The term "supply chain" typically evokes a string of parts that are progressively integrated into a final result -- a consumer product -- such as an automobile or computer.
Lately, however, the term has entered the CIO lexicon. IT executives are starting to talk about the “IT supply chain,” meaning the combination of hardware, software, data, and even service providers such as public clouds -- all of which have their own supply chains as well -- that result in today’s sophisticated enterprise IT implementations.
Counterfeit Goods: Not Just for Accessories
Executives in businesses such as retail, consumer electronics, and manufacturing have always worried about counterfeit goods -- fake Dior, Coach, and Louis Vuitton wares, for example -- and supply chain woes. Now CIOs face similar concerns.
But CIOs are in for a rude awakening about the lack of security in that supply chain, a report warns. In fact, the authors postulate that within three years, an incident in the IT supply chain could end up costing companies millions of dollars.
“Living in a World Without Trust: When IT’s Supply Chain Integrity and Online Infrastructure Get Pwned,” written by Gartner analysts Neil MacDonald and Ray Valdes, says the increasing number of links, and the plethora of sources in today’s IT supply chain, make it more vulnerable to attack. (The report is one of a series in what Gartner calls “Maverick Research, designed to spark new, unconventional insights.”)
The US defense and military have stopped short of procuring certain IT products because of security concerns, according to Gartner. An Air Force order for iPads to replace pilot flight manuals was put on hold, for example, due to concern over the encryption used in one of the applications, which came from a Russian company.
Such concerns are becoming more of an issue for corporations as well, the authors say.
“The IT supply chain has become more complex, fine-grained, globally distributed and volatile in the sense that rapid change provides the opportunity to introduce compromises,” says the report. It notes that hardware companies are outsourcing not only manufacturing but also design to companies in Asia and India, some of which in turn outsource parts of the work to places like Vietnam and Indonesia.
And it’s not just hardware. Software has a supply chain that includes various sources for components, middleware, virtual machines, and operating systems, Gartner says. There’s even an information supply chain; data from sources like Google Maps and Twitter is increasingly incorporated into apps and the IT ecosystem.
The authors describe more than half a dozen recent examples of IT supply chain problems, ranging from counterfeit routers to a “backdoor” found in the software of a mobile phone, and include specific recommendations for each on how companies can reduce such risks. (See: Psst! Wanna Buy a Counterfeit Router?).
They also include more general recommendations, including:
Formalizing an IT supply chain risk management program
Moving intelligence out of hardware and into software, where it is more transparent
Considering implementing “dis-information” strategies, such as mixing bad information with good to make sensitive data more difficult to discern.
After reading the report, CIOs should come away convinced of the need to do more to protect themselves from these growing threats. The report concludes: “IT supply chain integrity issues are real, and will have mainstream enterprise IT impact within the next five years... Enterprise IT departments must begin to make changes today to protect their systems and information in a world where all IT systems are suspect.”
— Tam Harbert is a freelance journalist based in Washington, DC
Why don't we do this, Mike? Was this something that developers used to do and moved away from? If so, was it because of costs? Because they wanted - were told - to shave time off development and this was one way to do that? Because competitors weren't doing it and weren't getting into hot water over it? Something completely different? Not being a programmer, I'm interested in learning whether this is a change in process - or a best practice that was never widely deployed.
=DC: "At least starting a dialog along these lines is a path to somewhere!"
YES!!
It does no good to just look over the wreck. We gotta figure out how to clean it up.
Now if I am making gidgits and I have to incorporate some firmware into my gidgits, then it becomes incumbent upon me to participate in the Zero Defects program.
Since I am not compiling the firmware, my responsibility becomes requiring authentication from my source: a PGP-signed packing list detailing the components in the firmware. I can then check that firmware to be sure I'm installing what I am supposed to install.
As a programmer of firmware for gidgits, it becomes my responsibility to similarly check my O/S and my compiler to be sure I have correct originals, and to re-check before I assemble finals.
Then, when I compile the firmware, I can make out the packing list detailing what my package is composed of, documenting not only the modules I compiled and assembled but also identifying the tools I used.
As you start playing with this thinking you will see that Software Audits are a Critical Need -- and where are they?????
The alternative is to just stand around and watch while this trainwreck piles up worse and worse.
Hackers are off to a good start this year already.
Good question. Ensuring the integrity of software supply chains is a difficult problem because of the increased use of offshore development, the relative ease of cloning software and the ongoing need to keep software patched and updated via trusted mechanisms. Very challenging for CIOs indeed.
Our physical and virtual supply chains are becoming ever more complex these days. It's a concern for national security as well as for protecting business intelligence. There's going to be some smart people out there with bad intentions who will be able to disrupt the system, it seems there is no doubt in that. The question is: are organizations prepared for a bait and switch? At least starting a dialog along these lines is a path to somewhere!
It's all well and good for Gartner to come up with this, even though the problem has been around for years.
Correcting this is another matter.
The answer lies in adopting the Zero Defects policy
and resurrecting the old-fashioned Packing List.
If I send you a program, I should include a Packing List.
The packing list should list every object included in the distribution together with its size, date, and CRC, and the packing list needs to be signed with PGP.
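The signed packing list that two commenters above describe (the firmware maker who demands a PGP-signed component list from the supplier and checks the firmware against it, and the list of every object with its size, date and CRC in the comment just above), as an added, runnable example that is not part of this thread. It is written in Go and uses an Ed25519 detached signature from the standard library in place of PGP, and SHA-256 in place of the CRC, because whoever swaps a file can make a CRC match at will; the date is left out because copying does not preserve it and the digest already binds the content. The firmware tree, file names and the "tools used" string are constructed for the demonstration and are not real firmware.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"os"
	"path/filepath"
	"sort"
)

// Entry is one line of the packing list: what the receiver checks before installing an object.
type Entry struct {
	Name   string
	Size   int64
	SHA256 string
}

// BuildManifest lists every regular file under dir, sorted by path so the list is deterministic.
func BuildManifest(dir string) ([]Entry, error) {
	var list []Entry
	err := filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() {
			return err
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(dir, path)
		list = append(list, Entry{filepath.ToSlash(rel), int64(len(data)), fmt.Sprintf("%x", sha256.Sum256(data))})
		return nil
	})
	sort.Slice(list, func(i, j int) bool { return list[i].Name < list[j].Name })
	return list, err
}

// Serialize is the canonical text the signature covers: one line per object, fixed field order.
func Serialize(list []Entry) []byte {
	var s string
	for _, e := range list {
		s += fmt.Sprintf("%s\t%d\t%s\n", e.Name, e.Size, e.SHA256)
	}
	return []byte(s)
}

// Verify rejects the list outright on a bad signature, then reports modified, missing and unlisted objects.
func Verify(pub ed25519.PublicKey, list []Entry, sig []byte, dir string) []string {
	if !ed25519.Verify(pub, Serialize(list), sig) {
		return []string{"bad signature: packing list is not from the expected signer"}
	}
	onDisk, err := BuildManifest(dir)
	if err != nil {
		return []string{err.Error()}
	}
	seen := map[string]Entry{}
	for _, e := range onDisk {
		seen[e.Name] = e
	}
	var problems []string
	for _, want := range list {
		if have, ok := seen[want.Name]; !ok {
			problems = append(problems, "missing object: "+want.Name)
		} else if have != want {
			problems = append(problems, "modified object: "+want.Name)
		}
		delete(seen, want.Name)
	}
	for name := range seen {
		problems = append(problems, "unlisted object: "+name)
	}
	sort.Strings(problems)
	return problems
}

// Demo stages a constructed firmware tree (not real firmware), signs its packing list, verifies the
// clean tree, then replays two attacks: swapping an image for one of the same size, and re-listing
// the swapped image without the signing key.
func Demo() (clean, swapped, relisted []string) {
	dir, _ := os.MkdirTemp("", "gidgit-fw")
	defer os.RemoveAll(dir)
	for name, body := range map[string]string{"boot/loader.bin": "LOADER-v3.1",
		"app/main.bin": "GOOD", "TOOLS.txt": "gcc 4.8.2, binutils 2.24"} { // tools used, per the comment
		p := filepath.Join(dir, name)
		if os.MkdirAll(filepath.Dir(p), 0o755) != nil || os.WriteFile(p, []byte(body), 0o644) != nil {
			panic("cannot stage demo tree under " + dir)
		}
	}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	list, _ := BuildManifest(dir)
	sig := ed25519.Sign(priv, Serialize(list)) // detached signature shipped beside the list
	clean = Verify(pub, list, sig, dir)
	os.WriteFile(filepath.Join(dir, "app/main.bin"), []byte("EVIL"), 0o644) // same size as GOOD
	swapped = Verify(pub, list, sig, dir)
	forged, _ := BuildManifest(dir) // digests now match the swap, but the signature does not
	relisted = Verify(pub, forged, sig, dir)
	return clean, swapped, relisted
}

func main() {
	fmt.Println(Demo()) // [] [modified object: app/main.bin] [bad signature: ...]
}
```

Two things the demo shows that the comment leaves implicit: a size check alone is useless against a deliberate swap (the replaced image is the same length), and the list is only worth anything because the receiver holds the signer's public key from somewhere other than the shipment itself; an attacker who can rewrite the list can also recompute every digest in it, so the signature, not the checksums, is what the receiver is trusting.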
I agree these could be extended to business also and would make an effective starting point. I think once harm can be inflicted to a great degree the verify then trust motto has to take effect.
Sadly, I have to agree with them on this level. It seems like you can never be too safe, even if you do use all of the standards in security today. Hackers have become far more savvy than most are, as listed, and not actively protecting your company is a ticking time bomb. What should CIOs do to stay on top of the ever-changing security world?
Once again, the decision-making process should be modeled after the one we follow in our personal lives. I live by the following basic procedure:
Without evidence to the contrary, it is best to extend trust to anyone at first meeting
Without proof of reliability and integrity, trust should not be extended to the point where great harm might be incurred if the trusted person turned out to be unethical
These rules serve me well in my personal life. I won't say that I've never been ripped off because I extended trust to the wrong person; however, far more often I have been rewarded with loyal friends when another approach would have produced enemies. In this tradeoff, extending trust created far more opportunities than would have occurred any other way.
Isn't it reasonable to apply the same approach to business?
Due diligence used to mean digging in to make sure a prospective partner was financially viable, didn't it? Nowadays, most companies really want to also ensure their partners are ethical, too. Hopefully, part of that is because they're run and staffed by good people. The other part is that bad news spreads really fast. Think about Citgo and Hugo Chavez; Kathy Lee and her clothing line; Apple and its suppliers in China... there are so many instances where a large vendor comes under attack for partner actions.
Even though cloud is comparatively new, I'd think the same applies here as it always did with any IT partnership: Reputation, strong financials, a history of taking care of customers, partnerships with leading vendors, executive management you trust, and existing satisfied clients.
Trust is critical in business, and being able to do business with ethical companies is critical too. It's a small world and reputation is everything. Companies need more than just to be socially impactful. They need to be a force for change. Most multinationals try this but few companies in IT achieve it. Liferay is one that has - http://www.theregister.co.uk/2013/01/23/open_and_shut/
But how can companies who are choosing strategic relationships with suppliers vet for the real organisation so they don't link up with a wolf in sheep's clothing?
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.