IGF 2020 WS #176 Assurance and transparency in ICT supply chain security

Information

Session

Time:

Thursday, 12 November, 2020 - 09:00 to 10:30 UTC

Room:

Room 3

About this Session:

This workshop will examine how trust in global ICT supply chains – and the ICT products and services they are developing, deploying, and provisioning – can be strengthened through objective, risk-informed, and verifiable assurance and transparency measures that enhance security, safety, stability, and resilience of the Internet and underlying ICT.

Thematic Track:

Trust

Topic(s):

Capacity Development
Confidence-Building Measures
Cybersecurity Best Practices

Organizer 1: Anastasiya Kazakova, Kaspersky
Organizer 2: Arnaud Dechoux, Kaspersky
Organizer 3: Andreas Kuehn, EastWest Institute
Organizer 4: Katherine Getao, Ministry of Information, Communications and Technology, Kenya
Organizer 5: Mohamed SAAD, AUSIM

Speaker 1: Anastasiya Kazakova, Private Sector, Eastern European Group
Speaker 2: Katherine Getao, Government, African Group
Speaker 3: Mohamed SAAD, Civil Society, African Group
Speaker 4: Dr Amirudin Abdul Wahab, Government, Asia-Pacific Group
Speaker 5: Philipp Amann, Intergovernmental Organization, Intergovernmental Organization

Format:

Round Table - Circle - 90 Min

Description:

Ensuring security in global supply chains is critical to ensuring trust in ICT and the future of the digital society. Today’s ICT products and services (and the Internet itself) are comprised of a multitude of software, hardware, and service components, more often than not produced, assembled, or provisioned by third parties. Organizations (including operators of critical infrastructure), and firms rely heavily on a multitude of third-party vendors and service providers for their operations, with each of them having some degree of connectivity and dependency, each adding to difficult-to-manage third party risk. At the same time, sophisticated, targeted cyberattacks carried out by criminals exploiting supply chain vulnerabilities aggravate the situation further.

While global ICT firms have invested heavily in mitigating third-party risk, governments, particularly those in the Global South, and SMBs often lack the capacity and resources to manage ICT supply chain risk effectively. To address supply chain-related security concerns, some governments have also enacted restrictive measures, ranging from technical security reviews based on domestic standards to data localization requirements and foreign investment restrictions. This reflects, in some cases, also the geopolitical struggles and ill-guided attempts to exercise sovereign powers over global ICT supply chains and the Internet, which may further the fragmentation of the Internet and decouple the technological and economic universes.

Additional sources:

'Weathering TechNationalism: A Security and Trustworthiness Framework to Manage Cyber Supply Chain Risk', the EastWest Institute (EWI), https://www.eastwest.ngo/technationalism;
'Software Trustworthiness Best Practices Whitepaper', the Industrial Internet Consortium® (IIC™), https://www.iiconsortium.org/pdf/Software_Trustworthiness_Best_Practices_Whitepaper_2020_03_23.pdf;
'Supply Chain Security in the Cyber Age: Sector Trends, Current Threats and Multi-Stakeholder Responses', Oleg Demidov & Giacomo Persi Paoli, UNIDIR https://unidir.org/publication/supply-chain-security-cyber-age-sector-trends-current-threats-and-multi-stakeholder.

Issues:

The interactive moderated discussion will take place with experts representing different stakeholder groups and regions and exploring three particular elements (or conditions) of ICT supply chain security that shape risk and hence trust:

assessing risk and the threat landscape;
assurance frameworks and transparency measures; and
capacity and competence building

The challenges to trust in ICT supply chains need to be addressed concurrently on three levels, in coordination with government, corporate and civil society stakeholders in their respective roles as buyers/users, service operators, and vendors/manufacturers: technical, operational, and normative.

The session will take place with interventions from the audience to ensure a fruitful dialogue and exchange of views.

Policy Question(s):

The workshop will address two sets of guiding policy questions that fall into the sub-categories of the Trust track: #1 (cybersecurity policy, standards and norms), and #6 (the impact of digital sovereignty and Internet fragmentation on trust).

