
Op-Ed: Pioneering an Australian high-risk vendor strategy

Understanding the imperative of addressing ICT vendor supply chain practices.

Sarah Sloan, Palo Alto Networks
Tue, 26 Mar 2024

Over the last year, we have seen governments around the world increasingly concerned by the risks posed by information and communication technology (ICT) hardware and software vendors embedded across their organisations.

Earlier this year, various Australian federal government departments instituted restrictions on WeChat in response to rising privacy, foreign interference, and cyber security concerns. This announcement followed the ban of TikTok on federal government devices. Echoing these same security and privacy concerns, the United States recently issued directives that would limit the sale and transfer of bulk personal data to countries of concern like China, and another that would examine the national security risks associated with connected cars that contained components made in China.

Recognising the threats posed by potential high-risk ICT vendors, Australia committed in its 2023–30 Cyber Security Strategy to developing a framework for assessing the national security risk presented by vendor products and services entering and operating within the Australian economy. In a highly connected global technology landscape where concerns about foreign actors accessing critical and sensitive information are intensifying, these efforts are welcome.


However, for Australia to effectively identify and mitigate potential risks posed by any vendor to our national interests, the Australian government should shift from a reactive “whack-a-mole” approach that primarily considers vendor headquarters to a proactive strategy that comprehensively assesses supply chain risks associated with all ICT hardware and software vendors.

Unpacking Australia’s ICT vendor supply chain risks

Today, all organisations are highly dependent on an increasingly complex and interwoven tapestry of ICT hardware and software vendors. While this provides a variety of business benefits, it also comes with added security risks, as just one compromised or insecure ICT vendor can unravel the most fortified defences.

Take software for example. Software has spread to almost every aspect of our lives – from our watches to our combat aircraft – and nearly every organisation relies on software to operate. No longer confined to our laptops or computers, software now controls the operations of power plants, medical devices, cars and much of our national security and defence platforms.

However, software can raise significant security concerns for various reasons. One of these concerns arises when the software is provided and maintained by a vendor located in a jurisdiction where they could be subject to extrajudicial directives from a foreign government (such as a requirement or mandate to weaponise the software in the national interest). Another concern is the software provider’s adherence to secure coding practices, as inadequate practices may render the software more susceptible to vulnerabilities. Additionally, there may be instances where software providers have disclosed their source code to foreign governments as a prerequisite for market access, potentially increasing the software’s vulnerability to exploitation.

In an era where ICT is the backbone of national and economic security, as well as social prosperity, the need to prioritise vendor supply chain security cannot be overstated.

Strengthening vendor ICT supply chain security: A call to action

As Australia looks to develop a high-risk vendor framework under its 2023–30 Cyber Security Strategy, it is imperative that we look to uplift, strengthen, and increase our collective visibility into vendor supply chain security practices to enhance our national security posture and resilience. This could be achieved in five key ways:

  1. Establish dedicated government resources: Currently, there is no federal government agency responsible for conducting comprehensive assessments of vendors’ ICT supply chain practices, either on behalf of the government or for the public’s benefit. A dedicated government resource focused on vendor supply chain security would ensure the development of policies, structures, and processes to provide advice on high-risk supply chain security issues and to prevent high-risk vendors from embedding themselves within government and critical infrastructure facilities and networks.
  2. Create a public list of high-risk products and vendors: Developing and maintaining a public list of high-risk technology products or vendors would facilitate risk-based decisions by public and private organisations, including federal, state, and territory agencies and critical infrastructure stakeholders, and help them avoid embedding risky technology products and services in their environments. Similar to the US Federal Communications Commission’s (FCC) list, this public resource could guide organisations and warn against procuring from high-risk vendors.
  3. Disclosure of unique source code: The Australian government should establish a list of vendors that have disclosed their unique source code to foreign nations. Increasingly, countries are requiring source code disclosure as a condition for selling technology in their markets. The Australian government should assess whether technology and security companies it engages with have shared their source code with foreign governments, as this poses potential security risks to their organisations. Creating a list of such companies will aid government agencies in making informed, risk-based technology procurement decisions.
  4. Update procurement rules: The Australian government may wish to revise the Commonwealth Procurement Rules and other key procurement policies to explicitly reference both cyber security and supply chain security considerations. This update should ensure that ICT procurements adhere to rigorous security standards. Governments should consider whether a vendor places a strong emphasis on end-to-end risk management, including identifying and addressing supply chain risks throughout the product life cycle; whether it actively manages its own suppliers; whether it considers geopolitical factors in security decisions; whether it engages in public-private partnerships to enhance supply chain security; and whether it has strong executive management buy-in to ensure effective coordination across corporate functions for supply chain risk management.
  5. Regular vendor practices review: Establish practices and procedures for regular reviews of key vendor practices, including their software supply chain management. Collaborate with vendors of critical software to establish risk-based principles and potential changes to their software development practices. Additionally, develop a process for the removal of software from government environments when necessary.

As we continue to rely on ICT for our national and economic well-being, strengthening ICT supply chain security is paramount. By taking these proactive steps, the Australian government can safeguard its critical infrastructure, protect national security, and ensure the integrity of its digital ecosystem. In an era where cyber threats are constantly evolving, securing the supply chain of our ICT vendors is not just a choice, it is an imperative for the safety and prosperity of our nation.

The backbone of a resilient and trust-based global economy

As Australia sets its sights on becoming the most cyber-secure nation in the world by 2030, ensuring critical infrastructure, systems, and information are cyber-secure continues to be a challenge. But it is one with a solution, as developing a comprehensive high-risk vendor strategy with a strong focus on ICT supply chain practices can provide a crucial foundation for anticipating threats and protecting national interests throughout the value chain.

By ensuring the integrity, confidentiality, and availability of goods and services throughout our digitised world, we can mitigate risks, protect sensitive information, and safeguard the interests of businesses, consumers, and the nation.


Sarah Sloan is head of government affairs and public policy, Australia New Zealand and Indonesia, at Palo Alto Networks.