3 principles to reinforce digital trust in supply chains


This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Georges de Moura, Head of Industry Solutions, Platform for Shaping the Future of Cybersecurity and Digital Trust, World Economic Forum & Christophe Blassiau, Senior Vice-President, Cybersecurity and Global CISO, Schneider-Electric


• Cyber-threats are increasing with the transformation of digital life in the wake of the pandemic.

• A risk-based approach is needed to safeguard the software and systems that underlie digital supply chains.

• The procurement process, third-party agreements and source code are areas of concern.

The ongoing digital transformation has opened up a whole new way of living and working. As deeper performance insights and new levels of connectivity allow businesses to reap the benefits of breakthrough technologies, the world is becoming faster, more flexible and more efficient. This shift is creating a global ecosystem where physical and digital things are increasingly connected, from critical infrastructure assets to people and data.

A study by Gartner finds that in 2019, 60% of organizations worked with more than 1,000 third parties, and those networks are only expected to grow. Other research by Deloitte shows that 40% of manufacturers had their operations affected by a cyber-incident during 2019. And in 2018, the average financial impact of a data breach in the manufacturing industry was $7.5 million.

Moreover, global technology supply chains are increasingly diverse and complex, resulting in changes in the overall risk for critical systems that support national defence, vital emergency services and critical infrastructure.

In December 2020, a global cyber-intrusion campaign was uncovered by a leading cybersecurity firm that compromised first the source code and then the updates of SolarWinds’ Orion Platform, a widely deployed IT management software product. The corrupted update was downloaded by thousands of SolarWinds customers, spanning US government agencies, critical infrastructure entities and private-sector organizations. Though this cyberattack may be unprecedented in scale and sophistication, it is consistent with a number of persistent trends in the use of supply chain vectors.

This incident further reinforced the threat to global digital supply chains and the strategic imperative for public and private sector stakeholders to ensure trust in the digital ecosystem. It is critical that the software that drives the digital ecosystem is both trusted and secured. By reducing the risks and protecting the digital economy, our society will be able to realize the digital dividends of the Fourth Industrial Revolution.

Possible risk-management approaches across the supply chain (Image: Schneider Electric)

The following core principles will contribute to a more secure and resilient supply chain and help move the needle on mitigating this complex and multifaceted challenge:

1. Embed security and privacy in the procurement process and life cycle

Having a mature third-party risk-management policy and practice will ensure cybersecurity and privacy are constantly considered and addressed with mature, consistent, repeatable and effective measures. These three precepts will embed them in every phase of the life cycle:

  • Cybersecurity and privacy are built-in requirements of the procurement processes from sourcing to off-boarding.
  • All procurement contracts shall stipulate and contain clear and precise clauses that enforce continual compliance with cybersecurity and privacy requirements.
  • Security and privacy obligations shall be continuously reviewed and optimized to keep up with the evolving threats.

2. Take a risk-based approach in assessments of third parties

A risk-based approach will help guide the third-party acceptance/rejection decision-making process, and will help efficiently and accurately mitigate the cybersecurity threats third parties pose to the broader ecosystem.

  • A risk-based approach improves the assessment of third parties’ security posture. By applying risk measurement and ratings tools and other trusted methodologies, organizations can better identify and rank third-party relationships by risk criticality.
  • It ensures an accurate appreciation of risk, helps establish the measures third parties must take to mitigate their risks before entering an agreement with an entity, and enables regular and/or continuous security performance monitoring.
  • It contributes to a collaborative and valuable outcome for an organization and its broader ecosystem.
  • It helps tailor mitigation plans and scale efforts and resources that ensure trustworthy, secure, privacy-protective and resilient products, systems and services. But it also helps third parties better understand gaps in their own security posture and, ultimately, demonstrate their cybersecurity maturity to their customers and stakeholders.

3. Implement a source code policy and secure-by-design development

Such a policy aims to reduce the risks around the development, management and distribution of software and software source code, which must go beyond defending intellectual property and address customer impact. It will help protect and strengthen trust in the digital ecosystem so businesses, governments and individuals can all have trust in, contribute to and benefit from the digital economy.

  • The policy should apply to all source code written by or on behalf of an organization and must ensure that any source code is not tampered with, does not contain any known unmitigated security vulnerabilities and carries a license that is compatible with the company’s other policies. It also prevents source code from being dynamically linked to third-party hosted source repositories. When third-party code is used as part of a software/firmware solution, the organization is responsible for change management as part of a secure development process.
  • The policy also controls and governs all aspects of how the source code is stored and transmitted, including, but not limited to, authorization and access, residency, protection at rest and protection in transit. Ensuring compliance with this policy will help reduce the threat of source code leakage, improve secure access and enable the traceability of any third-party code. Additionally, source-code development must include security and privacy in the design phase, and evidence of threat modelling must be documented.
  • The policy should be based on widely recognized frameworks such as the NIST framework to establish secure-by-design development practices, covering four areas:

1. Ensure that the organization’s people, processes and technology are prepared to perform secure software development at the organization level and, in some cases, for each individual project.

2. Protect all components of the product from tampering and unauthorized access.

3. Produce well-secured products that have minimal security vulnerabilities in their releases.

4. Identify vulnerabilities in product releases and respond appropriately to address them and prevent similar vulnerabilities from occurring in the future.
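As an added illustration (not code from the article, Schneider Electric or the WEF), the Python sketch below turns the source-code policy rules above into an automated check over a constructed component inventory: comparing vendored content against the hash recorded at vetting time (tampering), rejecting components linked to externally hosted repositories, enforcing a license allow-list, and reconciling known advisories against recorded mitigations. The component names, license set and advisory identifiers are all assumed.

```python
import hashlib
from dataclasses import dataclass, field

# Assumed company policy: licenses compatible with the organization's other policies.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


@dataclass
class Component:
    name: str
    version: str
    source: str               # vendored path, or a URL if dynamically linked (not allowed)
    expected_sha256: str      # hash recorded in the inventory when the code was vetted
    content: bytes            # constructed stand-in for the vendored source tree
    license: str
    mitigated_advisories: set = field(default_factory=set)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_component(c: Component, known_advisories: dict) -> list:
    """Return the policy violations for one component; an empty list means compliant."""
    findings = []
    # Tamper check: vendored bytes must still match the hash recorded at vetting time.
    if sha256_hex(c.content) != c.expected_sha256:
        findings.append("tampered: content hash differs from recorded hash")
    # Policy forbids dynamic links to third-party hosted repositories: code must be vendored.
    if c.source.startswith(("http://", "https://", "git+", "git://", "ssh://")):
        findings.append(f"dynamic link to external repository: {c.source}")
    # License must be on the allow-list.
    if c.license not in ALLOWED_LICENSES:
        findings.append(f"license not allowed: {c.license}")
    # Every known advisory for this exact version must have a recorded mitigation.
    for adv in known_advisories.get((c.name, c.version), []):
        if adv not in c.mitigated_advisories:
            findings.append(f"unmitigated advisory: {adv}")
    return findings


# Constructed sample data: hypothetical components and a hypothetical advisory id.
GOOD_SRC = b"def parse(line):\n    return line.strip()\n"
ADVISORIES = {("netlib", "2.1.0"): ["ADV-0001"]}
INVENTORY = [
    Component("parselib", "1.4.2", "third_party/parselib", sha256_hex(GOOD_SRC), GOOD_SRC, "MIT"),
    Component("netlib", "2.1.0", "https://example.invalid/netlib.git",
              sha256_hex(b"vetted"), b"vetted-but-modified", "GPL-3.0"),
]


def audit_inventory(inventory=INVENTORY, advisories=ADVISORIES) -> dict:
    """Map each component name to its list of findings (traceability of third-party code)."""
    return {c.name: check_component(c, advisories) for c in inventory}
```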

By regularly assessing the security posture of third parties, from early sourcing stages, to security due diligence and periodically throughout the duration of a collaborative relationship, an organization will be able to maintain trust with its customers and business partners across the supply and value chains.

What is the World Economic Forum doing on cybersecurity

The World Economic Forum’s Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. We are an independent and impartial global platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors. We bridge the gap between cybersecurity experts and decision makers at the highest levels to reinforce the importance of cybersecurity as a key strategic priority.

Our community has three key priorities:

Strengthening Global Cooperation – to increase global cooperation between public and private stakeholders to foster a collective response to cybercrime and address key security challenges posed by barriers to cooperation.

Understanding Future Networks and Technology – to identify cybersecurity challenges and opportunities posed by new technologies, and accelerate forward-looking solutions.

Building Cyber Resilience – to develop and amplify scalable solutions to accelerate the adoption of best practices and increase cyber resilience.

Initiatives include building a partnership to address the global cyber enforcement gap through improving the efficiency and effectiveness of public-private collaboration in cybercrime investigations; equipping business decision makers and cybersecurity leaders with the tools necessary to govern cyber risks, protect business assets and investments from the impact of cyber-attacks; and enhancing cyber resilience across key industry sectors such as electricity, aviation and oil & gas. We also promote mission aligned initiatives championed by our partner organizations.

The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace, which aims to ensure digital peace and security and encourages signatories to protect individuals and infrastructure, to protect intellectual property, to cooperate in defense, and to refrain from doing harm.


A common understanding and approach to existing and emerging threats will enable industry and government actors to implement appropriate countermeasures to mitigate supply chain security risks. In the fallout of the SolarWinds incident, it is crucial all stakeholders in the supply and value chains embrace a risk-informed cybersecurity approach to ensure a secure and resilient ecosystem.