Guiding policy questions ‘cybersecurity policy, standards, and norms’:

What are the main existing and emerging cyber threats to global ICT supply chains?What is the modus operandi for cybercriminals and how has the threat landscape changed in this regard?
What are effective approaches to ensure the security and trustworthiness of ICTs and the underlying supply chains? What baseline requirements for cybersecurity should be applied to ensure security, sustainability and reliability of ICT supply chains?
What are the relevant norms of responsible behavior that states and industry should promote to strengthen ICT supply chain security? What are the relevant capacity building efforts that support the conditions to implement these norms?
What are the needs of digitally emerging countries and regions (i.e., the Global South) in this regard? What are the challenges governments in developed and/or developing countries (as a producer and/or consumer) are facing when assessing the security of ICTs and underlying supply chains? What are the needs of small and medium-sized enterprises (SMEs) regarding the ICT supply chain security?

Guiding policy questions ‘impact of digital sovereignty and Internet fragmentation on trust’:

What are key differences in approaches, including policies and frameworks, by different states and corporate actors to address ICT supply chain security? What are existing assurance frameworks and measures and what other additional measures could be deployed to strengthen global ICT supply chain security?
How can objective, risk-informed, and verifiable assurance and transparency measures be developed that enhance security, safety, stability, and resilience of the Internet and that will address trust in the supply chains and trustworthiness of suppliers?

Expected Outcomes:

The outcome will address challenges and possible solutions to address trust and trust deficits regarding ICT supply chain security in terms of technical, operational, and normative aspects to strengthen trust in ICT and contribute to safe and resilient cyberspace.

The discussion will shed light on the broader question of the role of trust in ICT. In particular, whether technical and operational measures are sufficient to ensure trust in ICT supply chains, and if not, what normative and confidence-building measures are considered effective to possibly close a remaining trust gap.

As a result of the workshop, the organizers plan to prepare a white paper that summarizes the key points of the discussion to advance the conversation within the global community.

Relevance to Internet Governance: ICT supply chain security should be a part of global discussions on Internet governance. We cannot speak about attaining the cyber-resilience of the Internet space and cyberspace without addressing the challenges of growing cyberattacks on ICT supply chains and a more sophisticated threat landscape. We cannot speak about the safety and security of the Internet and cyberspace while there are different levels of preparedness within and across different stakeholder groups – such as SMEs – and regions – such as the Global South – to address this problem since they are a part of global ICT supply chains too. We would also raise the growing politicization of the ICT supply chain agenda and, as a result of this and mistrust among states, increasingly fragmented regulation, and fragmented Internet space and cyberspace.

By discussing existing approaches of states to ensure ICT supply chain security through regulatory practices, we aim to identify those measures that increase fragmentation and, on the other hand, contribute to collaborative practices among states to keep the Internet space and cyberspace open and united.

Moderator:

Andreas Kuehn, Private Sector, Western European and Others Group (WEOG)

Online Moderator:

Arnaud Dechoux, Private Sector, Western European and Others Group (WEOG)

Rapporteur:

Arnaud Dechoux, Private Sector, Western European and Others Group (WEOG)

Online Participation:

Additional Tools proposed: Organizers will introduce gamification elements to the workshop with the help of Kahoot games and virtual polls to seek the audience's views on ICT supply chain security.

SDGs:

GOAL 8: Decent Work and Economic Growth
GOAL 9: Industry, Innovation and Infrastructure
GOAL 10: Reduced Inequalities
GOAL 17: Partnerships for the Goals

Agenda:

Agenda: 1h 30 min

Welcome word & introductory remarks by the moderator [5 min].

ICT Supply Chain Threat Landscape

Discussion on risks and cyberthreats to ICT supply chains: views by experts and reflections to questions from the audience [25 min].

Building confidence in ICT supply chains

Discussion on approaches to ensure the security and trustworthiness of ICTs and the underlying supply chains as well as to enhance assurance and transparency in ICT supply chain security: views by experts and reflections to questions from the audience [25 min].

