Canadian Supply Chain Security Landscape
Overview of the Canadian Supply Chain Security Landscape
"I cannot forecast to you the action of Russia. It is a riddle wrapped in a mystery inside an enigma, but perhaps there is a key. That key is Russian national interest." Sir Winston Churchill said this in 1939 regarding what role the Soviet Union might play in World War II. That war is over, and the cold war with the Soviet Union has seemingly transformed into an even colder war with China, and yet I find it a fitting way to begin a piece around Supply Chain Security. Of course, there are several other high risk foreign actors you can add to the list.
In this era of constant complaints around the marketing of fear, uncertainty, and doubt (FUD) in our industry, and after more than two decades of avoiding it everywhere I have worked (in favour of more common-sense approaches), I have finally found the need to market some FUD, even if only to raise awareness.
For many of us with a traditional Enterprise perspective, confronting the numerous risks that emerge when attempting to establish Supply Chain security forces us out of our comfort zone. As I am currently embarked on the security evolution of a Major Capital Project, the number one concern continues to be the Confidentiality, Integrity and Availability (CIA) of the Crown’s information assets. A secondary and related goal is to ensure the Prime Contractor can apply the same tenets down the entire supply chain. Due diligence in these, and many other, segments of security/cybersecurity is noticeably absent from either a legislative, policy, or process perspective when compared to our FVEY partners. If left unsupported, this void can lead to significant security breaches in Canadian Government, Defence, and critical infrastructure.
The international complexity of supply chains, the increase in potential interferences, and emerging cybersecurity risks caused by threats and vulnerabilities of information systems, have dramatically increased the possibility that:
- Process and product quality could be compromised by inadequately monitored suppliers;
- Lower-tier suppliers could intentionally or unintentionally introduce software, firmware, or hardware in which confidentiality, integrity, and availability have been compromised;
- Supply chain disruptions could create a scramble for parts that enables poor quality or counterfeit products to enter the chain;
- High value intellectual property shared with suppliers could be misused, creating unforeseen operational, security or liability risks;
- Service suppliers, including contract manufacturers, outsourced legal and accounting, or repair and maintenance providers, could tamper with a company’s information based on tier access to its information system if the data is not adequately protected; and
- Adversaries could use vulnerabilities of different components within the supply chain to attack the company’s information systems.
Traditionally, the Return on Investment (ROI) on addressing mature assurance of your supply chain would be based on appropriate security policies, controls, and procedures that should be implemented, based on cost-effective risk approaches. This would normally result in monetary and/or productivity savings, better brand protection (vis a vis reduced risk of counterfeit, improved protection of IP, and greater risk intelligence), and a level of compliance capability based on regulatory/legal requirements being met with greater confidence at lower cost. All this would be further demonstrated by protection of shareholder value, customer satisfaction, brand protection, and boosting the bottom line.
However, we are not witnessing that level of maturity from Canadian policy or law makers.
At the time of writing this, the Canadian government agencies responsible for advising on security have been remarkably quiet regarding revelations of an explosive data breach of Texas-based Solarwinds. According to reports, hackers were able to infiltrate an email system used by federal agencies. They were also able to insert malicious code into a software update of the Solarwinds Orion product, which was subsequently downloaded by more than 18,000 customers. The scale of this breach is enormous, yet Solarwinds simply released an advisory with known mitigation steps, and the Canadian Centre for Cyber Security (CCCS) repeated it. No responsible disclosure around whether (or which) government departments may be affected, if any Canadian businesses might also face risks, if any investigative actions have been initiated into the Canadian government supply chain or other vulnerabilities, or if compromises have been enabled through the gateway opened by the SolarWinds breaches.
Why would Canada’s leading agency on cybersecurity be so quiet on the issue? One reason is, and I have been told this personally, that other policy-making departments fear that putting too much security rigour into the supply chain could hurt Canadian small to medium businesses (SMBs) by imposing additional costs. Perhaps this is why we have such a stark security policy, or dare I suggest legislative, perspective on Cybersecurity in this country. It is either that or something completely disconcerting; Canada is just not prepared or capable. Are they missing the argument that the long-term benefits of investing in security in an increasingly digital world will pay dividends vs focusing on the short-term costs of getting started? Certainly, hiding Canadian government breaches is not the long-term strategy?
The powers that be must see that we are at a crossroads. The longer they wait to address these cybersecurity challenges, the higher the risk that Canadian critical infrastructure will be targeted – with more severe outcomes than those of the past.
The federal department of Industry, Science and Economic Development (ISED) has wandered down the advisory path with the evolution of the Canadian Centre for Cyber Security “Top Ten” security actions into a body of work retooled through collaborative efforts of the Standards Council of Canada. In somewhat easy to understand language, it advises Canadians to secure the most common elements of their business and suggests an audit process to ensure you have implemented security measures correctly. Completely voluntary, it is nonetheless incomplete as it does not include the crucial elements of physical security.
