Group aims to help secure the technology supply chain
Targeted threats underscore importance of protecting infrastrucure
A working group of government, commercial and academic organizations has
been formed to identify and promote best practices for securing the
global technology supply chain from malicious activity.
The Trusted Technology Forum is a product of the Acquisition
Cybersecurity Initiative sponsored by the Defense Department and
supported by the Open Group, an industry open standards body, to help
define trustworthy acquisition policies and practices.
“We’ve defined a Trusted Technology Provider Framework based on
existing open standards and best practices,” said Andras Szakal,
distinguished engineer at IBM and an Open Group board member. One of the
requirements of the framework is that it be “grounded in reality” and
based on practices already in use by organizations with mature supply
chain security programs, he said.
Supply chain security expands in unclassified community
Software supply chain security is target of industry group best practices
An initial version of the framework has been developed but not
released. The forum’s first product is expected to be a white paper
based on the framework outlining current best practices.
The forum has defined supply a supply chain threat or attack as the
subversion of hardware or software prior to delivery in order to put in a
vulnerability for later exploit.
Technology supply chain security is emerging as an area of concern as
cyber threats become more targeted and sophisticated. Although random
attacks exploiting flaws in software remain a major cybersecurity risk,
stealthy and advanced attacks targeting high-value resources and systems
are becoming more common – or at least now are being discovered.
Several high-profile examples, including the Google Aurora breach
reported early this year and the Stuxnet worm targeting industrial
control systems, exploit zero-day software vulnerabilities that were not
known of before the exploits were discovered. The next step in this
escalation of exploits is the intentional introduction of
vulnerabilities in software and hardware products by insiders in the
The Homeland Security Department, which is charged with overseeing
the security of the nation’s critical infrastructure, has identified 18
Critical Infrastructure and Key Resources (CIKR) sectors that are vital
to the nation’s security and economy:
- Agriculture and food.
- Defense industrial base.
- Health care and public health.
- National monuments and icons.
- Banking and finance
- Designated commercial facilities.
- Critical manufacturing.
- Emergency services.
- Nuclear reactors, materials and waste.
- Information technology.
- Postal and shipping.
- Transportation systems.
- Government facilities.
A recent study by the Enterprise Strategy Group, sponsored by
Hewlett-Packard and Microsoft, two of the forum’s founding members,
concluded that there is a lot of room for improvement by the industries
operating the nation’s critical infrastructure in ensuring that their
supply chains are reliable. “Few organizations are doing thorough due
diligence on their IT vendors’ security, so CIKR firms may be buying
hardware and software with security vulnerabilities ‘baked-in,’” the
“Many critical infrastructure organizations are employing some types
of secure software development programs, but these are often instituted
haphazardly. Finally, CIKR companies are sharing IT systems with
business partner employees and systems, but most lack formal cyber
supply chain governance and oversight. As a result, secure CIKR
organizations are increasing their security risks through electronic
business processes with insecure partners.”
The study described software assurance as a work in progress.
Although many CIKR firms studied by ESG have developer training,
software testing and other safeguard programs, they are not mature or
Another weakness in software assurance is that development training
and software testing focus on vulnerabilities created by errors in
software rather than on intentional flaws that can be carefully crafted
The Acquisition Cybersecurity Initiative began in 2008 to identify
existing best practices to ensure trusted development, manufacture,
delivery and operation of commercial technology products. This would
benefit technology buyers by establishing a mechanism for acquiring
trusted products and would help trusted suppliers by providing a market
A framework defining the characteristics of trustworthy development
could allow streamlining of current overlapping certification and
Although the initial framework has been developed, “there is a lot to
do,” said Josh Brickman, director of program management for CA
Technologies. Standards embodying some of the best practices need to be
developed and conformance metrics are needed identify proper
implementation of standards by vendors.
“We also want to establish an accreditation program for vendors” so
that procurement agencies can have a list of trusted vendors to purchase
from, Brickman said.
Founding members of the Trusted Technology Forum are the Office of
the Under Secretary of Defense for Acquisition, Technology, &
Logistics; NASA; the Carnegie Mellon Software Engineering Institute;
MITRE Corp.; CA Technologies; Cisco Systems; Hewlett-Packard; IBM,
Kingdee International Software Group; Microsoft and Oracle.