Supply Chain Security - What next for the UK
Supply chain attacks have once again been making the headlines, with recent large scale attacks impacting organisations of all sizes and in all geographies. However, these are not new developments. Security professionals have been warning about the risks to ICT supply chains for years, drawing attention to the risks that supply chain vulnerabilities can pose to organisations. And despite the headlines and the warnings from security professionals, organisations are still not evaluating the risks effectively. According to the Government’s Cyber Security Breaches Survey 2021 published in March, the majority of organisations have not reviewed the risks posed by their immediate suppliers or their wider supply chain – in fact on average only 12% of businesses monitor immediate supplier risks. This is a poor statistic given the potential consequences.
Organisations need to take the risks seriously, however as the Government’s breaches survey suggests, they simply do not know what questions to ask suppliers or what good looks like with regards to their suppliers’ cybersecurity. Government and industry need to help promote better supply chain security practices, which is precisely what we have been doing. Our approach to product integrity was highlighted by the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) case study in February 2020, which outlined how Palo Alto Networks uses end-to-end risk management as an example of best practice for supply chain management.
The case study identified several best practices that collectively contribute to the overall supply chain security efforts of Palo Alto Networks. Among them:
An organisational focus on end-to-end risk management. We identify supply chain risks across our entire product lifecycle – design, sourcing, manufacturing, fulfilment and service – and take proactive action to ensure the integrity of our products. Risk assessments are performed early in the product development lifecycle to help determine the feasibility of product design decisions.
Strong supplier management, focused on security requirements as well as establishing collaborative relationships to ensure a complete view of suppliers’ security posture.
Hardware manufacturing and order fulfillment processes that enable us to more easily manage personnel, facility and product security. In fact, we regularly consider geopolitical implications when making decisions to forgo suppliers and manufacturing locations, because it’s simply the right decision for product security.
Active engagement in public-private partnerships designed to increase collaboration between public and private sector organisations and make recommendations for enhancing supply chain security.
Finally, overlaying these practices is executive management buy-in. Supply chain risk management is a team sport spanning operations, product management and other corporate functions. Strong coordination is critical to our success.
In addition to the best practices outlined above, it is important that organisations take steps to control access to their source code and steps to protect the code itself. Dynamic code analysis should be integrated into the development lifecycle to detect any vulnerabilities, and protection should extend to new developer techniques like application containers and infrastructure-as-code.
Governments should support best practices such as these and help organisations to understand the steps they need to take to secure their supply chains. They should also look to incentivise companies that make risk-based decisions to maintain product integrity – such as through qualified procurement preferences. To this end, we welcome that the Department for Digital, Culture, Media & Sports (DCMS) will soon be launching a Call for Views on Supply Chain Cyber Security to better understand what good supply chain cyber risk management looks like. This will inform how the Government can support industry to improve supply chain security practices. We believe responsible companies have a duty to keep secure supply chains and that governments should promote the adoption of best practices like these to foster a resilient ICT ecosystem.