SUPPLY CHAIN RISK MANAGEMENT: HOW TO BETTER PROTECT THE “DIGITAL ARTERIES” OF THE GLOBAL ECONOMY
In the era of comprehensive economic globalization, the role of supply chains can hardly be overestimated. By linking the different stages of production, they enable the global division of labor and thus allow the world economy to develop and move forward.
In recent years, everyone has witnessed the damage caused by any break in the functioning of supply chains, most notably during the COVID-19 pandemic, when closed borders disrupted supply chains, almost brought the entire global economy to a halt and pushed the world to the verge of an economic crisis.
However, it is not only real-world viruses that threaten the integrity of supply chains. Attempts to use malicious software to disrupt supply chains are growing constantly. Unsurprisingly, this issue has caught the attention of both national governments and leading private stakeholders, and it is actively debated at the most influential international venues, including the United Nations and the Geneva Dialogue.
Kaspersky, as a major global cybersecurity vendor, cannot but take an active part in discussing effective supply chain risk management. In particular, we provided remarks on supply chain risk management during another round of the informal dialogue (July 11) under the aegis of the Open-Ended Working Group on security of and in the use of ICTs.
Our input includes, inter alia, a set of recommendations to enhance supply chain cybersecurity.
#1. Cybersecurity of every link matters
When securing supply chains, it is important to remember that a vulnerability in a single element poses a substantial risk to the whole supply chain, because attackers look for and exploit the weakest link. In this regard, all elements of a supply chain, together with their producers and distributors, should be subject to a comprehensive assessment aimed at identifying potential risks, and that assessment should extend to the components and services those producers themselves depend on, since a link that is not assessed is exactly where an attacker will start.
#2. Incentivize suppliers and customers to use only secure ICT products and services
In our view, an effective supply chain risk management policy can be developed and implemented only by working with both suppliers and customers of ICT products and services. On the one hand, governments could consider introducing relevant regulation combined with non-binding guidelines (for example, self-attestation mechanisms) that would establish comprehensive, evidence-based certification schemes for ICT vendors. On the other, a framework should be developed that incentivizes customers to prioritize the security of the products and services they procure. We believe that such a two-pronged approach would greatly contribute to the production and use of secure IT solutions in supply chains, while closing the loopholes that allow vulnerable IT products and services to be used.
#3. Promote transparency among ICT suppliers
At the same time, the corporate sector (for instance, ICT vendors) can also contribute to the creation of an effective supply chain risk management framework. This can be done, in particular, by implementing self-evaluation mechanisms and by being more transparent with potential customers. To illustrate, Kaspersky implements its Global Transparency Initiative (GTI), which aims to prove the security and trustworthiness of its solutions to existing and potential partners through demonstration and verifiable testing. We encourage other IT vendors to develop and implement similar mechanisms to promote transparency, and thus the security of the industry as a whole.
#4. Be careful with open-source code
Particular attention should also be paid to the issues connected with the use of open-source code in creating ICT solutions for supply chains. Although open source offers ample opportunities for ICT developers worldwide, using it without appropriate precautions poses significant risks for supply chains: unvetted components can carry unpatched vulnerabilities, and they typically enter a product through dependency trees that the consuming organization never reviews, which makes them attractive targets for malicious actors. At a minimum, the components a build consumes should be pinned, verified against the version that was vetted, and tracked so that newly disclosed vulnerabilities in them can be found and patched. To counter these threats more broadly, collaborative public-private measures need to be developed to enhance the trustworthiness of open-source software. The corporate sector can also contribute to securing open-source components. In particular, leading IT vendors could invest in developing secure-by-design open-source modules that can be used by all industry members, including small and medium-sized businesses.
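One concrete precaution of this kind, as an added example that is not part of the original post and not a Kaspersky tool: a pin-and-verify check in Python that refuses a build when a fetched open-source component has no recorded digest, does not match the digest recorded when it was vetted, was pinned but never fetched, or was fetched without ever being approved. The package names, lockfile and artifact bytes are constructed for the illustration; a real tool would read a package manager's lock format and the downloaded files from disk.

```python
"""
Pin-and-verify check for third-party components (added example).

Assumed, constructed inputs: a tiny "lockfile" mapping each component's
file name to the SHA-256 hex digest recorded when it was vetted, and the
artifacts a build has just fetched, held as bytes. A real tool would read
both from disk or from a package manager's lock format.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Finding:
    component: str
    status: str   # "ok", "mismatch", "unpinned", "missing" or "unlisted"
    detail: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_components(lockfile: Dict[str, Optional[str]],
                      artifacts: Dict[str, bytes]) -> List[Finding]:
    """Compare every fetched artifact against the pinned digest.

    Every deviation is reported rather than silently skipped: a component
    with no pinned hash cannot be verified at all, a hash mismatch means the
    artifact differs from what was vetted, and an artifact that is not in
    the lockfile is a dependency nobody approved.
    """
    findings: List[Finding] = []
    for name, expected in lockfile.items():
        if expected is None:
            findings.append(Finding(name, "unpinned", "no digest pinned; cannot verify"))
            continue
        data = artifacts.get(name)
        if data is None:
            findings.append(Finding(name, "missing", "pinned component was not fetched"))
            continue
        actual = sha256_hex(data)
        # constant-time comparison of the hex digests
        if hmac.compare_digest(actual, expected.lower()):
            findings.append(Finding(name, "ok", actual))
        else:
            findings.append(Finding(name, "mismatch", f"expected {expected}, got {actual}"))
    for name in artifacts:
        if name not in lockfile:
            findings.append(Finding(name, "unlisted", "fetched but not in lockfile"))
    return findings


def passes(findings: List[Finding]) -> bool:
    """Fail closed: the build may proceed only if something was checked
    and every finding is 'ok'."""
    return bool(findings) and all(f.status == "ok" for f in findings)


# Constructed sample data (not real packages): what was vetted ...
VETTED_LIBPARSE = b"libparse 1.2.0 source tarball (constructed)"
VETTED_NETUTIL = b"netutil 0.9.3 wheel (constructed)"

SAMPLE_LOCKFILE: Dict[str, Optional[str]] = {
    "libparse-1.2.0.tar.gz": sha256_hex(VETTED_LIBPARSE),
    "netutil-0.9.3.whl": sha256_hex(VETTED_NETUTIL),
    "leftpad-0.0.1.tgz": None,          # added to the lockfile without a digest
    "cryptolib-3.1.tar.gz": sha256_hex(b"cryptolib 3.1 (constructed)"),
}

# ... and what the build actually fetched.
SAMPLE_ARTIFACTS: Dict[str, bytes] = {
    "libparse-1.2.0.tar.gz": VETTED_LIBPARSE,                    # unchanged
    "netutil-0.9.3.whl": VETTED_NETUTIL + b"\n# injected code",  # tampered in transit
    "leftpad-0.0.1.tgz": b"leftpad 0.0.1 (constructed)",
    "extra-9.9.tgz": b"unexpected transitive dependency (constructed)",
    # cryptolib-3.1.tar.gz was never fetched
}


def run_sample_check() -> List[Finding]:
    return verify_components(SAMPLE_LOCKFILE, SAMPLE_ARTIFACTS)


if __name__ == "__main__":
    results = run_sample_check()
    for f in results:
        print(f"{f.status:9} {f.component}: {f.detail}")
    print("build may proceed:", passes(results))
```

Run it as a script to see the five findings for the constructed data. The design choice worth noting is that "unpinned" is treated as a failure, not a warning: a component with no recorded digest can be silently replaced between review and build, which is precisely the gap an attacker targeting the weakest link will use.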
In conclusion, Kaspersky firmly supports efforts aimed at strengthening international dialogue on supply chain risk management. In our view, the focus here could be on improving mechanisms for sharing and implementing best practices, including webinars and other forms of training. In this regard, we also support the idea of establishing a voluntary glossary of key technical ICT terms to promote mutual understanding. At the same time, we believe that the corporate sector could play a greater role in building cyber capacity with respect to supply chain risk management, as leading ICT vendors, including Kaspersky itself, already have a wealth of experience in providing training to cyber authorities, other government agencies and businesses around the world, particularly in developing countries.
In June, the GTI marked its 5th anniversary. You can find the major highlights here.