Assessing the trustworthiness of ICT supply chains: why and how?

Anastasiya Kazakova, Public Affairs Manger

Growing in both complexity and scale, supply chain attacks have shown that the security of ICT supply chains is no longer a concern for companies’ procurement teams only. Economic losses and the revealed vulnerability of some critical infrastructure after the WannaCry and NotPetya attacks in 2018 made governments and policy makers think about measures regarding ICT supply chain resilience in order to secure societies and economies and ensure national security (for the latter, some governments even went forward with ‘naming and shaming‘ other states to whom they attributed those attacks).

These days the rapid roll-out of emerging technologies, including 5G connected devices in ‘smart industries’ and ‘smart cities’ (the Internet of Things), cloud computing makes the situation more complex for decision-makers: How to approach these new technologies? How to ensure ICT supply chain security? What are the appropriate technical and organizational measures that should be applied? How to assess the trustworthiness of ICT products?

The first normative attempts to address this challenge by policy makers have already been made. For instance:

• In January 2020, the European Commission adopted the 5G security toolbox listing eight strategic measures (such as better risk assessment), 11 technical measures (such as establishing baseline security requirements and ensuring compliance with them; strict access controls, etc.), and 10 supporting actions (such as guidelines and best practices, 5G standardization and certification, better cooperation and coordination, etc.);
• In June 2019, the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) produced the Cyber Supply Chain Risk Management Practitioner Guide, identifying four steps to manage risk.

At the same time, the UN Institute for Disarmament Research (UNIDIR) recently published a comprehensive review of existing normative responses to ICT supply chain risks together with a technical compendium – detailed information on particular normative frameworks and initiatives in this field.

However, little attention has been paid to non-technical aspects in assessing the trustworthiness of ICT products and ICT supply chains, i.e. their regulatory and corporate environment, management and organizational culture. And here we support experts that also call on policy makers to clearly define non-technical criteria and establish a framework for assessing the trustworthiness of ICT suppliers.

The industry has come forward with several suggestions on that – the Industrial Internet Consortium (IIC) has just announced its best practices for software trustworthiness. Written for developers, owner-operators and decision makers, the whitepaper not only addresses the critical aspects of creating trustworthy systems, but put a big focus on the confidence issue in the software – “if you want to convince others that your software should be trusted, you must be transparent, providing concrete evidence of best practices”. And this is true – if you are not transparent about how your technology works, customers won’t buy it. If they don’t understand it, they won’t trust it.

Kaspersky was one of the earliest pioneers in promoting greater transparency about product security, data management and business processes. We now openly share what we learned with the community and try to emphasize the importance of institutional trust and confidence in a supplier’s product while assessing its trustworthiness. The highest level of assurance cannot be achieved by simply inspecting technical aspects of this product. Broader environment-related, management and organizational culture issues need to be addressed to measure user trust in software.

So what are these issues, and what non-technical aspects have to be included in an evaluation for making better-informed decisions while inspecting the trustworthiness of ICT products? We shared them in the IIC’s publication and consider them to be as follows:

• Description and analysis of the surrounding business environment where the software is produced, including legal and political factors, governing laws and norms of behavior;
• Transparent communication over management-related and organizational processes for software development confirmed through an audit or certification, either by an independent third party or self-attestation, depending on your organization’s need for independent validation;
• Transparent reporting of the company’s practices relating to data management practices of their software products, updates and operational connections and interactions back to the developing organization or to a service provider;
• Ability to assess the developing organization’s internal development and maintenance processes. Software must be managed carefully with change control mechanisms that only allow authorized parties to modify the code and that enables changes to be tracked.

There may be different ways to implement these best practices above. For instance, we developed the concept of Transparency Centers in cybersecurity and a three-layer approach to provide timely firsthand information about how Kaspersky’s products work and how data management is organized at our company. We also provide the opportunity to review the source code and run a compilation process to build a new product from that code to assess how similar it may be with our publicly available products. Our approach may not work for everyone (as opening Transparency Centers is quite costly), but, for us, we considered it the right thing to do. And we will continue sharing our experience and lessons learned with other companies, policy makers and the community at large to identify new ideas and visions to secure global ICT supply chains. Because security matters.