Closing the capacity and competence gap

Discussion on how to strengthen ICT supply chain security through relevant norms of responsible behavior in cyberspace and what capacity building efforts could facilitate this process: views by experts and reflections to questions from the audience [25 min].

Wrap-up

Concluding remarks by the moderator and experts [10 min].

Report

1. Key Policy Questions and related issues:

What are the main existing and emerging cyber threats to global ICT supply chains?

What are effective approaches and measures to ensure ICT and supply chain security and trustworthiness? What are the relevant norms of responsible behavior that states and industry should promote to strengthen ICT supply chain security?

What are the needs of digitally emerging countries and regions (e.g., the Global South) as well as the needs of small and medium-sized enterprises (SMEs) regarding ICT supply chain security?

2. Summary of Issues Discussed:

Areas of broad support:

Ensuring security and trust in global supply chains for ICT products and services is essential for the digital transformation, however, sophisticated, targeted cyberattacks can undermine this process and pose a serious threat.
Governments, particularly those in the Global South, and SMEs often lack the capacity and resources to manage ICT supply chain risk effectively.
Transparency about ICT security and related processes, including how security vulnerabilities are handled, is extremely important.
Certification for modern ICT products and services is one of the solutions to enhance ICT security and, therefore, a buyer’s confidence in digital products.
Building trusted multi-stakeholder ecosystems/partnerships are important for capacity building, awareness-raising, and, therefore, effective mitigation of ICT supply chain risks.

Areas needing further discussion and development:

Enforcing good security practices and responsible behavior requires effective accountability measures across the ICT ecosystem. Further discussion is needed regarding the design, implementation, and enforcement of accountability measures. Establishing universal criteria for assessing security and trustworthiness for ICT and vendors can provide practical guidance for government and SME ICT buyers. These risk-informed criteria help buyers to select trustworthy technology.
TechNationalism and the increasing politicization of global ICT supply chains have led to calls for economic and technological decoupling, which poses a host of challenges, including the fragmentation of the Internet. Further discussion is needed to define effective, widely accepted ICT supply chain risk approaches and measures that take national security concerns into account while balancing commercial interest and innovation.
It is an open question if the ICT security certification is sufficient for building confidence and trust in technology. There were also different views if the certification and ICT supply chain security overall should be voluntary and based on voluntary industry commitments or required by law.

3. Key Takeaways:

Capacity building is critical, especially for developing regions and countries in the Global South and SMEs, which often lack the capacity, training, and resources to manage ICT supply chain risk effectively.
Building trusted multi-stakeholder ecosystems and partnerships are important for global capacity building, awareness-raising, and education to effectively mitigate ICT supply chain risks.
Transparency about ICT security and ICT security processes, including how security vulnerabilities are handled, is extremely important.
Guidelines for determining trustworthy ICT and technology vendors, based on international standards and risk management should be developed.
ICT security certification is one of the approaches that has received renewed attention, particularly in the EU and the US. However, implementing and scaling ICT certification across entire ICT supply chains are in an early stage.
Negotiations at the UN are important for developing and implementing norms of responsible behavior that address global ICT supply chain security. Coordination prevents fragmented approaches for tackling ICT supply chain risk and security.

4. Policy Recommendations or Suggestions for the Way Forward:

What policy sector(s) does this fall under? (leave blank if not sure):

Economic

Technical

Overarching governance issues

Issue and Recommendation:

Lack of capacity and resources in the Global South and among SMEs to address ICT supply chain security. Therefore, capacity-building efforts at global, regional and local levels are critical.

Who should take it?:

Governments, private sector, civil society and intergovernmental organizations

What policy sector(s) does this fall under? (leave blank if not sure):

Economic

Technical

Issue and Recommendation:

Lack of transparency about ICT security and related processes. ICT security vulnerabilities can be exploited by threat actors. Therefore, universal criteria that enhance transparency and strengthen the adoption of secure, trustworthy technology and vendors should be promoted.

