The global cyber security challenges
Writer: Andy Purdy (USA Cyber Security Officer)
Resources from: Huawei Whitepaper, Huawei Technologies
Date: June 2016
While there is still no simple answer to the cyber security challenge, it is increasingly apparent that there are steps the global community, as well as individual organizations, can take to drive demonstrable progress in reducing cyber security risk. These include collaborating to reach agreement on principles, laws, standards, best practices, norms of conduct and protocols, with the recognition that trust has to be earned and continuously validated.
The NIST Cyber Security Framework is a tool that can help an organization understand its risk level and chart a path toward a more appropriate and sustainable risk environment and state of preparedness.
For an organization to move to a more appropriate, sustainable and transparent supply chain risk posture, three things are required:
- An understanding of what supply chain risk is
- Knowledge of how to address the risk
- Motivation to act, driven internally or externally, together with accountability if the organization falls short
The most progress has been made on risk awareness, that is, on what stakeholders need to worry about most.
Cyber security supply chain risk
An important tool that helps organizations address cyber security risks is the O-TTPS (Open Trusted Technology Provider Standard), which focuses on supply chain and third-party risk. O-TTPS Version 1.0, "Mitigating Maliciously Tainted and Counterfeit Products", was recognized by ISO during the second half of 2015.
http://www2.opengroup.org/ogsys/catalog/C139
The EastWest Institute (EWI) Global Cooperation in Cyberspace initiative works to drive collaboration among key cyber stakeholders to address some of the major, difficult cyber issues. One focus is its breakthrough group, co-led by Huawei, Microsoft and The Open Group, which promotes the global availability and use of more secure ICT products and services by developing a framework for a risk-informed, fact-based, global level playing field for ICT products.
A critically important issue is how to motivate stakeholders who appreciate the importance of supply chain risk, and know what they need to do about it, to take the necessary actions and to be held accountable if they fail to do so. The bottom line is that governments and major private organizations need to step up and drive more significant, better coordinated progress on supply chain risk if we are to take full advantage of the benefits of ICT to make the world a better place for its citizens.
The white paper focuses on cyber security supply chain risk.
An organization should understand its overall cyber security risk and preparedness posture, of which supply chain risk is one important component, and should develop and implement a plan to address it. The NIST Cybersecurity Framework is important here: it helps an organization understand its risk and chart a path toward a more appropriate and sustainable cyber risk environment and state of preparedness. The framework provides one piece of the puzzle with regard to addressing the risk an organization faces: a standards-neutral tool for assessing its own cyber security risk and preparedness, with readily accessible references to standards and best practices, which lets it set a course toward a more appropriate security posture given its risk environment and unique circumstances.
Some activities taking place around the world can contribute to the effort to address supply chain risk: SAFECode; Underwriters Laboratories; the ENISA report on European supply chain integrity; the EastWest Institute's cyber initiative; in the UK, CPNI and the Trustworthy Software Initiative; in China, cyber security and anti-terrorism legislation; in Japan, government efforts to implement a strategy on supply chain risk; and in the USA, initiatives in the energy, defense and financial sectors to address this issue.
The O-TTPS standard identifies and categorizes applicable technology-industry secure engineering and supply chain integrity best practices whose systematic use can make a vendor's products worthy of being considered more secure and trustworthy by commercial or governmental enterprise customers. Accreditation is granted only after an independent third-party evaluator confirms it is warranted. O-TTPS can help meet the need of suppliers and buyers of ICT for greater clarity than they get from multiple standards about what to develop and how, and what to purchase and why.
Proactively managing cyber security in general, and global supply chain risk in particular, requires transparency and an even-handed, collaborative approach across the industry, between and among the public and private sectors.
In the 2014 white paper, Cyber Security Perspectives: 100 requirements when considering end-to-end cyber security with your technology vendors (December 2014), we detailed our top 100 requirements list, which focuses on the security-related requirements that buyers of technology should consider asking of, or requiring from, technology vendors. In many countries the number of legal and industry requirements relating to cyber security was increasing, and some governments and regulators were beginning to impose accountability and liability on national critical infrastructure providers and IT service providers for failures related to cyber security. Huawei optimistically anticipated that more companies would be required to detail both their approach to cyber security and the analysis and assessment they undertake to evaluate the risk from their technology vendors and service providers.
Success factors for an organization to address cyber security risks
Success factors are an important part of the journey to a more secure state. It is essential for every organization to recognize and put in place key mechanisms that can help it successfully manage risk, informed by its own experience and that of other organizations, and customized for its particular industry, organizational structure and culture, and risk environment. The key success factors for addressing organizational security risk are commitment, governance, clear security requirements, consistent processes, performance metrics for individuals, internal compliance and transparency.
Organizations should make a commitment at all levels to address cyber security and privacy risks, and should systematically incorporate these risks into their risk management program as part of an over-arching strategy to inform, prioritize and address current and future risk challenges.
Clear internal governance roles and responsibilities
- Active involvement of leadership and senior management from across the organization
- Top leadership continually monitoring the effectiveness of risk management and of program implementation
- Senior leadership must own the risk management process and its results
- Incorporating cyber security risks into organizational risk management is vital, including establishing processes and mechanisms to create and implement mitigation plans, even for very unlikely occurrences
- Performance metrics that align with the baseline requirements
- Consistent and replicable processes embedded in the regular business operations of the organization, continuously improved as circumstances change
- An internal compliance and verification program based on the separation-of-duties principle, to enable independent assessment and continuous improvement
- Openness and transparency with customers and stakeholders regarding risk management progress, successes and failures. This transparency, coupled with individual and organizational accountability, makes it possible to address risk dynamically in a fluid risk environment
The NIST Framework: a Tool for assessing organizational Cyber Security Risks
The framework is a prioritized, flexible, repeatable, performance-based and cost-effective approach that uses a voluntary, risk-based set of industry standards and best practices to help organizations manage cybersecurity risks.
- The framework focuses on using business drivers to guide cyber security activities and considers cybersecurity risks as part of the organization's risk management processes.
- The framework gives organizations one piece of the puzzle concerning the risk they face: a standards- and vendor-neutral tool to assess their own level of risk and preparedness that guides them toward a more appropriate security posture given their risk circumstances.
- It helps organizations compare their risk management with that of suppliers and business partners.
- It is a starting point for better understanding and improving their risk posture.
- It serves as a risk analytic tool and a translation engine.
- It provides insight into what an organization needs to consider from a risk and preparedness perspective, and references existing standards that organizations can use to inform risk evaluation and the path forward to meaningful risk mitigation and management.
Supply Chain Risk – Organizations need to understand it and address it
The risk that an adversary may sabotage, maliciously introduce unwanted function into, or subvert the design, integrity, manufacturing, production, distribution, installation, operation or maintenance of a covered system so as to surveil, deny, disrupt or degrade the function, use or operation of that system.
- Threats: sabotage, tampering, counterfeiting, piracy, theft, destruction, disruption, exfiltration, infiltration, subversion, diversion, export control violations, corruption, social engineering, insider threat, pseudo-insider threat and foreign ownership
- Examples of threats:
  - Installation of malicious logic on hardware or software
  - Installation of counterfeit hardware or software
  - Failure or disruption in the production or distribution of a critical product or service
  - Reliance upon a malicious or unqualified service provider
  - Unintentional introduction of vulnerabilities into hardware or software
Tainted products are a main threat in the supply chain, and preventing them is a critical task.
- Establishing and maintaining an effective traceability system for components and products is important to minimize the risk of tainted and counterfeit products entering the supply chain.
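The traceability point above can be made concrete. The following is an added example, not code from the white paper or from any vendor: a supplier publishes a manifest that records, for every component in a shipment, its origin (supplier and lot) and a SHA-256 digest, and authenticates the manifest with an HMAC under a key shared with the buyer (a stand-in for a proper digital signature). The receiving organization re-hashes what it actually unpacked and reports components that were altered (tainted), components not on the manifest (possibly counterfeit or substituted) and components that never arrived. All component names, contents, supplier names, lots and the key are constructed for the demonstration.

```python
"""Component traceability check for a constructed hardware/software shipment.

Added example, not from the white paper: the supplier's manifest binds each
component to a digest and an origin record, and an HMAC over the manifest
stands in for a signature. The buyer verifies the manifest, then checks
every received component against it.
"""
import hashlib
import hmac
import json

# Constructed shared key for the demo; a real deployment would use an
# asymmetric signature over the manifest rather than a shared secret.
SUPPLIER_KEY = b"demo-supplier-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(components: dict, origins: dict, key: bytes) -> dict:
    """Create {entries: {name: {digest, supplier, lot}}, mac} for a shipment."""
    entries = {
        name: {"digest": sha256_hex(blob), **origins[name]}
        for name, blob in components.items()
    }
    body = json.dumps(entries, sort_keys=True).encode()  # canonical form to MAC
    return {"entries": entries, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_shipment(manifest: dict, received: dict, key: bytes) -> dict:
    """Compare received components against the manifest.

    Returns manifest_ok (bool), tampered / unknown / missing (sorted lists of
    component names) and trace (origin record for every component that matched).
    """
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected_mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    manifest_ok = hmac.compare_digest(expected_mac, manifest["mac"])
    entries = manifest["entries"]

    tampered = sorted(n for n, blob in received.items()
                      if n in entries and sha256_hex(blob) != entries[n]["digest"])
    unknown = sorted(n for n in received if n not in entries)
    missing = sorted(n for n in entries if n not in received)
    trace = {n: {"supplier": entries[n]["supplier"], "lot": entries[n]["lot"]}
             for n in received if n in entries and n not in tampered}
    return {"manifest_ok": manifest_ok, "tampered": tampered,
            "unknown": unknown, "missing": missing, "trace": trace}


# --- constructed shipment as the supplier declared it -----------------------
SHIPPED = {
    "bootloader.bin": b"\x7fELF-demo-bootloader-v1",
    "radio_fw.bin": b"demo-radio-firmware-v3",
    "psu_module": b"part:PSU-100 rev B",
}
ORIGINS = {
    "bootloader.bin": {"supplier": "Acme Silicon (constructed)", "lot": "L-2016-04"},
    "radio_fw.bin": {"supplier": "Acme Silicon (constructed)", "lot": "L-2016-04"},
    "psu_module": {"supplier": "Example Power Co (constructed)", "lot": "P-77"},
}
MANIFEST = build_manifest(SHIPPED, ORIGINS, SUPPLIER_KEY)

# What the buyer actually unpacked (constructed): the radio firmware was
# altered in transit, the PSU never arrived, and an unlisted part appeared.
RECEIVED = {
    "bootloader.bin": b"\x7fELF-demo-bootloader-v1",
    "radio_fw.bin": b"demo-radio-firmware-v3-with-extra-bytes",
    "debug_probe": b"unlisted part",
}


def demo() -> dict:
    return verify_shipment(MANIFEST, RECEIVED, SUPPLIER_KEY)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest check runs before the per-component comparison because a manifest that has itself been edited (for example to add an entry for the unlisted part) would otherwise launder the substitution; with the MAC mismatch surfaced first, the receiving team knows not to trust any of the origin records in that document.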
Organizations are beginning to understand the importance of supply chain risk
The supply chain for an ICT product typically consists of hundreds or even thousands of components from a similar number of companies, involving multiple processes and geographic locations.
- At present, organizations are less likely to think about risk from suppliers and third-party providers and more likely to think of risk from the perspective of a user or operator of a network or ICT system.
- Huawei and Microsoft have long recognized the potential for hostile actors to insert malicious, unwanted and unauthorized functions, or counterfeit elements or components, into the global ICT supply chain, to be used later to disrupt or degrade technology systems or to facilitate surveillance.
- This presents a challenge for governments and businesses that, at a minimum, requires recognition that supply chain risk is a shared problem, one that necessitates cooperation among stakeholders to find solutions founded on standards and best practices and to work to implement them.
Initiatives to address supply chain risks
SAFECode – The Software Assurance Forum for Excellence in Code (SAFECode) is a global, industry-led non-profit organization working to increase trust in ICT products and services by promoting the availability, awareness and use of more secure and reliable software, hardware and services.
- SAFECode brings together subject matter experts with experience in managing complex global processes regarding software development, integrity controls and supply chain security.
- SAFECode created a framework to help organizations select the most appropriate process-based assessment method for evaluating the development processes of commercial technology providers when there is no applicable international standard.
8.2 Underwriters Laboratories
UL is an independent global safety science company working to help safeguard people, products and places by providing comprehensive functional safety services.
- It has a testing and certification scheme for products carrying the UL seal, indicating conformance with a specific set of requirements unique to that product.
- Its Cybersecurity Assurance Program (CAP) is working on a program for testing, rating and certifying connected devices, with an initial focus on industrial control systems and medical devices.
8.3 ENISA
The EU Agency for Network and Information Security (ENISA) report "Supply Chain Integrity" gives an overview of ICT supply chain risks and challenges and a vision for the way forward, and recommends that supply chain participants follow good practices that provide a basis for understanding and addressing ICT supply chain risk.
- The report recommends that governments work with the private sector to develop international frameworks to facilitate comparative assessment of ICT supply chain risk management efforts.
- The report recommends that such frameworks be risk-based and grounded in good threat modelling; transparent; consistent; flexible; standards-based; and based on recognition of the reciprocity that characterizes international trade relations.
- ENISA reports that although many countries, industries and agencies have concerns about supply chain risk, their efforts to address these have been fragmented and lacking in coordination, and that greater cooperation is necessary.
- The report identifies the need for a consistent view, practices and metrics that would result in an appropriately coordinated program, including in R&D; the need for independent evaluation and certification; the supply chain integrity framework referenced above; and the need to consider legislative action.
- ENISA recommends that ISO develop a framework to measure and evaluate supply chain integrity so that performance can be measured.
- ISO recognized and released the O-TTPS as a new standard shortly after the ENISA report, indicating that supply chain integrity frameworks are a common need.
8.4 Chinese Government Initiatives
- The first Chinese Counter-Terrorism Law (CTL) took effect on 1 January 2016. It outlines obligations for telecom and internet enterprises to cooperate with government authorities in investigating terrorist activities, and these obligations may have a significant impact on the operation of internet and tech firms in China.
- Telecom and internet service providers are required to support and assist efforts by government and national security authorities engaged in the lawful conduct of terrorism prevention and investigation.
- The CTL requires internet service providers to implement network security and information and content monitoring systems, and to adopt technical security measures to prevent the dissemination of information containing terrorist or extremist content.
- In July 2015 China issued a draft cyber security law covering a range of issues: cyber security certification and inspection for critical network equipment, requirements for specialized network security products, and security inspection of the procurement of network products and services by critical information infrastructure operators. It would require the localization of personal data held by critical information infrastructure operators.
8.5 UK Government approach to supply chain risk
- In the UK, the Centre for the Protection of National Infrastructure (CPNI) has warned organizations of the national security threats that can come from the global ICT supply chain (terrorism, cyber-attacks and large-scale cyber-crime).
- CPNI awareness efforts: organizations should incorporate supply chain risk into an existing risk management approach.
- CPNI advises organizations to implement a risk mitigation plan that includes:
  - Comprehensive mapping of all tiers of the upstream and downstream supply chains, down to the level of individual contracts
  - Risk-scoring each contract so that it links into the organization's existing security risk assessment
  - Due diligence
  - Accreditation
  - Assurance of suppliers
  - Adoption, through contracts, of proportionate and appropriate measures to mitigate risk
  - Audit arrangements
  - Compliance monitoring
  - Contract exit arrangements
- The UK Trustworthy Software Initiative (TSI), supported and funded by the UK government's National Cyber Security Programme (NCSP), has a mission to promote trustworthy software among the supply, demand and education communities through a risk-based, whole-lifecycle process.
- TSI created a compendium of relevant standards and best practices and incorporated it into its Trustworthy Software Framework (TSF).
- The framework has been formalized in a British Standards Institution publicly available specification, PAS 754:2014 "Software trustworthiness – governance and management – specification".
- It includes technical, physical, cultural and behavioural measures alongside effective leadership and governance techniques to address five key facets of trustworthiness: safety, reliability, availability, resilience and security.
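The first two items of the CPNI risk mitigation plan above (mapping every tier of the supply chain down to individual contracts, and risk-scoring each contract) are the mechanical part of that advice, and the remaining items (due diligence, accreditation, assurance, audit, compliance monitoring, exit arrangements) are the controls a contract should carry. The following added example, which is not code from CPNI, the white paper or any named organization, models that: it walks a constructed contract register outward from the organization to assign each contract a tier, scores every contract by its criticality and by how many of the listed controls it lacks, and rolls the worst score found anywhere beneath a tier-1 supplier back up to that supplier's contract, so that a weak tier-3 sub-supplier is visible at the contract the organization actually signed. The scoring weights, threshold, organization names and contract data are all constructed; a real programme would use the organization's own risk scale.

```python
"""Multi-tier supply chain mapping and contract risk scoring.

Added example, not from CPNI or the white paper. The control names follow the
CPNI list on the page; the scoring formula and all data are constructed.
"""
from collections import deque

# Controls from the CPNI plan; each missing control raises a contract's score.
CONTROLS = ("due_diligence", "accreditation", "assurance",
            "audit", "compliance_monitoring", "exit_arrangement")

# Constructed contract register: buyer -> supplier, criticality 1 (low) to 5 (high).
CONTRACTS = [
    {"id": "C-001", "buyer": "OurOrg", "supplier": "NetVendor", "criticality": 5,
     "controls": {c: True for c in CONTROLS}},
    {"id": "C-002", "buyer": "OurOrg", "supplier": "CloudHost", "criticality": 4,
     "controls": {**{c: True for c in CONTROLS}, "exit_arrangement": False}},
    {"id": "C-101", "buyer": "NetVendor", "supplier": "ChipFab", "criticality": 5,
     "controls": {**{c: False for c in CONTROLS}, "due_diligence": True}},
    {"id": "C-102", "buyer": "NetVendor", "supplier": "BoardHouse", "criticality": 3,
     "controls": {c: True for c in CONTROLS}},
    {"id": "C-201", "buyer": "ChipFab", "supplier": "RareMetalsCo", "criticality": 2,
     "controls": {c: False for c in CONTROLS}},
    {"id": "C-301", "buyer": "Orphan", "supplier": "Somebody", "criticality": 1,
     "controls": {c: True for c in CONTROLS}},   # not reachable from OurOrg
]


def score_contract(contract: dict) -> int:
    """Constructed weighting: criticality times (1 + number of missing controls)."""
    missing = sum(1 for c in CONTROLS if not contract["controls"].get(c, False))
    return contract["criticality"] * (1 + missing)


def _by_buyer(contracts: list) -> dict:
    index = {}
    for c in contracts:
        index.setdefault(c["buyer"], []).append(c)
    return index


def map_tiers(contracts: list, root: str) -> dict:
    """Breadth-first walk from the root buyer; returns {contract_id: tier}.

    Contracts not reachable from the root are absent from the result, which is
    itself a finding: supply relationships the organization has not traced.
    """
    by_buyer = _by_buyer(contracts)
    tiers, queue, seen = {}, deque([(root, 0)]), {root}
    while queue:
        org, depth = queue.popleft()
        for c in by_buyer.get(org, []):
            tiers[c["id"]] = depth + 1
            if c["supplier"] not in seen:
                seen.add(c["supplier"])
                queue.append((c["supplier"], depth + 1))
    return tiers


def inherited_exposure(contracts: list, contract_id: str) -> int:
    """Highest score of this contract or of any contract beneath its supplier."""
    by_id = {c["id"]: c for c in contracts}
    by_buyer = _by_buyer(contracts)
    worst, stack, seen = 0, [by_id[contract_id]], set()
    while stack:
        c = stack.pop()
        if c["id"] in seen:
            continue
        seen.add(c["id"])
        worst = max(worst, score_contract(c))
        stack.extend(by_buyer.get(c["supplier"], []))
    return worst


def assess(contracts: list, root: str, threshold: int = 10) -> dict:
    """Return the tier map, per-contract scores, tier-1 inherited exposure,
    contracts at or above the threshold, and contracts the walk never reached."""
    by_id = {c["id"]: c for c in contracts}
    tiers = map_tiers(contracts, root)
    scores = {cid: score_contract(by_id[cid]) for cid in tiers}
    tier1 = [cid for cid, t in tiers.items() if t == 1]
    return {
        "tiers": tiers,
        "scores": scores,
        "tier1_inherited_exposure": {cid: inherited_exposure(contracts, cid) for cid in tier1},
        "above_threshold": sorted(cid for cid, s in scores.items() if s >= threshold),
        "unmapped": sorted(c["id"] for c in contracts if c["id"] not in tiers),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(assess(CONTRACTS, "OurOrg"), indent=2))
```

In the constructed register the tier-1 contract with the network vendor scores low on its own terms, but its inherited exposure is driven by an unaccredited, unaudited chip fabricator two tiers down; that is the case the CPNI mapping step exists to expose, and the contract the organization can actually act on is the tier-1 one.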