Collaboration between stakeholders needed to ensure supply chain security

A collaborative effort from both upstream and downstream stakeholders in the industry is necessary to ensure supply chain security, said Sean Yang, Huawei’s Global Cyber Security and Privacy Officer. 

He was speaking at GovWare 2023, where he delivered a keynote presentation titled “Enhancing Supply Chain Security in the New Digital Reality”, during which he pointed out the significant threats to supply chain security posed by increasingly frequent and severe cyber attacks. 

 
“To address these risks and challenges, companies will need to effectively build security into products, and to focus on supplier management, open-source software management, and R&D and production management,” he said. 

Software supply chain attacks on the rise  

At an awards ceremony last week, Huawei International CEO Foo Fang Yong called the strengthening of cyber readiness and cyber safety for Singapore’s critical information infrastructure “a collective responsibility”. 

Yang reiterated this view in his presentation, saying that cybersecurity and privacy protection “are a shared social responsibility of all information and communications technology (ICT) solution providers and stakeholders.” 

He noted that with the globalisation of the supply chain, software and hardware products have become increasingly large and complex. Hence, strengthening the security of supply chains is a very important part of ensuring the development of the digital economy. 

In the past two decades, network security attacks targeting software supply chains have grown in severity, with the 2020 SolarWinds hack a prominent example.  

The hack occurred after the platform release environment of the SolarWinds network management software was intruded upon, leading to the source code of a component tampered with and backdoor code added. 

It is increasingly common that criminals would utilise software supply chain attacks as a method to obtain business information illegally, said Yang. According to research firm Gartner, 45 per cent of enterprises will be exposed to such supply chain attacks by 2025. 

Vulnerability management crucial to supply chain security  

In order to manage supply chain security well, enterprises need to manage the security of product components from three different sources: from third-party suppliers, from open-source avenues, and from production and research and development. 

Effective vulnerability management, Yang said, represents a crucial control of supply chain security.  

Companies need to effectively manage their upstream sources, ensure product security through secure development practices and continuous lifecycle security, and provide excellent service to their downstream customers or tenants, he added.  

Sharing Huawei’s vulnerability management framework and best practices, as described in a 2023 white paper, Yang highlighted the need to improve suppliers’ security management capabilities, as the security status of their components would have an impact on one’s own security level. 

Meanwhile, when it comes to open-source components, which now play a fundamental role in ICT software infrastructure, reliance on open source is steadily increasing, to the point where “poisoning” of open-source software can lead to vulnerabilities ranging from mild to very high-risk. 

According to a report by Synopsys, 84 per cent of the 1,703 code inventory reviewed in 2022 contained at least one open-source vulnerability. 

In the face of this, Yang recommends appointing an open-source software management team to enforce rules and processes to govern open-source software sourcing, lifecycle management, open-source maintenance and product integrated development, and vulnerability management. 

And for self-developed components, he said that R&D and production management are needed.  

“You need to adopt a product security development process to build secure and reliable high-quality products,” he said, adding that vulnerability management calls for enterprises to manage the upstream, to do “your own job” well, before going on to serve the downstream well. 

Referring to the white paper, Yang said it highlighted a multi-step vulnerability management process that helps customers mitigate risk, and which involves collaborating with upstream and downstream to comply with vulnerability disclosure principles. 

As highlighted in the white paper, Huawei’s Conceptual Architecture for Vulnerability Management is underpinned by five principles that guide seven key stages, which inform four key management practices. 

Collaborating with stakeholders 

Concluding his presentation, Yang pledged that Huawei would continue to contribute both capabilities and governance best practices to the industry, and collaborate with stakeholders with openness and transparency to build a secure ecosystem towards heightened supply chain security. 

Currently, Huawei partners with various stakeholders in technical innovation, standards formulation, certification, and management improvements, and shares experiences to jointly build a security ecosystem, and thus protect security and privacy in the digital world. 

For instance, to cultivate more ICT and security talents, Huawei has just signed a memorandum of understanding with the Association of Information Security Professionals (AiSP). 

This collaboration includes supporting AiSP’s community outreach initiatives and providing online training resources to at least 80 AiSP members each year in 2024 and 2025; these members can go on to achieve leading industry certifications such as the Qualified Information Security Associate (QISA) and the Qualified Information Security Professional (QISP). 

Huawei has also joined more than 10 international and Chinese standards organisations, developed more than 100 security and privacy standards, contributed nearly 300 cybersecurity proposals in 2022, and obtained more than 400 third-party certifications. 

“As technologies and attack tactics continue to evolve, it is imperative to constantly adapt and enhance vulnerability management capabilities.  

“We are happy to share our experiences and lessons learned with all external stakeholders, including customers, suppliers, and security researchers, and to work together to jointly mitigate attacks and risks caused by vulnerabilities on a live network,” Yang said.