Who should take it?:

Governments, private sector entities, including ICT manufacturers. UN negotiations should help set priorities, operationalize and coordinate activities by the different Member States.

What policy sector(s) does this fall under? (leave blank if not sure):

Technical

Issue and Recommendation:

ICT supply chain threats are not always visible or reported to LEA and cybersecurity experts. Therefore, greater cooperation and trusted partnerships between governments, including LEA community and cybersecurity professionals, is important for enhancing operational resources, including training and education, and expanding information sharing.

Who should take it?:

Governments, intergovernmental organizations (e.g., Europol, INTERPOL) and private sector entities should invest more in cooperating with each other and building trusted partnerships.

6. Final Speakers:

Speaker 1: Anastasiya Kazakova, Private Sector, Eastern European Group
Speaker 2: Katherine Getao, Government, African Group
Speaker 3: Salah Baina, Civil Society, African Group
Speaker 4: Dr Amirudin Abdul Wahab, Government, Asia-Pacific Group
Speaker 5: Philipp Amann, Intergovernmental Organization, Intergovernmental Organization

Moderator: Andreas Kuehn, EastWest Institute

7. Reflection to Gender Issues:

The discussion did not focus on gender-related issues in addressing the ICT supply chain security.

8. Session Outputs:

Ensuring security and trust in global supply chains for ICT products and services is essential for the digital transformation, however, sophisticated, targeted cyberattacks undermine this process and pose serious threats to cyberspace security and stability.
Governments around the world and particularly those in the Global South and SMEs often lack the capacity and resources to manage ICT supply chain risk effectively. However, more efforts are currently taken to increase awareness and enhance education and skills in the community. Livres blanc by AUSIM, Morocco http://www.ausimaroc.com/livre-blanc-la-transformation-digitale-au-maroc/ and CyberGuru courses from CyberSecurity Malaysia https://www.cyberguru.my/ have been mentioned as examples.
Transparency about how the technology works as well as how ICT security vulnerabilities are handled is extremely important. Kaspersky’s Global Transparency Initiative is one of the examples that aims at increasing transparency about the firm’s engineering and data management practices to strengthen trust in technology. https://www.kaspersky.com/transparency-center
Geopolitical tensions between governments and fragmentation in managing ICT supply chain risks pose an increasing challenge for the ICT ecosystem and ICT security. The issue of Technology Nationalism and its implications on supply chain securtiy has been thoroughly studied by the EastWest Institute’s report 'Weathering TechNationalism: A Security and Trustworthiness Framework to Manage Cyber Supply Chain Risk', https://www.eastwest.ngo/technationalism
Enhancing product security is important. To that end, security baseline requirements must be developed and implemented. The Geneva Dialogue – an international conversation led by the Swiss Federal Department of Foreign Affairs and the Diplo Foundation – has been identified as an effort that promotes baseline security requirements. https://genevadialogue.ch/
Certification and labels for modern software products and services are one of the working solutions to enhance product security and, therefore, people’s confidence in digital products. The example of currently developing cybersecurity certification schemes in the EU has been mentioned. https://ec.europa.eu/digital-single-market/en/eu-cybersecurity-certification-framework
Building trusted multi-stakeholder ecosystems and partnerships are important for capacity building, awareness-raising, and, therefore, effective mitigation of ICT supply chain risks. NoMoreRansom has been cited as one of the successful examples of public-private partnerships. https://www.nomoreransom.org/

9. Group Photo:

10. Voluntary Commitment:

Kaspersky commits to invest into enhancing cyber-resilience of the ICT ecosystem through its Cyber Capacity Building Program – dedicated training on product security evaluations for governments, academia, and companies.
The EastWest Institute commits to assemble and maintain a set of essential ICT supply chains security resources to support global cyber capacity building efforts for ICT and supply chain security, in collaboration with its global network of partners in governments, industry, academia, and civil society.

Main menu

IGF 2020 WS #176 Assurance and transparency in ICT supply chain security

Information