June 29, 2022
Head of Supply Chain Security, Checkmarx
Executive Assistant Director, Cybersecurity Division, Cybersecurity and Infrastructure Security Agency
Deputy Director Government Cyber Resilience, National Cyber Security Centre
Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
Christopher D. Roberti
Senior Vice President for Cyber, Space, and National Security Policy, U.S. Chamber of Commerce
Senior Vice President of Cybersecurity, USTelecom
Between the rapid advancement of technology and the worldwide disruptions caused by the COVID-19 pandemic, the ICT supply chain ecosystem has proven to be highly vulnerable. The number of cybersecurity attacks has increased over the past few years, and experts are searching for ways to halt this trend before it accelerates further.
During Cyber Week 2022, a conference entitled Securing the ICT Supply Chain from Cybersecurity Threats was held at Tel Aviv University. Government and industry leaders from Israel, the U.S., and other global markets gathered to discuss how the public and private sectors can work together to strengthen supply chains and mitigate cyber risks.
Acknowledging Weak Points and Strengthening Software for the ICT Supply Chain
Tzachi Zornstain, the head of Supply Chain Security at Checkmarx, defined the software supply chain and underscored the problems affecting the current ICT supply chain.
"The [ICT] supply chain is the same parallels as the traditional supply chain," Zornstain explained. "When you look at the traditional supply chain, there is no one weak point that we need to secure. It's a process, and we need to secure the entire process."
He explained how the supply chain could be attacked at any level, meaning each area must be independently secured.
"There is no single point of failure that we need to fix," Zornstain said. "An attacker can attack us at a developer level, at the build level — as we saw with SolarWinds — in open source packages. … So a lot of times, when you have a lot of different attack vectors, we need to prioritize."
Developing Trust in Supply Chain Software and Hardware
Thousands of open-source packages are created each day, which leaves the ICT supply chain vulnerable to cybersecurity threats. Eric Goldstein, the executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), believes mitigating the risks requires prioritization.
"We need to prioritize and take that risk-based prioritization," Goldstein said.
"Taking that same sort of risk-based prioritization and then putting controls and measures in place, starting with the most critical, is really the only way that we're gonna make significant progress to that end," said Ian McCormack, the deputy director of government cyber resilience at the National Cyber Security Centre.
The Threats of Dependencies in the ICT Supply Chain
Drawing on how microservices pass data between one another, Tim Mackey, the principal security strategist at Synopsys CyRC (Cybersecurity Research Center), described the scale at which companies rely on dependencies for their applications.
"In some research that we published earlier this year, looking at about 2,400 commercial applications, the average number of dependencies in this — effectively, the average number of suppliers in those 2,400 commercial applications — was 508," Mackey said. "Those are scale problems. Solving for this across the multitude of applications in an organization — that's a scale problem."
He continued, "One of the things that we're advocating for is an understanding of where you have managed and unmanaged risk within the vendor relationship."
Strategically Approaching Supply Chain Cybersecurity Challenges
In the final portion of the event, a group of panelists took a deep dive into the impact the ICT supply chain has had on businesses.
"Even though over 90% of global companies… create a great role in our supply chains and manufacturing, they do not have the resources to invest in cybersecurity," Mihoko Matsubara, the chief cybersecurity strategist for NTT Corporation, Tokyo, said. "This is a huge problem, especially during COVID, because they have less money to invest in manpower and cybersecurity solutions."
To counter these significant supply chain threats, Eric Tamarkin, the director and senior public policy counsel for Samsung Electronics America, discussed national and international policies and programs in place to help organizations.
"From a Samsung perspective… we're collaborating with the industry to develop and implement cybersecurity standards and best practices," Tamarkin said. "We're also adhering to a security development life cycle, as well as our Knox security principles — including securing hardware root of trust — so that when we sell our devices to our customers, we empower them with cybersecurity so that we enhance the security and supply chain security of the entire ecosystem."