Securing ICT Supply Chains from Cybersecurity Threats

During Cyber Week 2022, global experts gathered at Tel Aviv University to discuss ICT supply chain security, resilience, and integrity and how to mitigate cyber risks.

Air Date: June 29, 2022

Moderators: Christopher D. Roberti, Senior Vice President for Cyber, Intelligence, and Supply Chain Security Policy, U.S. Chamber of Commerce; Robert Mayer, Senior Vice President of Cybersecurity, USTelecom

Featured Guests: Tzachi Zornstain, Head of Supply Chain Security, Checkmarx, Eric Goldstein, Executive Assistant Director, Cybersecurity Division, Cybersecurity and Infrastructure Security Agency, Ian McCormack, Deputy Director Government Cyber Resilience, National Cyber Security Centre, Tim Mackey, Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center), Kathryn Condello, Sr. Director, National Security / Emergency Preparedness, Lumen Technologies, Eric Tamarkin, Director and Senior Public Policy Counsel, Samsung Electronics America, Inc., Yuval Sinay, Head, Active Cyber Defense (ACD) Department, Mihoko Matsubara, Chief Cybersecurity Strategist, NTT Corporation, Tokyo, Joyce Corell, Senior Technology Advisor, Office of the National Cyber Director

Between rapid technological change and the worldwide disruptions caused by the COVID-19 pandemic, the ICT supply chain ecosystem has proven to be highly vulnerable. The number of cybersecurity attacks has risen over the past few years, and experts are searching for ways to halt that trend before it accelerates further.

During Cyber Week 2022, a conference entitled Securing the ICT Supply Chain from Cybersecurity Threats was held at Tel Aviv University. Government and industry leaders from Israel, the U.S., and other global markets gathered to discuss how the public and private sectors can work together to strengthen supply chains and mitigate cyber risks.

Acknowledging Weak Points and Strengthening Software for the ICT Supply Chain

Tzachi Zornstain, the head of Supply Chain Security at Checkmarx, defined the software supply chain and underscored the problems affecting the current ICT supply chain.

"The [ICT] supply chain is the same parallels as the traditional supply chain," Zornstain explained. "When you look at the traditional supply chain, there is no one weak point that we need to secure. It's a process, and we need to secure the entire process."

He explained how the supply chain could be attacked at any level, meaning each area must be independently secured.

"There is no single point of failure that we need to fix," Zornstain said. "An attacker can attack us at a developer level, at the build level — as we saw with SolarWinds — in open source packages. … So a lot of times, when you have a lot of different attack vectors, we need to prioritize."

Developing Trust in Supply Chain Software and Hardware

Thousands of open-source packages are created each day, which leaves the ICT supply chain vulnerable to cybersecurity threats. Eric Goldstein, the executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), believes mitigating the risks requires prioritization.

"We need to prioritize and take that risk-based prioritization," Goldstein said.

"Taking that same sort of risk-based prioritization and then putting controls and measures in place, starting with the most critical, is really the only way that we're gonna make significant progress to that end," said Ian McCormack, the deputy director of government cyber resilience at the National Cyber Security Centre.

The Threats of Dependencies in the ICT Supply Chain

Looking at how microservices pass data between one another, Tim Mackey, the principal security strategist at Synopsys CyRC (Cybersecurity Research Center), described the scale at which companies rely on third-party dependencies in their applications.

"In some research that we published earlier this year, looking at about 2,400 commercial applications, the average number of dependencies in this — effectively, the average number of suppliers in those 2,400 commercial applications — was 508," Mackey said. "Those are scale problems. Solving for this across the multitude of applications in an organization — that's a scale problem."

He continued, "One of the things that we're advocating for is an understanding of where you have managed and unmanaged risk within the vendor relationship."

Strategically Approaching Supply Chain Cybersecurity Challenges

In the final portion of the event, a group of panelists took a deep dive into the impact the ICT supply chain has had on businesses.

"Even though over 90% of global companies… create a great role in our supply chains and manufacturing, they do not have the resources to invest in cybersecurity," Mihoko Matsubara, the chief cybersecurity strategist for NTT Corporation, Tokyo, said. "This is a huge problem, especially during COVID, because they have less money to invest in manpower and cybersecurity solutions."

To counter these significant supply chain threats, Eric Tamarkin, the director and senior public policy counsel for Samsung Electronics America, discussed national and international policies and programs in place to help organizations.

"From a Samsung perspective… we're collaborating with the industry to develop and implement cybersecurity standards and best practices," Tamarkin said. "We're also adhering to a security development life cycle, as well as our Knox security principles — including securing hardware root of trust — so that when we sell our devices to our customers, we empower them with cybersecurity so that we enhance the security and supply chain security of the entire ecosystem."