IGF 2020 WS #176 Assurance and transparency in ICT supply chain security

Information

Session

Thematic Track:

Topic(s):

Capacity Development
Confidence-Building Measures
Cybersecurity Best Practices

Organizer 1: Private Sector, Eastern European Group
Organizer 2: Private Sector, Western European and Others Group (WEOG)
Organizer 3: Private Sector, Western European and Others Group (WEOG)
Organizer 4: Government, African Group
Organizer 5: Civil Society, African Group

Speaker 1: Anastasiya Kazakova, Private Sector, Eastern European Group
Speaker 2: Katherine Getao, Government, African Group
Speaker 3: Mohamed SAAD, Civil Society, African Group
Speaker 4: Dr Amirudin Abdul Wahab, Government, Asia-Pacific Group
Speaker 5: Philipp Amann, Intergovernmental Organization, Intergovernmental Organization

Format:

Round Table - Circle - 90 Min

Description:

Ensuring security in global supply chains is critical to ensuring trust in ICT and the future of the digital society. Today’s ICT products and services (and the Internet itself) are comprised of a multitude of software, hardware, or service components, more often than not produced, assembled, or provisioned by third parties. Organizations (including operators of critical infrastructure), and firms rely heavily on a multitude of third-party vendors and service providers for their operations, with each of them having some degree of connectivity and dependency, each adding to difficult-to-manage third party risk. Trust in the security, integrity and reliability of the ICT that enables the Internet is under threat. Global ICT supply chains for ICT products and services are growing all the more complex, while concerns over unintentional vulnerabilities and hidden functionalities in ICT are growing. Sophisticated, targeted cyberattacks carried out by criminals exploiting supply chain vulnerabilities aggravate the situation further. While global ICT firms have invested heavily in mitigating third-party risk, governments, particularly those in the Global South, and SMBs often lack the capacity and resources to manage ICT supply chain risk effectively. Ensuring security in global supply chains for ICT products and services is essential for trust in the Internet and society’s widespread use of ICT. This requires that components of products and services must be traceable along the supply chain and the authenticity and integrity of these components must be demonstrable throughout their life cycle. Insecure ICT undermines trust in the Internet. To address supply chain-related security concerns, governments have enacted restrictive measures, ranging from technical security reviews based on domestic standards, to data localization requirements and foreign investment restrictions. This reflects, in some cases, also the geopolitical struggles and ill-guided attempts to exercise sovereign powers over global ICT supply chains and the Internet, which may further the fragmentation of the Internet and decouple the technological and economic universes. This workshop will examine how trust in global ICT supply chains – and the ICT products and services they are developing, deploying, and provisioning – can be strengthened through objective, risk-informed, and verifiable assurance and transparency measures that enhance security, safety, stability and resilience of the Internet and underlying ICT. In order to address trust in supply chains – and trustworthiness of suppliers – the workshop will explore three particular elements (or conditions) of ICT supply chain security that shape risk and hence trust. These three elements are: (a) assessing risk and the threat landscape; (b) assurance frameworks and transparency measures; and (c) capacity and competence building. The challenges to trust in ICT supply chains need to be addressed concurrently on three levels, in coordination with government, corporate and civil society stakeholders in their respective roles as buyers/users, service operators, and vendors/manufacturers: • Technical: including standards, technical guidance, and baseline requirements for cybersecurity to ensure secure, sustainable and reliable ICT supply chains; • Operational: including advanced cyber threats and ever-changing threat landscape, multistakeholder cooperation to address third party risk in digital environment, varying levels of capacity and competence of preparedness and maturity among key actors; and • Normative: including principles, and norms for global ICT supply chain security and mechanism for accountability. The workshop will identify gaps and state need for action regarding cybersecurity, capacity building, confidence building measures, and normative development opportunities for ICT supply chain security. Input is needed from different stakeholder groups, including government, law enforcement, private sector, technical community, as well as academia and NGOs. Speakers will discuss the existing challenge to ensure that SMEs as a part of global ICT supply chains have sufficient resources to ensure the integrity, security of their networks as well as have the appropriate means to address the ICT supply chain risks and cyberthreats. Given the stated need for cybersecurity capacity building in developing countries, as cited in current UN efforts such as the UN GGE and OEWG, and the ITU Global Cybersecurity Agenda, specific attention will be paid to the Global South. The workshop will use a roundtable format to engage with the audience through discussion and gain insights to the challenges and obstacles to addressing ICT supply chain security. The agenda is structured in a way so as to foster dialogue and interaction with IGF participants. Speakers will provide expert input to start and guide the roundtable’s discussion. Agenda: 1. Introduction. The moderator welcomes onsite and online participants, outlines the aims of the workshop, outlines the landscape of ICT supply chain security, and introduces the speakers, as well as recognizes and introduces other subject-matter experts at the workshop. [10 minutes] 2. Setting the stage. Speakers provide a short opening statement on one of the three elements of ICT supply chain security according to their expertise to identify the main challenges. Participants can ask short clarifying questions. Afterward, a short online survey is used to prioritize the main challenges and possible solutions. [20 minutes]. 