The term "supply chain" typically evokes a string of parts that are progressively integrated into a final result -- a consumer product -- such as an automobile or computer.
Lately, however, the term has entered the CIO lexicon. IT executives are starting to talk about the “IT supply chain,” meaning the combination of hardware, software, data, and even service providers such as public clouds -- all of which have their own supply chains as well -- that result in today’s sophisticated enterprise IT implementations.
But CIOs are in for a rude awakening about the lack of security in that supply chain, a report warns. In fact, the authors postulate that within three years, an incident in the IT supply chain could end up costing companies millions of dollars.
Counterfeit Goods: Not Just for Accessories
Executives in businesses such as retail, consumer electronics, and manufacturing have always worried about counterfeit goods -- such as fake Dior, Coach, and Louis Vuitton wares -- and supply chain woes. Now CIOs face similar concerns.
“Living in a World Without Trust: When IT’s Supply Chain Integrity and Online Infrastructure Get Pwned,” written by Gartner analysts Neil MacDonald and Ray Valdes, says the increasing number of links, and the plethora of sources in today’s IT supply chain, make it more vulnerable to attack. (The report is one of a series in what Gartner calls “Maverick Research, designed to spark new, unconventional insights.”)
The US defense and military have stopped short of procuring certain IT products because of security concerns, according to Gartner. An Air Force order for iPads to replace pilot flight manuals was put on hold, for example, due to concern over the encryption used in one of the applications, which came from a Russian company.
Such concerns are becoming more of an issue for corporations as well, the authors say.
“The IT supply chain has become more complex, fine-grained, globally distributed and volatile in the sense that rapid change provides the opportunity to introduce compromises,” says the report. It notes that hardware companies are not only outsourcing manufacturing, but also design, to companies in Asia and India, some of which then turn and outsource parts of the work to places like Vietnam and Indonesia.
And it’s not just hardware. Software has a supply chain that includes various sources for components, middleware, virtual machines, and operating systems, Gartner says. There’s even an information supply chain; data from sources like Google Maps and Twitter is increasingly incorporated into apps and the IT ecosystem.
The authors describe more than half a dozen recent examples of IT supply chain problems, ranging from counterfeit routers to a “backdoor” found in the software of a mobile phone, and include specific recommendations for each on how companies can reduce such risks. (See: Psst! Wanna Buy a Counterfeit Router?)
They also include more general recommendations, including:
- Formalizing an IT supply chain risk management program
- Moving intelligence out of hardware and into software, where it is more transparent
- Considering implementing “dis-information” strategies, such as mixing bad information with good to make sensitive data more difficult to discern
After reading the report, CIOs should come away convinced of the need to do more to protect themselves from these growing threats. The report concludes: “IT supply chain integrity issues are real, and will have mainstream enterprise IT impact within the next five years... Enterprise IT departments must begin to make changes today to protect their systems and information in a world where all IT systems are suspect.”
— Tam Harbert is a freelance journalist based in Washington, DC