You are on page 1of 11

Securing the Supply Chain for Electronic Equipment

A Strategy and Framework


November 2008

Scott Borg
Director and Chief Economist U.S. Cyber Consequences Unit

Copyright 2008 Scott Borg/U.S. Cyber Consequences Unit. All rights reserved.

Problem: concern about malicious firmware getting into government, military, and critical infrastructure systems
Threat of broad regulations and mandates Threat of onerous provisions in government contracts Threat of terrible damage in certain circumstances from hard-wired logic bombs if nothing is done

Copyright 2008 Scott Borg/U.S. Cyber Consequences Unit

But lets be realistic: limited motives and limited targets for malicious firmware
Nation states installing sleeper, one-use attack tools - Very long term (long preparation time, long lasting) - Hard-to access systems (e.g., highly protected infrastructure, military or intelligence) - Dormant (no regular interaction or operation) - Willing to cause loss of trust in supply chain Criminals seeking to corrupt systems with no software to corrupt (e.g., card readers, automated safety systems)

Hence, a severe, but limited problem


Copyright 2008 Scott Borg/U.S. Cyber Consequences Unit 3

Furthermore: multi-national production is competitively necessary


Imposing costly requirements on American companies would limit their ability to compete internationally Protecting less competitive operations is not a sustainable national policy

Preliminary estimates suggest that if the government suddenly demanded stringent supply chain security, many companies would simply stop supplying the government Their Opportunity Costs for supplying the government would become greater than the governments Willingness-to-Pay

Copyright 2008 Scott Borg/U.S. Cyber Consequences Unit

Strategy: solve this customer problem in a way that produces other benefits
Companies face supply chain threats and losses other than hardwired logic bombs: Interruptions of supply increasing costs Quality control problems damaging the brand Loss of sales to counterfeit products Loss of intellectual property undermining future ability to compete Making the supply chain more secure can help with these other threats too The relevant security measures are complementary and need to be applied together to be effective

Copyright 2008 Scott Borg/U.S. Cyber Consequences Unit

Four kinds of business attacks possible at each stage of the supply chain
I. Interrupt the operation II. Corrupt the operation (including inserting malware) III. Discredit the operation (undermining trust, damaging brand value) IV. Undermine the information basis for the operation (loss of control, loss of competitively important information)

Copyright 2008 Scott Borg/U.S. Cyber Consequences Unit

Different remedies for each type of attack


I. Protection against interruption: Continual, mandatory sharing of production across supply chain Maintaining alternative sources II. Protection against insertion of malware: Strict control of environments where key intellectual property is being applied Logical tamper-proof seals Physical tamper-proof seals Effective sealing and tracking of containers III. Protection against undermining trust: Logging of every operation and who is responsible IV. Protection against loss of control of information: Versioning as a tool for protecting intellectual properties

Copyright 2008 Scott Borg/U.S. Cyber Consequences Unit

Different supply chain stages to which the remedies need to be applied (in each branch of production flow tree)
Design Overall product design Detailed product design Creation of production masters Production Production facility design Quality control of production process Quality test verification Distribution Transport of finished product Distribution of finished product Maintenance After-sale maintenance of product
Copyright 2008 Scott Borg/U.S. Cyber Consequences Unit 8

Hence: A Remedies for Stages Grid

REMEDIES

Copyright 2008 Scott Borg/U.S. Cyber Consequences Unit

STAGES

Legal relationships necessary between global component suppliers, assemblers, and the overseeing company
1) Rigorous, unambiguous contracts, delineating the security measures 2) Locally responsible corporations with a long term interest in complying 3) Local ways of overcoming agency problems, motivating executives and workers 4) Adequate provision for verifying that security measures are being properly implemented 5) Local enforcement of agreements at all levels

Copyright 2008 Scott Borg/U.S. Cyber Consequences Unit

10

Thank you!
For more information or permission to use this material in its current form, please contact: Scott Borg U.S. Cyber Consequences Unit P.O. Box 1390 Norwich, VT 05055 scott.borg@usccu.us 802 649 - 3849

Copyright 2008 Scott Borg/U.S. Cyber Consequences Unit

11

You might also like