3. Roundtable discussion. A structured discussion with all roundtable participants to address in turn the three elements of supply chain security: (a) risk assessment and threat landscape; (b) assurance frameworks and transparency measures; and (c) capacity and competence building. Moderators will encourage onsite and online engagement and ensure that all participants have equal weight and opportunity to intervene. To guide the discussion, each section will start off with a set of guiding questions. At the start and end of each section an online survey is used to capture the audience’s views to allow for a pre/post comparison. [50 minutes]. 4. Wrap-up. Concluding remarks from the moderator and a short final statement from the speakers on what awaits us in cyberspace with regard to ICT supply chain security, and an outlook on the next steps by one of the organizers. [10 minutes] Roles and contributions of speakers: The proposers of this workshop have curated a set of speakers and senior experts who will address the topic from specific vantage points: (1) a private cybersecurity company [Kaspersky]: the current threat landscape for the global ICT supply chain, and a report on its global corporate transparency efforts, including its network of transparency centers and measures to increase confidence and trust in cybersecurity products; (2) the technical community [AUSIM]: technical and organizational measures to secure the ICT supply chain, mitigating third party risk in the Global South; the perspective of SMEs and their needs to enhance ICT supply chain security; (3) government 1 [ICT Authority, Kenya]: roles of government as an ICT buyer; the ability to assess/trust the security of ICT; (4) government 2 [CyberSecurity Malaysia]: cybersecurity capacity-building efforts, approaches to address gaps in capacity and competence, and developing policies and guidelines to ensure ICT supply chain security; and (5) law enforcement [Europol]: crime related to malicious and counterfeit ICT in supply chains, technical means and law enforcement cooperation with the technical community and cybersecurity companies to protect global ICT supply chains. Seating: To facilitate in-depth, interactive discussion between the participants and the speakers, the workshop will use a round-table format. Preparation: (1) Preparation calls will be held for speakers, moderators and organizers prior to the workshop to familiarize with each other’s viewpoints and coordinate individual contributions to ensure that the discussion will cover different perspectives. (2) To raise awareness on the topic and collect additional input from a broader community, organizers will promote and highlight the workshop on social media through their different organizations and in different communities in advance. (3) Organizers will support and coordinate with the moderator to prepare relevant questions for the discussion with the speakers and an interactive part with audience in advance. Reporting and post-workshop activities: Results of the workshop’s online surveys will be included in the reporting. The organizers commit to produce a short follow-up publication that will include key findings from the workshop. The organizers will share said report with their respective communities and, where appropriate, advocate for action based on the workshop’s findings.

Issues:

Undermined trust in ICT supply chains due to vulnerable ICT has consequences for Internet governance. The workshop will address three distinct challenges to ICT supply chain security: (a) ICT risk assessment and threat landscape: To comprehend the risk of emerging ICT and the threats against supply chains, an assessment is needed to mitigate negative consequences to security and trust. New technologies, such as 5G communications networks, create immense challenges for security while potent threat actors have the potential to undermine the benefits that emerging technologies are supposed to yield. Ensuring resilience and safety in cyberspace, through ICT supply chain security, among others, is critical for trust. b) Assurance frameworks and transparency measures: Effective assurance and transparency measures are critical to mitigate these risk. Aided by a lack of effective measures, such as assurance frameworks, technical standards and specifications, the growing politicization of ICT supply chain security leads to growing fragmentation and mistrust, which go together with stifled innovation and greater costs rather than less risk and increased resilience. (c) Capacity and competence building: Experts are needed to assess and mitigate risk. Levels of preparedness and needs of different stakeholders and regions differ subject to their national or organizational cybersecurity maturity. Given the current build-up of digital infrastructure in many developing countries and emerging markets as well as international support for cybersecurity capacity building efforts, addressing ICT supply chain risk in the countries of the Global South provides a timely opportunity to get trust and ICT security right from the start. The next billions of users who will be joining the Internet will benefit from these efforts – if done right – and be able to rely on trusted ICT and effective risk mitigation methods that do not curtail competition or innovation, or have the potential to restrict digital freedoms as a consequence of restrictive government regulation.

