As part of Huawei’s cyber security series, this white paper focuses on supply chain risk. It explains why the industry needs to ensure supply chain security, outlines best practices, and describes Huawei’s approach.
This fourth white paper in Huawei's cyber security series focuses on cyber security supply chain risk. Organizations and consumers need to be able to take advantage of the full benefits of information and communications technologies that flow from a truly global supply chain. Supply chain risk management is not just about ensuring that products and services will be there when needed, but it is also about a product lifecycle approach that minimizes the risk that products will be tainted by malicious actors, or that they will be counterfeit or contain counterfeit components that can be exploited for illicit purposes.
Supply chain risk is one part of the risk that an organization must understand and manage in order to be successful. An organization cannot address supply chain risk appropriately without implementing the measures necessary to handle risk across the board. It is a very important part of the journey to a more secure risk posture for individual organizations to recognize and appropriately put into place key mechanisms that can help an organization successfully manage risk.
For an organization to move to a more appropriate, sustainable, and transparent supply chain risk posture, three things are required: (1) an understanding of supply chain risk; (2) knowledge of how to address the risk; and (3) internal and/or external drivers to take action, and accountability if the organization falls short.
Those who rely on ICT are slowly coming to realize that supply chain risk can no longer be ignored or its significance minimized. With this growing recognition comes a growing awareness among key cyber stakeholders of their responsibility to move beyond sometimes impassioned discourse to actually making real progress toward addressing supply chain risk in a collaborative, cooperative manner.
Among those with at least some understanding of the risk, many struggle with what to do about it, particularly in the face of numerous standards and best practices. There are some activities taking place around the world that can contribute to the effort to address supply chain risk: SAFECode; Underwriters Laboratory; the ENISA report on European supply chain integrity; the EastWest Institute's cyber initiative; in the UK, the efforts of CPNI and the Trustworthy Software Initiative; in China, cyber security and anti-terrorism legislation; in Japan, the governmental efforts to implement a strategy on supply chain risk; and in the United States, initiatives in the energy, defense, and financial sectors to address this issue.
This white paper provides details about Huawei's approach to supply chain risk, which is part of a larger end-to-end, global assurance program. We share details of what we are doing in order to invite feedback and to encourage and facilitate a broader dialogue among stakeholders about how to better address supply chain risk and build greater trust in the global ICT supply chain.
Huawei Cyber Security White Paper (Jun. 2016) (PDF, 1.70MB)