policy and potentially mandate could direct departments to only accredited service options, where, for example, the data transfer and hosting remain within a trusted UK domain.

compromised data centre greater than the threat of data loss/leakage through an exfiltration hack initiated through intentional corruption built into the software or hardware? We certainly worry about the former sufficiently to act upon it (e.g. G-Cloud UK Safe Harbour), so why not the latter? Is it just too hard, expensive, or overwhelming to begin to think about? Or do we simply worry less?

automated factory production process would contaminate a huge quantity of devices shipped to many separate locations all over the world. This type of attack would surely be out of reach of the criminal fraternity, whereby their intent and subsequent targets would be far too defined and specific to attack effectively in this way. Threats of these attacks would therefore be restricted to state-sponsored objectives, and can then be, to an extent, predicted by current global and political intelligence.

or a semiconductor foundry for example, would be very difficult and expensive. Plus, the further upstream in the supply chain you infiltrate, the more difficult it would become to home in on any specific targets.

set of circumstances for the analogue and corporeal supply chain as we do that of the digital in respect to the G-Cloud model? I acknowledge this would be extremely difficult and the costs would be eye-watering, but if we really worry about the threats of adopting a global supply chain (after all, over 50% of chip production revenue originates in China), then is this worth considering? At the very least, is this worth considering for specific acquisitions made by our High Threat Club for instance?

Trusted Foundry Programme, creating an assured supply chain including 50 accredited suppliers for DOD or DOD-sponsored critical requirements.
(though not chip design vulnerabilities) but it is expensive and restricted to only the most critical defence requirements. The vast majority of Federal and Infrastructure capability remains at the mercy of the global supply chain, and for economic reasons alone, will no doubt continue to be so for the foreseeable future.

customers could use? This would be a cyber-equivalent of how we treat the movement of animals across continents. These quarantine areas could use technology currently available, or develop new capabilities that conduct deep inspection activities testing for intentional hardware and software corruption, or use techniques to prematurely trigger payloads that contaminated products may host. This would clearly delay shipments; however, if we believe the threat to be real then is it worth investing in this type of quarantine system or clearing house for IT imports?

series of questions, notably:

· If not, what are we doing to gather that evidence?

· What can we actually do to mitigate any risks based upon any evidence we have determined that they do exist)?

supply chain contamination?

risk factors.

instance, equate to:

antagonistic nations on these subjects, whilst attempting to gather evidence that supply chain threats exist.

also constitute an emergency supply chain for our critical functions. This would in turn mitigate threats to availability, e.g. in the wake of major natural disasters like the recent floods in Thailand.

overcome; however, this activity could for instance be outsourced to trusted, specialist, and local SMEs who could usefully take up some of the burden.

accept and acknowledge a residual risk of supply chain contamination, and move on to the next problem.

localised all at the same time, and it's certainly not an exhaustive list but we do need to do something other than continuing to proffer doom. We need to break the inertia that this attitude has developed.
There is just no value or utility in rehearsing the problem space, and continuing to perpetuate fear, uncertainty and doubt.

exist, but what is the actual risk? And whilst I can agree that the problems will persist, and in many respects we face insurmountable challenges in regard to the complete safety of a global supply chain, there must be immediate opportunities to improve the situation and at least mitigate and reduce the risks of supply chain contamination as things now stand.

into action? Are we waiting for a compelling event? Or are we prepared to implement some mitigation strategies now?

issues. In particular, do you think the "Supply chain safety label" idea described earlier actually has value? Your voice literally determines the action that we take in respect to developing this system, as in the spirit of this article we will endeavour to play a positive role in moving the debate forward if this idea is deemed to have genuine utility.

Paranoia Society. The person who answered wondered how I got his number... (sorry).