Policy Question(s):

The workshop will address two sets of guiding policy questions that fall into the sub-categories of the Trust track: #1 (cybersecurity policy, standards and norms), and #6 (the impact of digital sovereignty and Internet fragmentation on trust). Guiding policy questions ‘cybersecurity policy, standards and norms’: 1) What are the main existing and emerging cyber threats to global ICT supply chains? What is the modus operandi for cybercriminals and how has the threat landscape changed in this regard? 2) What are effective approaches to ensure the security and trustworthiness of ICTs and the underlying supply chains? What baseline requirements for cybersecurity should be applied to ensure security, sustainability and reliability of ICT supply chains? 3) What are the relevant norms of responsible behavior that states and industry should promote to strengthen ICT supply chain security? What are the relevant capacity building efforts that support the conditions to implement these norms? 4) What are the needs of digitally emerging countries and regions (i.e., the Global South) in this regard? What are the challenges governments in developed and/or developing countries (as a producer and/or consumer) are facing when assessing the security of ICTs and underlying supply chains? What are the needs of small and medium-sized enterprises (SMEs) regarding the ICT supply chain security? Guiding policy questions ‘impact of digital sovereignty and Internet fragmentation on trust’: (1) What are key differences in approaches, including policies and frameworks, by different states and corporate actors to address ICT supply chain security? What are existing assurance frameworks and measures and what other additional measures could be deployed to strengthen global ICT supply chain security? (2) How can objective, risk-informed, and verifiable assurance and transparency measures be developed that enhance security, safety, stability and resilience of the Internet and that will address trust in the supply chains and trustworthiness of suppliers?

Expected Outcomes:

Leveraging different stakeholder groups attending the IGF, the workshop aims at facilitating outcome-oriented discussions to gain insights on ICT supply chain security, with a focus on the situation of developing countries and emerging markets. The outcome will address challenges and possible solutions to address trust and trust deficits regarding ICT supply chain security. This will occur along three categories: (a) providing insights on current risk and threats to ICT supply chains (i.e., what are the risks and threats to ICT supply chains that lower trust in ICT?); (b) identifying effective yet practical assurance and transparency measures (i.e., what measures can be put in place to protect against these risks and threats to strengthen trust in ICT?); and (c) identifying necessary capacity and competence to manage such measures and close capacity and competence gaps (i.e., what expertise and skills are needed to effectively implement such measures and overcome shortages in staffing and expertise?). Each category will be discussed in terms of technical, operational and normative aspects to strengthen trust in ICT and contribute to a safe and resilient cyberspace. The discussion should also shed light on the broader question of the role of trust in ICT. In particular, whether technical and operational measures are sufficient to ensure trust in ICT supply chains, and if not, what normative and confidence-building measures are considered effective to possibly close a remaining trust gap. As a result of the workshop, the organizers plan to prepare a white paper that summarizes key points of the discussion to advance the conversation within the global community. In particular, the organizers will take the findings to their respective industry and government communities (e.g., share findings with ongoing initiatives at the UNG GGE and OEWG to strengthen supply-chain-security-related capacity building efforts, but also consider advocating their implementation in ongoing corporate assurance and transparency efforts).

