7/31/2019 2011 06 29 Larry Clinton Supply Chain Presentation for the Software Assurance SwA Working Group
Larry Clinton, President
Internet Security Alliance
[email protected]
703-907-7028
202-236-0001
ISA Project Background
Started in 2007 with CMU & USCCU
60 entities (NSA, NIST, DOD, DOE, FBI)
Published base paper in 2008
Published framework in 2009 (CSPR)
Current Phase III to implement framework
4 workshops in DC and SF: three technical and one legal
Expect publication of guidelines Fall 2011
Focus of Effort
Hardware risk management, and appreciate the differences between government and the private sector
Economics as important as technology
Practical: keep it comprehensible to non-tech people from different parts of industry
Include international analysis of legal issues
Domain of Losses
Interruption of the supply chain
Corruption of the supply chain
Discrediting of the process or products
Theft of Intellectual Property
Guidelines Will Cover
The design process
Production of photomasks used in making microelectronic components
Manufacture of the microelectronic components
Manufacture of the printed circuit boards
Pre-assembly of components onto the boards
Guidelines Will Cover
Assembly of the actual products
Distribution to end users
Maintenance of usage life, ending with disposal
Legal issues to be considered in assuring your supply chain
Legal Requirements
Rigorous contracts delineating what is required
Locally responsible corporations with a long-term interest in complying
We need to be sure local execs and workers are adequately motivated to comply
We need adequate provisions for verifying security implementation
There needs to be local law enforcement of agreements by both civil and criminal judicial systems
Who Has To Be Legally Accountable
Individual employees
The family, clan or tribe ... often ignored by western law even though it is the main vehicle for social accountability in much of the developing world ... where costs are low
The corporation
Police and civil courts
Individuals you need
Individuals
A list of who is working ... in advance
Documented identities
The equivalent of background checks
Under surveillance ... preferably video at the production facility
Family and Tribe
The ability of a local contractor to meet their legal obligations will often depend on local tribal relationships
Contracting with one tribe in an area where a different one dominates can leave the corporation without local support
Tribes or clans with true commitment will encourage workers to behave
With bad relationships with the tribe, it will be understood that it's permissible to violate written agreements
Corporations
Contracts must be written in ways suppliers understand, agree to and can actually be enforced
Penalties need to be assessed in ways that will not undermine the relationship
Procedures for unannounced visits must be clear so they can be carried out
Contracts need to spell out strategies to get suppliers to remain responsible for the long term
Police and Civil Courts
Some areas have reputations for being good with international business and others do not
You need to decide what the minimum legal conditions are that must be in place for your contracts to be enforced
Local law enforcement will be essential to stop and discourage crimes such as theft and sabotage ... what are the criteria for local law enforcement you need to have
Final Thoughts
Is the supply chain still relevant: is it the WEB?
Key role of economics driving insecurity
What is the role of compliance
Do we need to be Anti-American?