitution, or alteration that has been knowingly mismarked… or otherwise misrepresented to be an authentic, unmodified electronic part from the [OEM], or a source with [its] express written authority…” It expands to include “Suspect counterfeit electronic part” as “a part for which credible evidence… provides reasonable doubt that the electronic part is authentic.”
Conflicting guidance, standards and regulations cause confusion rather than clarity. Reasonable doubt has not proven a model of clarity in the criminal arena. Nor will layers of complexity created by intertwining concepts of “counterfeit,” “taint,” “fraudulent” and the latest – “substandard,” currently under discussion in the United Nations’ International Telecommunication Union.
The core of our global ICT infrastructure is built on commercial technology. Clarity and commercial reasonableness are essential to securing it. Future success requires agreement on three key elements:
1. A single taxonomy;
2. A set of foundational practices; and
3. The flexibility to deploy the right security for each OEM’s supply chain.
Only together can we be worthy of our customers’ trust.