By Andras Szakal
Increasingly, the critical systems of the planet — telecommunications, banking, energy and others — depend on and benefit from the intelligence and interconnectedness enabled by existing and emerging technologies. As evidence, one need only look to the increase in enterprise mobile applications and BYOD strategies to support corporate and government employees.
Whether these systems are trusted by the societies they serve depends in part on whether the technologies incorporated into them are fit for the purpose they are intended to serve. Fitness for purpose is manifested in two essential ways: first, does the product meet essential functional requirements; and second, has the product or component been produced by a trustworthy provider. Of course, the leaders or owners of these systems have to do their part to achieve security and safety (e.g., to install, use and maintain technology appropriately, and to pay attention to people and process aspects such as insider threats). Cybersecurity considerations must be addressed in a sustainable way from the get-go, by design, and across the whole ecosystem — not after the fact, or in just one sector or another, or in reaction to crisis.
In addressing the broader cybersecurity challenge, however, buyers of mission-critical technology naturally seek reassurance as to the quality and integrity of the products they procure. In our view, the fundamentals of the institutional response to that need are similar to those that have worked in prior eras and in other industries — like food.
For example: Most of us are able to enjoy a meal of stir-fried shrimp and not give a second thought as to whether the shellfish is safe to eat.
Why is that? Because we are the beneficiaries of a system whose workings greatly increase the likelihood — in many parts of the world — that the shellfish served to end consumers is safe and uncontaminated. While tainted technology is not quite the same as tainted food, it’s a useful analogy.
Of course, a very high percentage of the seafood industry is extremely motivated to provide safe and delicious shellfish to the end consumer. So we start with the practical perspective that, much more likely than not in today’s hyper-informed and communicative world, the food supply system will provide reasonably safe and tasty products. Invisible though it may be to most of us, however, this generalized confidence rests on a worldwide system that is built on globally recognized standards and strong public-private collaboration.
This system is necessary because mistakes happen, expectations evolve and — worse — the occasional participant in the food supply chain may take a shortcut in their processing practices. Therefore, some kind of independent oversight and certification has proven useful to assure consumers that what they pay for — their desired size and quality grade and, always, safety — is what they will get. In many countries, close cooperation between industry and government results in industry-led development and implementation of food safety standards.
Government’s role is limited but important. Clearly, government cannot look at and certify every piece of shellfish people buy. So its actions are focused on areas in which it can best contribute: to take action in the event of a reported issue; to help convene industry participants to create and update safety practices; to educate consumers on how to choose and prepare shellfish safely; and to recognize top performers.
Is the system perfect? Of course not. But it works, and supports the most practical and affordable methods of conducting safe and global commerce.
Let’s apply this learning to another sphere: information technology. To wit:
The Trusted Technology Forum (TTF) is a promising and complementary effort in this regard. Facilitated by The Open Group, the TTF is working with governments and industry worldwide to create vendor-neutral open standards and best practices that can be implemented by anyone. Membership continues to grow and includes representation from manufacturers worldwide.
Governments and enterprises alike will benefit from the TTF’s work. Technology purchasers can use the Open Trusted Technology Provider (OTTP) Standard and the OTTP Framework best practice recommendations to guide their strategies. And a wide range of technology vendors can use TTF approaches to build security and integrity into their end-to-end supply chains. The first version of the OTTP Standard (OTTPS) is focused on mitigating the risk of tainted and counterfeit technology components or products. The TTF is currently working on a program that will accredit technology providers to the OTTP Standard. We expect to begin pilot testing of the program by the end of 2012.
Don’t misunderstand us: Market leaders like IBM have every incentive to engineer security and quality into our products and services. We continually encourage and support others to do the same. For example: IBM’s Secure Engineering Framework is a comprehensive, multidisciplinary approach used within the company and freely shared externally — including with the TTF. It encompasses quality and security engineering and development as well as supply chain integrity and security.
But we realize that trusted technology — like food safety — can only be achieved if we collaborate with others in industry and in government. That’s why IBM is pleased to be an active member of the Trusted Technology Forum, and looks forward to contributing to its continued success.
Excellent article and the OTTF approach is one that is sorely needed. The US Gov, and particularly the DoD, is caught between a "country of origin" view of a product's trustworthiness and the realities of a global supply chain that, short of something like an OTTF driven process, is unverifiably trustworthy.
I've written a short blog post that you and your readers might find interesting in which I provide an example of this problem and highlight the need for OTTF's work product and process. You can find it here: www.commercebasix.com/wordpress