A growing number of global technology companies, including Huawei, ZTE, Lenovo and Kaspersky, have recently come under fire for unacceptable security gaps and vulnerabilities in their ICT products. Distributed around the world, these products have sparked debate about the safety of our technology supply chains: where they are made, who makes them and who controls them. And today, more than ever, there is a growing price to pay for losing control over your supply chain.
The globalisation of information and technology systems has given companies large and small more opportunities for economic prosperity and success. Governments, whether in developing or first-world countries, are handed the keys to greater efficiency and connectedness through this technology. However, it is becoming exceedingly clear that companies and governments alike must conduct proper and constant due diligence when procuring ICT products. This becomes particularly pertinent as one moves up the pyramid towards government departments and agencies, critical infrastructure and holders of highly sensitive data. These actors should not wait to learn this lesson: you either pay now, or you pay more later.
Concerns for Huawei Security
This has hit home recently, with growing tensions between British authorities and Huawei after the company failed yet again to fix the security holes identified in July in a British government report. The report found that technical and supply-chain “shortcomings” in Huawei products were exposing national telecommunications networks to new security risks. After a top official walked out of a meeting with the company, Huawei pledged US$2 billion to overhaul its security to meet British standards.
However, it may be too little, too late, as global trust in the company has diminished rapidly. Countries including Australia, New Zealand, the US and Japan have already significantly restricted their use of, and access to, Huawei’s products.
If this story sounds eerily familiar, it is. In October 2017, President Trump affirmed legislation banning the use of Kaspersky software and cybersecurity products within the US government. This radical move was the cherry on top of a long campaign to purge the Russian-based cybersecurity firm from US federal agencies, amid fears that it was being influenced by the Kremlin. Kaspersky went on to appeal the ban, but recently failed. The US Court of Appeals found that the ban was a reasonable response to security risks after hearing testimony that Kaspersky’s ties to Russia could jeopardise the security integrity of its products, with or without the company’s cooperation. Indeed, the ban was spearheaded by an official determination that the Russian government could use Kaspersky’s anti-virus software as a backdoor for espionage and hostile attacks against various information systems.
What Can You Do?
These security concerns are serious and could have significant implications for any company or government agency. However, there are simple steps you can take to analyse supply chain risks and protect your organisation from them when procuring ICT products. International and national standards exist that are designed to provide certification and assurance when selecting technology vendors, and to assist in managing information security.
The foremost is the Common Criteria Certification (CC), an international standard for computer security certification, which is part of the ISO/IEC 27000 family.
The CC gives users assurance that the security of a product has been rigorously and repeatedly tested in a way that corresponds to its intended use environment. The CC was built on a wide variety of existing standards and regulations, including the European ITSEC standard and the TCSEC standard designed by the US Department of Defense in the 1970s. By unifying these, companies and government agencies need only evaluate their ICT procurement against one set of standards that has been tried and tested for decades.
Specifically, the Common Criteria standards are:
- ISO/IEC 15408-1:2009 Information technology — Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model
- ISO/IEC 15408-2:2008 Information technology — Security techniques — Evaluation criteria for IT security — Part 2: Security functional components
- ISO/IEC 15408-3:2008 Information technology — Security techniques — Evaluation criteria for IT security — Part 3: Security assurance components
Utilising these standards is an essential step in managing your information security and ensuring your organisation constantly and effectively monitors its ICT supply chain. Conducting thorough due diligence on an ICT product provider must be the first step in this security process, as it can save time, money and reputation further down the track. International standards such as these should instil confidence and are deliberately designed to cover a broad range of industries. For Australian businesses specifically, the Australian Signals Directorate provides a directory of products that it has evaluated and listed as safe for use in Australian and New Zealand government agencies. This directory, the Evaluated Products List (EPL), can be searched online.
Concerns surrounding the security of ICT product providers around the world will likely grow, as organisations continue to build themselves on platforms of complex and diverse networks that both enable them and make them vulnerable. Companies and government agencies must continually assess their supply chain risk proactively rather than reactively, conducting appropriate due diligence and repeatedly reassessing the security of their ICT procurement. This process may be costly and time-consuming, but it is supported by a strong framework of international standards and other tools. The price is more than worth it, and if it is not paid at the beginning, it will inevitably be paid tenfold later down the track.