IT manufacturers fight cyber espionage risks in the supply chain

Technology companies are collaborating to secure their supply chains from cyber spies and hackers

Technology companies are backing an initiative to reduce the risk of hackers or state-sponsored spies secreting spyware in IT systems sold to government and big business.

Microsoft, HP, Juniper Networks and Cisco are among the companies backing the programme to protect commercial hardware and software from illegal tampering.

The move follows concerns from the US and UK governments that public sector organisations are at greater risk from cyber attacks as they move increasingly from developing their own IT systems to buying commercially available technology.

“There is a degree of concern that someone could tamper with a product, that individual or nation state espionage could occur, or that the network a product is embodied in could be controlled in some fashion,” Edna Conway, chief security strategist at network equipment manufacturer Cisco, told Computer Weekly.

The project, which is being coordinated by industry standards body The Open Group, also aims to reduce the risk that counterfeit components could find their way into commercial off-the-shelf IT systems used by governments and large businesses.

“The ramifications [of a counterfeit component failing] could be anything from a nuclear reactor to a financial trading desk going down,” said Conway.

The group this week published its Open Trusted Technology Provider Standard (O-TTPS), which it describes as the first standard to help organisations secure their global supply chain against increasingly sophisticated cyber security attacks.

It will be followed with an accreditation scheme for IT suppliers that can demonstrate their supply chains and production processes are secure.

Manufacturers will be expected to show that they follow best practice in developing technology securely, in identifying potential security vulnerabilities in their products, and in managing the risks introduced by their own suppliers.

Sally Long, director of the Open Group’s Trusted Technology Forum, told Computer Weekly that there have already been cases of malicious code and counterfeit components finding their way into government systems.

“That is why governments, not just in the US, but around the world, want to protect supply chains,” she said. “And they want to make sure it does not happen again.”

The Open Group plans to start a pilot programme with independent laboratories capable of assessing the security of IT products, with a view to starting the accreditation programme at the end of 2013.

“There will be a pervasive raising of the bar for security consciousness and degree of technology and process security across the supply chain,” said Conway.

The project began in 2010, after the US government approached technology suppliers to encourage them to share best practice in securing the supply chain.

Although kick-started by government, businesses that work in sensitive markets, such as financial services and pharmaceuticals, are also expected to support the accreditation scheme.

“With the increasing sophistication of cyber attacks worldwide, technology buyers at large enterprises and government agencies need guarantees that the products they source come from trusted suppliers,” said David Lounsbury, chief technology officer at The Open Group.
