Organisations and their partners need to do more to address security in the supply chain, according to a new report from Huawei.
The Chinese telecoms and networking giant released the report to coincide with the Information Security Forum (ISF), currently being held in Berlin. Huawei said that too many companies were only focusing on internal policies and vulnerabilities, rather than the supply chain threat landscape.
“At present, organizations are less likely to think about risk from suppliers and third-party providers and more likely to think of risk from the perspective of a user or operator of a network or ICT system,” the report stated.
The fear is, according to Huawei, that hostile actors might insert malicious functions or counterfeit elements or components into the global ICT supply chain, which could later be used to disrupt or degrade systems.
“This presents a challenge for governments and businesses which, at a minimum, require recognition that supply chain risk is a shared problem that necessitates cooperation among stakeholders to find solutions founded on standards and best practices and work to implement them,” the report continued.
Huawei pointed to a number of initiatives and standards designed to promote supply-chain best practices. These included the Software Assurance Forum for Excellence in Code (SAFECode), a global, industry-led non-profit, as well as the Open Trusted Technology Provider Standard, designed to help organizations address risks related to supply chain security, third-party providers, and product integrity.
Ultimately, Huawei said that in order to minimise supply-chain risk, there needed to be a greater emphasis placed on industry-wide collaboration.
“We need to work collaboratively to make the buyers of ICT more informed about what they should consider using as security requirements for their purchasing, make them more consistent in the use of such requirements, and make them more organized in working with like-minded buyers to strengthen and leverage their purchasing power to drive the availability and use of more secure ICT products and services, as well as to facilitate accountability for those who fall short,” concluded the report.