Digital supply chain security refers to efforts to enhance

cyber security Computer security (also cybersecurity, digital security, or information technology (IT) security) is a subdiscipline within the field of information security. It consists of the protection of computer software, systems and networks from thr ...

within the

supply chain A supply chain is a complex logistics system that consists of facilities that convert raw materials into finished products and distribute them to end consumers or end customers, while supply chain management deals with the flow of goods in distri ...

. It is a subset of

supply chain security __NOTOC__ Supply chain security (also "supply-chain security") activities aim to enhance the security of the supply chain or value chain, the transport and logistics systems for the world's cargo and to "facilitate legitimate trade".Government ...

and is focused on the management of

requirements for information technology systems,

software Software consists of computer programs that instruct the Execution (computing), execution of a computer. Software also includes design documents and specifications. The history of software is closely tied to the development of digital comput ...

and

networks Network, networking and networked may refer to: Science and technology * Network theory, the study of graphs as a representation of relations between discrete objects * Network science, an academic field that studies complex networks Mathematics ...

, which are driven by threats such as

cyber-terrorism Cyberterrorism is the use of the Internet to conduct violent acts that result in, or threaten, the loss of life or significant bodily harm, in order to achieve political or ideological gains through threat or intimidation. Emerging alongside t ...

malware Malware (a portmanteau of ''malicious software'')Tahir, R. (2018)A study on malware and malware detection techniques . ''International Journal of Education and Management Engineering'', ''8''(2), 20. is any software intentionally designed to caus ...

data theft Data theft is the unauthorized duplication or deletion of an organization's electronic information. Data theft is a growing phenomenon primarily caused by system administrators and office workers with access to technology such as database server ...

and the

advanced persistent threat An advanced persistent threat (APT) is a stealthy threat actor, typically a State (polity), state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the ...

(APT). Typical supply chain cyber security activities for minimizing risks include buying only from trusted vendors, disconnecting critical machines from outside networks, and educating users on the threats and protective measures they can take. The acting deputy undersecretary for the National Protection and Programs Directorate for the

United States Department of Homeland Security The United States Department of Homeland Security (DHS) is the U.S. United States federal executive departments, federal executive department responsible for public security, roughly comparable to the Interior minister, interior, Home Secretary ...

, Greg Schaffer, stated at a hearing that he is aware that there are instances where malware has been found on imported electronic and computer devices sold within the United States.

Examples of supply chain cyber security threats

*Network or computer hardware that is delivered with malware installed on it already. *

Malware Malware (a portmanteau of ''malicious software'')Tahir, R. (2018)A study on malware and malware detection techniques . ''International Journal of Education and Management Engineering'', ''8''(2), 20. is any software intentionally designed to caus ...

that is inserted into software or hardware (by various means) * Vulnerabilities in software applications and networks within the

that are discovered by malicious

hackers A hacker is a person skilled in information technology who achieves goals and solves problems by non-standard means. The term has become associated in popular culture with a security hackersomeone with knowledge of bugs or exploits to break ...

* Counterfeit computer hardware

Related U.S. government efforts

Comprehensive National Cyber Initiative
* Defense Procurement Regulations: Noted in section 806 of the

National Defense Authorization Act The National Defense Authorization Act (NDAA) is any of a series of United States federal laws specifying the annual budget and expenditures of the U.S. Department of Defense. The first NDAA was passed in 1961. The U.S. Congress oversees the de ...

International Strategy for Cyberspace
White House lays out for the first time the U.S.’s vision for a secure and open Internet. The strategy outlines three main themes: diplomacy, development and defense. :* ''Diplomacy'': The strategy sets out to “promote an open, interoperable, secure and reliable information and communication infrastructure” by establishing norms of acceptable state behavior built through consensus among nations. :* ''Development'': Through this strategy the government seeks to “facilitate cybersecurity capacity-building abroad, bilaterally and through multilateral organizations.” The objective is to protect the global IT infrastructure and to build closer international partnerships to sustain open and secure networks. :* ''Defense'': The strategy calls out that the government “will ensure that the risks associated with attacking or exploiting our networks vastly outweigh the potential benefits” and calls for all nations to investigate, apprehend and prosecute criminals and non-state actors who intrude and disrupt network systems.

Related government efforts around the world

Common Criteria The Common Criteria for Information Technology Security Evaluation (referred to as Common Criteria or CC) is an international standard (International Organization for Standardization, ISO/International Electrotechnical Commission, IEC 15408) for co ...

offers with

Evaluation Assurance Level The Evaluation Assurance Level (EAL1 through EAL7) of an IT product or system is a numerical grade assigned following the completion of a Common Criteria security evaluation, an international standard in effect since 1999. The increasing assurance ...

(EAL) 4 an opportunity to evaluate all relevant aspects of the digital supply chain security like the product, the development environment, IT systems security, the processes in human resource, physical security and with the module ALC_FLR.3 (Systematic Flaw Remediation) also security update processes and methods even by physical site visits. EAL 4 is mutually recognized in countries that signed the SOGIS-MRA and up to ELA 2 in countries the signed the CCRA but including ALC_FRL.3. * Russia: Russia has had non-disclosed functionality certification requirements for several years and has recently initiated the National Software Platform effort based on open-source software. This reflects the apparent desire for national autonomy, reducing dependence on foreign suppliers. * India: Recognition of supply chain risk in its draft National Cybersecurity Strategy. Rather than targeting specific products for exclusion, it is considering Indigenous Innovation policies, giving preferences to domestic ITC suppliers in order to create a robust, globally competitive national presence in the sector. * China: Deriving from goals in the 11th Five Year Plan (2006–2010), China introduced and pursued a mix of security-focused and aggressive Indigenous Innovation policies. China is requiring an indigenous innovation product catalog be used for its government procurement and implementing a Multi-level Protection Scheme (MLPS) which requires (among other things) product developers and manufacturers to be Chinese citizens or legal persons, and product core technology and key components must have independent Chinese or indigenous intellectual property rights.

Private sector efforts

SLSA (Supply-chain Levels for Software Artifacts)
is an end-to-end framework for ensuring the integrity of software artifacts throughout the software supply chain. The requirements are inspired by Google’s internal
Binary Authorization for Borg
that has been in use for the past 8+ years and that is mandatory for all of Google's production workloads. The goal of SLSA is to improve the state of the industry, particularly open source, to defend against the most pressing integrity threats. With SLSA, consumers can make informed choices about the security posture of the software they consume.

Other references

Financial Sector Information Sharing and Analysis Center

International Strategy for Cyberspace
(from the White House)
NSTIC

SafeCode Whitepaper

Trusted Technology Forum and the Open Trusted Technology Provider Standard (O-TTPS)

Cyber Supply Chain Security Solution

Malware Implants in Firmware

Supply Chain in the Software Era

INFORMATION AND COMMUNICATIONS TECHNOLOGY SUPPLY CHAIN RISK MANAGEMENT TASK FORCE: INTERIM REPORT

References

{{DEFAULTSORT:Supply Chain Cyber Security Supply chain management Computer security