Comparing the weak Top Ten advice to the mandatory Cybersecurity Maturity Model Certification (CMMC) requirements of the United States Department of Defense, that are now creeping into Canada for organizations that sell to the US Department of Defense, is like comparing apples and oranges. By way of its legislative approaches and compulsory assurance framework, the U.S. can quantify and react to the tens of billions of dollars lost through malicious software activity. Foundationally built on the National Institute of Science and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (CSF), NIST SP 800-171, other NIST guides, and Carnegie Mellon CERT documents, the CMMC consists of mature processes and cybersecurity best practices to provide structure and alignment to a set of capabilities within each security domain.
Canadian practitioners in the cybersecurity industry know full well how long law makers have been ignoring cybersecurity in this country. A simple reflection of the now 20-year-old body of legislation, standards, policy, guidance, and processes being implemented South of the border, compared to Canada’s smattering of clauses and advice with no consequences, and you will see we fall short. Although Canada can prosecute cybercrime, there is nothing in place to compel Canadian companies, other than the heavily regulated industries, to secure themselves in advance of a potentially devastating breach. Nonetheless, ISED’s work is touted as a good step here in Canada.
By establishing a cybersecurity regulatory framework for conducting business with Government, the payoff will be in increased trade and trust in Canadian products vs regulatory resources wasted on rear view prosecutions.
Why are standardized and regulated processes important? Without these instruments, Canadian businesses, and specifically those selling to the Crown, have no urgent incentive to secure themselves (and, by extension, the people whose data is contained within their databases). Those of us trying to fill those gaps at the project level are attempting to create requirements that raise the proverbial bar – only to be told such measures are too difficult or too expensive to institute, or they become watered down by authorities who do not fully understand the domain, or the depths of its risks.
The body of work to establish the regulatory framework is out there and available for public adoption. It begins with solid systems engineering discipline, established through the systems and software engineering standards of ISO 15288/12207. To properly ensure good security engineering the International Standards should be complemented with the Systems Security Engineering practices found in NIST SP 800-160 Volume 1. These can then be augmented with myriad other coordinated ISOs and NIST guidance that will put you on the path of solid supply chain security.
Starting off by using standards-based procurement instruments, such as Statements of Work and effective Data Item Descriptions (DIDs), can not only ensure that project elements are properly addressing security and cybersecurity but can also create the much-needed dynamics to evolve and fortify supply chains. It is important to reach even the most remote tiers of your supply chain, as they are the most vulnerable. All too often, procurement processes follow decades-old methods that have not evolved as an engineered system of systems and do not address the breadth and depth of your supply chain or its current challenges.
Procurement activities should focus on through-life lifecycle processes detailed in the Agreement family of ISO 15288, and security based on standards such as ISO 27036 and ISO 28000. The ISO 27036 series, Information technology – Security techniques – Information security for supplier relationships, is a multi-part standard that offers guidance on the evaluation and treatment of information risks involved in the acquisition of goods and services from suppliers. The context is business-to-business relationships and information-related products.
ISO 28000, the specification for security management systems for the supply chain, identifies key requirements, including those aspects critical to security assurance of the supply chain. Security management is linked to many other aspects of business management. Aspects include all activities controlled or influenced by organizations that impact supply chain security. These aspects should be considered directly, where and when they have an impact on security management, including transport of goods along the supply chain.
Additionally, the National Institute of Science and Tech has been prolifically addressing supply chain issues through a series of guidance instruments. Notably, I have used NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations; NISTIR 8276 (Draft) Key Practices in Cyber Supply Chain Risk Management: Observations from Industry; and NISTIR 7622 Notional Supply Chain Risk Management Practices for Federal Information Systems. These standards and guides augment the baseline systems engineering lifecycle to build solid requirements for security of the supply chain. In time, they may very well lay the groundwork for the International Standards in this area.
The frameworks and expertise exist. It is hard to argue the benefits to Canadian citizens and industry. From a legislative perspective, adopting standard practices clearly outweighs the effort. And from an ethical perspective, the effort to mitigate a serious breach far outweighs the devastating, long-term damage that can come from being ill-prepared. Would you buy a vehicle to transport your family without the Transport Canada safety marks of certification?
All that remains is the recognition that it makes business sense to provide digital assurance that Canadian physical and digital products are trustworthy in the global market, and the commitment to do something about it.
Peter Hillier, CD, CISSP, served 20 years in the Intelligence and Security areas of the Canadian Armed Forces. He has spent the last two decades dedicated to the evolution of the IT Security profession either through creating new services, writing, speaking, and participating in standards development, and founded Hillier Information Protection Solutions Inc. He also provides Systems Security Engineering services and training at SSEng Group Inc.