U.S.-China relations are frayed and show no signs of improving anytime soon. The interdependent global supply chain for technology is at risk. What can be done to stabilize the situation and seek common ground?
One step in the right direction would be to put a lid on “tech nationalism,” a term defined by the EastWest Institute (EWI) as a market-distorting preference for technology produced by companies headquartered domestically or in allied states.
The EWI report notes that tech nationalism in the telecommunications space erodes competition, leading to higher prices, reduced innovation and less resilient networks. Left unchecked, it can hinder the global development of information and communications technology (ICT) and reduce the attendant benefits that are, or will be, delivered by 5G-enabled technologies.
Importantly, the report provides a framework for mitigating telecommunications cyber risk. It provides a good starting point for making network technology more transparent and more secure. One of the key aspects of the framework is to leverage the power of market forces to drive suppliers to raise the bar on assurance and transparency, as a complement to regulation.
Here are three steps we can take to help make that happen:
First, reorient procurement processes to more effectively account for cyber risk. Companies that buy ICT products and services should gather expert input on cybersecurity best practices (from government authorities, industry associations, public-private information-sharing organizations and other private-sector experts) to strengthen the risk components of their procurement requirements and better assess and address supply chain risk. In collaboration with their industry peers, they should then incorporate those practices into their procurement processes to get maximum leverage from their purchasing power. Linking assurance and transparency more directly to sales increases the incentive for suppliers of ICT products and services to raise the bar on both.
Companies and organizations in the same basic industry sector can lead this effort with support from the government; in Europe, ENISA, the European Network Information Security Agency, can play an important role. In the U.S., the FCC Advisory Group CSRIC (Communications Security, Reliability and Interoperability Council) is well-positioned to build on its work in recent years regarding telecommunications risk and play a major role.
Second, urge ICT buyers to call on vendors, mobile operators and other stakeholders to create momentum toward developing minimum industry best practices for assurance and transparency for telecom equipment suppliers. Self-attestation by vendors and product testing by buyers, two of the more common methodologies used today, provide some measure of assurance. But if all major telecom equipment vendors could be called on to develop and follow a minimum set of such requirements for that industry sector, this could encourage more open competition among suppliers to increase assurance and transparency, while opening up a clearer path for buyers of ICT to include such requirements in the contracts they sign with their suppliers. This would create a much greater degree of transparency than what currently exists.
Governments can influence such requirements in their capacity as regulators. For example, the U.S. Department of Defense is rolling out a Cybersecurity Maturity Model Certification (CMMC) that will require ICT providers and their suppliers “to enhance the protection of controlled unclassified information (CUI) within the supply chain” and “reduce risk against a specific set of cyber threats.”
Additional documentation from suppliers could include a software bill of materials (sBOM). An sBOM lists all of the open-source, third-party, and proprietary components in a hardware or software product, providing greater visibility into the numerous components that go into such products. Sharing this data would allow ICT buyers to more easily pinpoint vulnerabilities and work with suppliers to mitigate them. An sBOM would also make it easier to trace an affected component back to its supplier. Along with private industry, the U.S. National Telecommunications and Information Administration (NTIA, part of the U.S. Department of Commerce) is coordinating an initiative to develop best practices leveraging the sBOM concept as part of the NTIA Software Component Transparency initiative.
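To show how a shared sBOM lets a buyer pinpoint vulnerable components and trace them to a supplier, here is an added example (not code from the article or from NTIA) that cross-references a constructed CycloneDX-style SBOM against a constructed advisory feed; every product, component, supplier and advisory identifier in it is hypothetical.

```python
import json

# Constructed, minimal CycloneDX-style SBOM for a hypothetical product;
# component names, versions and suppliers are made up for this example.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"name": "example-basestation-fw", "version": "3.1.0"}},
  "components": [
    {"type": "library", "name": "tls-lib", "version": "1.4.2",
     "supplier": {"name": "Example Crypto Foundation"}},
    {"type": "library", "name": "compression-lib", "version": "2.0.1",
     "supplier": {"name": "Example OSS Maintainers"}},
    {"type": "library", "name": "rtp-stack", "version": "3.2.0",
     "supplier": {"name": "Example Vendor Ltd"}}
  ]
}"""

# Constructed advisory feed: id -> (component, first affected, first fixed).
# The affected range is [introduced, fixed); versions are dotted integers.
ADVISORIES = {
    "EXAMPLE-ADV-0001": ("tls-lib", "1.4.0", "1.4.5"),
    "EXAMPLE-ADV-0002": ("compression-lib", "1.9.0", "2.0.0"),
    "EXAMPLE-ADV-0003": ("rtp-stack", "3.0.0", "3.3.0"),
}

def parse_version(v):
    """Turn '1.4.2' into (1, 4, 2) so version ranges compare numerically."""
    return tuple(int(part) for part in v.split("."))

def find_affected(sbom_json, advisories):
    """Return one finding per (advisory, component) hit, with the supplier name
    so the buyer can trace an affected component back to its source."""
    sbom = json.loads(sbom_json)
    product = sbom["metadata"]["component"]
    findings = []
    for comp in sbom.get("components", []):
        version = parse_version(comp["version"])
        for adv_id, (name, introduced, fixed) in advisories.items():
            if comp["name"] != name:
                continue
            if parse_version(introduced) <= version < parse_version(fixed):
                findings.append({
                    "advisory": adv_id,
                    "product": f"{product['name']} {product['version']}",
                    "component": f"{comp['name']} {comp['version']}",
                    "supplier": comp.get("supplier", {}).get("name", "unknown"),
                })
    return findings
```

Calling find_affected(SBOM_JSON, ADVISORIES) flags tls-lib and rtp-stack (compression-lib already carries the fixed version), each finding naming the supplier to contact for remediation.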
Third, we can launch an assurance and transparency initiative led by the world’s major telecom equipment makers — an idea quite similar to one I have been thinking about for a long time.
Led by the buyers of ICT and other stakeholders, the initiative could involve a call to action to the world’s major manufacturers of telecommunications equipment for greater assurance and transparency. The conveners, perhaps led by a trusted independent organization such as the Center for Internet Security, could ask the equipment manufacturers to hold in-depth consultations with cybersecurity experts from the government and the private sector. These meetings could let the experts ask probing questions of the equipment vendors about what they are doing to provide product assurance and address supply chain risk, and what methods they are using to provide transparency about their practices. The talks could also provide insight into how products are being engineered to minimize vulnerabilities and what is being done to make software engineering processes consistent with best practices.
The initiative could build on concepts underlying the high-assurance requirements for hardware and software in the DoD Trusted Foundry Program, which enables the independent expert review of private company processes and technologies. U.S. technical experts could be invited to visit equipment makers’ factories and other facilities to observe the conditions around the manufacturing and assembly of key components, evaluate the quality of software engineering and supply chain risk management, and make recommendations on how to provide greater assurance and inject more transparency into the life cycle of the products, including perhaps a role for third-party technology within a company’s facilities. Recognized regional testing centers could contribute substantially to raising assurance in risk environments that do not need the highest level of assurance necessary for products that are made in trusted foundries.
Implemented consistently, the steps outlined above could remove the need for protectionist measures and start to overcome the trust gap between technology buyers, vendors and operators—and their respective governments. The issues are important enough to be worth discussing.