On 15 April, teissTalk host Geoff White was joined by a panel of four cyber security experts to discuss keeping supply chains cyber secure and resilient.
How mature is the cyber security thinking of policy makers in the UK?
There is a definite maturing. It’s not an even covering across the board. But because our economy is increasingly dependent on the internet, policymakers need to engage with this issue.
The pandemic has played its part in this. Now everyone has to rely on technology to keep their personal and professional lives going. In the past perhaps we failed to recognise how important it was. But despite sometimes inadequate infrastructure, the internet has shown its strength in meeting the changed and increased demands made on it.
There are policy challenges at the moment. China is a technology superpower that doesn’t share the same values that the UK does. However, we need to engage with them and find ways of collaborating on security technology, while at the same time taking a strong line of national security and human rights. Perhaps it is going to be hard to co-exist with them, but containment won’t work so we need to look for positive responses that build on our strengths of education and innovation.
Take the issue of Huawei. People felt that using its technology represented a security risk it because it was a Chinese company. But when security experts examined its technology, they felt that the real threat was from poor quality coding which would allow hackers to build back doors. And with such pressures on rapid development there is a tendency to avoid security by design which is going to make poor coding practices more likely. This is a feature of all technology markets that has still to be addressed.
How far does a security compliance mindset protect organisations?
“Trust but verify” is a very common saying in security. In the past, many people have relied on certified policies and check-box compliance. Now people want to go a little deeper – they want to verify as well as trust.
Companies often rely on auditing firms to report on products and their safety. And that’s critical. Rather than saying “Trust but verify” it could be better to simply say “Don’t trust”! There is a need to verify everything.
Certifications can give you an idea about where an organisation is on the security journey. But it’s far more helpful when organisations share their strengths and weaknesses with you. For instance if they share their penetration reports with you it’s possible to work with them to create a more secure service. You have to request evidence where you can. A certification will never be enough. The difficulty is that following up on this is time consuming.
Some organisations will even let their customers run penetration testing on them. This is a very good sign. However, many companies can’t say yes to a request to do this, perhaps because they can’t segregate the data of other clients. So this shouldn’t be an absolute requirement, unless you are happy to restrict the number of suppliers you can use. And if you do run penetration testing against a supplier then it’s important to be open and supportive rather than over critical.
How can we assess the security of supply chains?
We have seen with the Solar Winds attack that some companies that would fly through any supplier check based on nationality and size are in fact vulnerable. Dependencies on particular suppliers can emerge after an incident: there is never anything that is 100% secure. Instead we need to more towards resilience and avoid pointless prejudices against, for instance, suppliers who have a particular nationality.
It’s hard for any company to insist that suppliers are at a particular level of security, and just as hard to spare the resources to evaluate whether they are at a particular level. Certifications are a good way of providing evidence of security efficiently. If a supplier offers you the results of a pen test, then there needs to be a good deal of work done analysing the results and then working with that supplier to fix any problems. That’s expensive.
Security has changed both for vendors and users. It’s gone from a prevention mindset to a reactive mindset – how to respond to the inevitably of being breached. Asking “What did you do to prevent a breach?” is the wrong mindset. The better question to ask is “What would you do if you were breached?” Increasingly the policy emphasis is on resilience and the ability to recover.
Journal of Cyber Policy
Head of Information Security
EF Education First
Global Head of Cyber
HFW – Law Firm
GM Global Security Programs