The Internet, personal computers, smartphones, software, and online services play a significant role in our lives. These technologies are among the most important components that make up Information and Communications Technology (ICT) systems. Today governments and their citizens around the world rely on ICT systems to an unprecedented degree. As a consequence, governments are devoting increasing attention to risks that can threaten the security and reliability of these systems, including risks to the supply chains that deliver such systems.
In particular, governments have become increasingly apprehensive about the possibility that a sophisticated, hostile actor could manipulate or sabotage these systems during their design, development or delivery in order to undermine or disrupt government functions. At Microsoft, we recognize the importance of cyber supply chain risk management. Scott Charney, Microsoft’s corporate vice president of Trustworthy Computing, recently delivered a keynote address on this topic at the East-West Institute’s Second Worldwide Cybersecurity Summit in London. He spoke on cyber threats to ICT supply chains, and gave an overview of how certain governments around the world are responding (see figure below). Scott also profiled Microsoft’s practices to ensure supply chain integrity, including Microsoft’s Security Development Lifecycle (SDL).
[Figure: Global Technology Supply Chain infographic]
Today we are publishing two white papers that expand on the principles Scott outlined in his keynote. The first paper outlines the nature of ICT supply chain risk and presents a case for a collaborative framework, rooted in a set of core principles that both address supply chain integrity concerns, and preserve the fruits of global free trade. The second paper develops in greater detail the methodology Microsoft uses to analyze and manage supply chain risks for our own products and services in order to maintain and improve the integrity of our software, and suggests an approach that other organizations may find useful.
The first white paper, "Cyber Supply Chain Risk Management: Toward a Global Vision of Transparency and Trust," presents a set of key principles to enable governments and vendors to manage supply chain risk more effectively, and articulates the need for broad agreement on the following four guiding principles:
· Risk-based – To be effective, supply chain efforts cannot be rooted in simplistic presumptions of untrustworthiness based on national origin or some other identifiable factor. Rather, the complexity of components and sourcing for ICT products requires that supply chain risk be managed regardless of where the product is designed, developed, deployed, operated, or maintained, and preferably utilizing collaboratively developed standards.
· Transparent – Supply chain risk management frameworks must also promote transparency by all parties. In particular, vendors must recognize that adequately addressing governments’ concerns will require some degree of transparency into their business processes and supply chain security controls.
· Flexible – Frameworks for addressing supply chain risk must recognize that governments face unique threats, vendors have different business models and market challenges, and threat models may need to change rapidly to respond to changes in technology.
· Reciprocity – Just as trade relationships are based upon the idea that opening markets in reciprocal ways can create trading opportunities between participating countries, it must be recognized that closing markets based upon supply chain concerns will lead to similar “reciprocal” behaviors, potentially balkanizing the Internet and denying people everywhere the benefit of the highly innovative, low-cost products that only a global supply chain can produce. The collaborative development of international standards, reciprocal by their very nature, will serve to reduce government concerns about the security of the supply chain, and provide less incentive for the enactment of trade barriers in the name of national security.
The second paper, "Toward A Trusted Supply Chain: A Risk-Based Approach to Managing Software Integrity," provides a framework for the pragmatic assessment of Software Integrity risk management practices in the product development process and online services operations. Managing supply chain risk is not a new concept to Microsoft, and the paper outlines our thinking and the practices we have developed inside Microsoft. It describes these practices in the form of a series of discrete, non-proprietary steps an organization can take to identify a reasonable, risk-based approach to managing Software Integrity risks.
Software Integrity is a program within Microsoft that is designed to address the risk of intentional tampering with our products or services. The paper discusses a Risk Assessment Methodology (which we refer to in the paper as an “Assessment”) that is used to identify and manage risks during software development, release, and operations. The paper then goes on to describe two approaches to conducting an Assessment – “Standards Correlation” and “Business Process Modeling.” The Standards Correlation approach identifies and builds on relevant, mature standards that may provide controls and practices that serve to mitigate Software Integrity threats. This approach may be preferable (where relevant, mature standards exist) because it tends to be less resource intensive, especially where the organization already conducts relevant standards compliance work that could also be used to address Software Integrity threats. The Business Process Modeling approach, on the other hand, involves the development of a detailed, documented representation of the organization’s process flow. This approach may be preferable where the goal of the Assessment is to identify not only threats and process weaknesses, but also potential process improvements. The paper concludes with a summary of some of the specific controls that Microsoft has found useful for managing Software Integrity risks.
Software development organizations can leverage Microsoft’s experience and use the paper as a guide for assessing Software Integrity risks and implementing commercially reasonable controls in a way that is appropriate for that organization based on its resources and business practices. The Assessment methodology is designed to analyze and devise ways to improve software security and trustworthiness across the people, processes, and technologies that make up any supply chain. Applying it produces distinct benefits such as increased accountability and transparency, which translate into lower risk for both the organization and the software user.