2011 06 29 Larry Clinton Supply Chain Presentation for the Software Assurance SwA Working Group

  • 7/31/2019 2011 06 29 Larry Clinton Supply Chain Presentation for the Software Assurance SwA Working Group

    1/14

    Larry Clinton, President

    Internet Security [email protected]

    703-907-7028

    202-236-0001

    2/14

    ISA Project Background

    • Started in 2007 with CMU & USCCU
    • 60 entities (NSA, NIST, DOD, DOE, FBI)
    • Published base paper in 2008
    • Published Framework in 2009 (CSPR)
    • Current Phase III: implement the framework
    • 4 workshops in DC and SF: three technical and one legal
    • Expect publication of Guidelines Fall 2011

    3/14

    Focus of Effort

    • Hardware
    • Risk management, appreciating the differences between government and the private sector
    • Economics as important as technology
    • Practical: keep it comprehensible to non-tech people from different parts of industry
    • Include international analysis of legal issues

    4/14

    Domain of Losses

    • Interruption of the supply chain
    • Corruption of the supply chain
    • Discrediting of the process or products
    • Theft of intellectual property

    5/14

    Guidelines Will Cover

    • The design process
    • Production photomasks used in making microelectronic components
    • Manufacture of the microelectronic components
    • Manufacture of the printed circuit boards
    • Pre-assembly of components onto the boards

    6/14

    Guidelines Will Cover (continued)

    • Assembly of the actual products
    • Distribution to end users
    • Maintenance over the usage life, ending with disposal
    • Legal issues to be considered in assuring your supply chain

    7/14

    Legal Requirements

    • Rigorous contracts delineating what is required
    • Locally responsible corporations with a long-term interest in complying
    • We need to be sure local execs and workers are adequately motivated to comply
    • We need adequate provisions for verifying security implementation
    • There needs to be local law enforcement of agreements by both civil and criminal judicial systems

    8/14

    Who Has To Be Legally Accountable

    • Individual employees
    • The family, clan or tribe ... often ignored by Western law even though it is the main vehicle for social accountability in much of the developing world ... where costs are low
    • The corporation
    • Police and civil courts
    • Individuals you need

    9/14

    Individuals

    • A list of who is working ... in advance
    • Documented identities
    • The equivalent of background checks
    • Under surveillance ... preferably video at the production facility

    10/14

    Family and Tribe

    • The ability of a local contractor to meet their legal obligations will often depend on local tribal relationships
    • Contracting with one tribe in an area where a different one dominates can leave the corporation without local support
    • Tribes or clans with true commitment will encourage workers to behave
    • With bad relationships with the tribe, it will be understood that it is permissible to violate written agreements

    11/14

    Corporations

    • Contracts must be written in ways suppliers understand, agree to, and that can actually be enforced
    • Penalties need to be assessed in ways that will not undermine the relationship
    • Procedures for unannounced visits must be clear so they can be carried out
    • Contracts need to spell out strategies to get suppliers to remain responsible for the long term

    12/14

    Police and Civil Courts

    • Some areas have reputations for being good with international business and others do not
    • You need to decide what the minimum legal conditions are that must be in place for your contracts to be enforced
    • Local law enforcement will be essential to stop and discourage crimes such as theft and sabotage ... what are the criteria for the local law enforcement you need to have?

    13/14

    Final Thoughts

    • Is the supply chain still relevant ... or is it the WEB?
    • Key role of economics driving insecurity
    • What is the role of compliance?
    • Do we need to be Anti-American?

    14/14

    Larry Clinton, President

    Internet Security [email protected]

    703-907-7028

    202-236-0001