Relevance to Internet Governance: ICT supply chain security should be a part of global discussions on Internet governance. We cannot speak about attaining the cyber-resilience of the Internet space and cyberspace without addressing the challenges of growing cyberattacks on ICT supply chains and a more sophisticated threat landscape. We cannot speak about the safety and security of the Internet and cyberspace while there are different levels of preparedness within and across different stakeholder groups – such as SMEs – and regions – such as the Global South – to address this problem since they are a part of global ICT supply chains too. We would also raise the growing politicization of the ICT supply chain agenda and, as a result of this and mistrust among states, increasingly fragmented regulation and fragmented Internet space and cyberspace. By discussing existing approaches of states to ensure ICT supply chain security through regulatory practices, we aim to identify those measures that increase fragmentation and, on the other hand, contribute to collaborative practices among states to keep the Internet space and cyberspace open and united. We would also bring a normative level of the ICT supply chain security through the discussion of how norms, including adopted by the UN General Assembly in 2015 with regard to developments in the field of information and telecommunications in the context of international security (A/70/174), could assist global efforts in increasing multistakeholder dialogue and cooperation on keeping the Internet space and cyberspace trusted and secure. By bringing other stakeholder groups – including companies, the technical community and civil society – we would also identify contributions from those stakeholders and further possible areas for multistakeholder cooperation on ICT supply chain security to ensure that the Internet space and cyberspace remain cyber-resilient as well.

Relevance to Theme: The workshop directly addresses one of the IGF 2020 tracks – Trust – by setting the goal to identify possible ways to build trust between different communities and stakeholder groups through facilitating the exchange on perspectives regarding ICT supply chain security and the main challenges to that. It will also discuss possible solutions and practical ways to both advance overall cyber-resilience through ICT supply chain security and increase synergy between different stakeholder groups toward this end. This is to counteract a tendency toward politicization in states’ approaches to ensure ICT supply chain security. Such actions, in some instances, have led to unilateral, restrictive measures, fragmentation in cyberspace, and undermined rather than strengthened trust. The workshop will also cover responsibilities, needs and proposals of all stakeholder groups involved: governments, the law enforcement community, private companies and the technical community in order to address the need of building trusted and fruitful multi-stakeholder collaboration to enhance ICT supply chain security, and therefore contribute to a more secure and trusted cyberspace. Finally, by addressing a lack in capacity in managing third party risk in ICT supply chains, especially by governments in the Global South and SMEs, this workshop will contribute to greater trust in ICT through the exchange of best practices and lessons learned from effective assurance and transparency measures in cybersecurity and resilience. From this perspective, this workshop takes a holistic approach and has direct links to other tracks: • the track ‘Data’: assurance frameworks and transparency measures for evaluating the trustworthiness and security of ICT supply chains are integral to where data is processed and managed; • the track ‘Inclusion’: as part of the global ICT supply chain, the perspectives of countries of the Global South and smaller players (SMEs) in emerging and developed markets are essential to make critical steps towards global cyber-resilience.

Discussion Facilitation:

Seating: To facilitate in-depth, interactive discussion between the participants and the speakers, the workshop will use a round-table format. Preparation: (1) Preparation calls will be held for speakers, moderators and organizers prior to the workshop to familiarize with each other’s viewpoints and coordinate individual contributions to ensure that the discussion will cover different perspectives. (2) To raise awareness on the topic and collect additional input from a broader community, organizers will promote and highlight the workshop on social media through their different organizations and in different communities in advance. (3) Organizers will support and coordinate with the moderator to prepare relevant questions for the discussion with the speakers and an interactive part with audience in advance.

Online Participation:

Usage of IGF Official Tool. Additional Tools proposed: Organizers will explore the use of audio-visual material (i.e., presentation slides, images, videos, infographics) throughout the workshop to animate the session and aid those whose native language may not be English. In addition, to further active participant interaction, there would be several brief online questionnaires offered to both the onsite and remote audience to poll participants in real-time on their views and collect feedback on the discussion. The remote moderator will make sure that all remote participants have a chance to share their views and ask questions during the workshop. Organizers will use social media to promote the workshop in the days before leading up to the IGF and share the workshop’s findings after the meeting concluded. Experts will also provide additional references and literature to the audience to present different stakeholder groups’ and regions’ perspectives on the topic.

SDGs:

GOAL 8: Decent Work and Economic Growth
GOAL 9: Industry, Innovation and Infrastructure
GOAL 10: Reduced Inequalities
GOAL 17: Partnerships for the Goals

Background Paper