Last week the White House released its National Strategy for Global Supply Chain Security fact sheet. I found this to be a very important step forward in addressing one of the most complex challenges facing the United States, as well as, governments around the world. The strategy identifies twin goals that are intended to promote efficient and secure movement of goods and to foster a resilient supply chain. While this strategy is not specifically focused on managing the risk related to the information and communications technology supply chain, there are important elements here that guide future policy decisions. The first goal is to promote the timely and efficient flow of legitimate commerce while protecting and securing the supply chain from exploitation and reducing its vulnerability to disruption. The second goal is to foster a global supply chain system that is prepared for and can withstand evolving threats and hazards and that can recover rapidly from disruptions. The Strategy includes these guiding principles:
· To Galvanize Action – Integrate and spur efforts across the United States Government, as well as with State, local, tribal and territorial governments, the private sector, and the international community.
· To Manage Supply Chain Risk – Identify, assess, and prioritize efforts to manage risk by utilizing layered defenses and adapting its security posture according to the changing security and operational environment.
At Microsoft, we welcome the opportunity to provide input on advancing supply chain risk management practices, particularly as it relates to Information and Communications Technology. Like land, sea and air – protecting the cyber supply chain is a topic that is important to governments around the world and one for which we outlined a set of key principles in our blog on Cyber Supply Chain Risk Management: Toward a Global Vision of Transparency and Trust. Those principles must be risk based, transparent, flexible and reciprocal:
· Risk-based– To be effective, supply chain efforts cannot be rooted in simplistic presumptions of untrustworthiness based on national origin or some other identifiable factor. Rather, the complexity of components and sourcing for ICT products requires that supply chain risk be managed regardless of where the product is designed, developed, deployed, operated, or maintained, and preferably utilizing collaboratively developed standards.
· Transparent– Supply chain risk management frameworks must also promote transparency by all parties. In particular, vendors must recognize that adequately addressing governments’ concerns will require some degree of transparency into their business processes and supply chain security controls.
· Flexible– Frameworks for addressing supply chain risk must recognize that governments face unique threats, vendors have different business models and market challenges, and threat models may need to change rapidly to respond to changes in technology.
· Reciprocal–Just as trade relationships are based upon the idea that opening markets in reciprocal ways can create trading opportunities between participating countries, it must be recognized that closing markets based upon supply chain concerns will lead to similar “reciprocal” behaviors, potentially balkanizing the Internet and denying people everywhere the benefit of the highly innovative low-cost products that only a global supply chain can produce. The collaborative development of international standards, reciprocal by their very nature, will serve to reduce government concerns about the security of the supply chain, and provide less incentive to the enactment of trade barriers in the name of national security.
Over the next several months, we look forward to working with the government agencies to refine our common understanding of global supply chain threats and risks – not just across air, land, and sea but also in cyberspace — and seeking pathways for global standards around supply chain security in a way that is commercially reasonable and respects intellectual property.