
TIA CEO: Supply chain standard shows feds ‘they don’t have to be heavy handed’

The world recently came face-to-face with supply chain risk when nation-state hackers breached government and business alike through SolarWinds servers and other attack vectors. But supply chain controversies are nothing new to the telecommunications industry hardened by debates over Huawei.

The Telecommunications Industry Association (TIA), an industry group and standards body, recently released an interim white paper on its efforts to develop a supply chain standard for information and communications technology (ICT). SC Media spoke to TIA CEO David Stehlin about the risks, and how an emerging standard could thwart them.

How does TIA approach a supply chain standard? 

Stehlin: We recognize that security is a subset of quality. You can't have a quality product or solution or service, unless you have built-in trust, and built-in security. But there was no ICT specific, measurable standard for security. 

What we did was look at it from a quality perspective, looked at the landscape of all the various security standards that are out there, and recognized what was needed for a security-focused quality management system intended to look at the supply chain completely and holistically to prove and verify that the solution is trusted. We're calling it Supply Chain Security 9001.

This has been an interesting few weeks for supply chain and third-party risk, between the SolarWinds campaign and the Exchange Server vulnerabilities. But supply chain issues have come to a head before in telecommunications and ICT with Huawei, for example. What was the genesis of the standards effort?

I’ve spent 35 years in telecom. I know and I've seen how pervasive our networks are becoming. The reach is no longer just from your cell phone to somebody else's phone or from your wired phone in; it's completely pervasive through the internet with IoT devices that are managing devices in your home and in businesses. It's all connected. So the risk has gone up exponentially. That's number one. 

Number two, the networks have become much more software driven. That injects a huge amount of risk. On top of that move towards software-driven networks is the fact that a lot of software is open source. In fact, well over 90% of all solutions use some level of open-source software. Where's the provenance that's governing that, how is that managed and controlled, how do you ensure that someone doesn't do an upgrade or an update that isn't approved in advance? If you're a buyer of these services, whether you're an enterprise or even a consumer, you need to know these things. 

In the fourth quarter of 2019, we did our first landscape analysis. And then we brought the team together in the beginning of 2020. And so for the past 15 months or so now we've been working on the standard. In the first quarter of 2020, we put out our first whitepaper on this subject saying a standard was needed. It was kind of a call to action for the industry. The team has been growing significantly since then. We said at that time that it would take us about 18 months to get this thing done. We think that by the end of Q3 we'll have our first generally available release of this standard.

We knew we had to go fast. These recent issues didn't spur us to move any faster. They just reiterate the point that there needs to be a standard for supply chain security for the ICT industry.

We're at a stage now where the draft will be written in the next three months or so, we'll start pilots with a number of different companies, and then we have the first generally available release.

It’s interesting that you mention how important software is, because the supply chain issues in ICT are often posed in terms of hardware. 

Hardware, when developed, takes a long time. Software can be changed quickly and much more easily, which creates a lot of great new services and applications. As networks become more software-driven – which is fantastic from a feature perspective – we need to address the risk. 

For example, the FCC has been very supportive of what's called Open RAN. And the intent there is a good one at a high level, in that they want to create more suppliers for wireless networks. Today the supply of wireless networks are not U.S.-based. The friendly ones are Samsung, Nokia and Ericsson and then, of course, you have Huawei on the other end, using the RAN standard. But if you have an open-source version, OpenRAN, you can have other vendors provide just a piece of the network. It’s great to add more competition from U.S.-based companies, but not so good if you haven't addressed the security issues.

So what can we expect from the supply chain standard as it moves forward? 

The new white paper talks about defining security measures, and security domain controls, and looking at things like zero trust and provenance over where your hardware comes from. There's a lot of issues on the chip side with piracy and with counterfeit chips. So, understanding those types of things, as well as the software and management of the vulnerabilities. 

Our number one move is to bring in a third-party certification body that will evaluate your product or your solution versus the standard. That certification body comes in and does an analysis, and gives you a pass-fail grade. So, this isn't a maturity-model type of standard. It's one where you have to pass a standard. The fundamental thought is trust has to be verified, you can't assume it. You have to verify trust before you have trust. 

And then what we do is we take the data anonymized and put it into a database, so that you can benchmark and measure your performance versus others that have been evaluated. And we've done this on the quality management system for ISO 9000 for the past 20 years. 

Are there any issues of contention still being discussed?

The only issues that are being debated at this point are ensuring that it's a workable standard. One of the issues that sometimes pops up is that a standard can be so overwhelming that it's not workable. So that's why we wanted to make it relevant for our industry, where it's really measurable against things that are happening and not a generic standard.

Both with Huawei and with SolarWinds, the government has frequently intimated it might intervene with its own supply chain regulatory actions. Why is it important for the industry to show it can handle a supply chain standard on its own? 

It's really critical that industry stay ahead of the government on this one. Nobody likes a new standard. It forces you to do things you hadn't been doing, change your behavior, probably cost you a little bit of money on the upfront side. Nobody likes a new standard, but this is an example of why a new standard is really needed for this space. Number one, because it's the right thing to do in our connected society. Number two because industry needs to lead the government and show government that we are addressing this problem, and they don't have to be heavy handed.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
