Concern about the possibility of malicious back doors ending up in commercial high-tech products is prompting the US Department of Defense (DoD) to push industry to establish a way to vet and identify what's being called a trusted global supply chain.
This trusted supply-chain effort is being picked up by the Open Group, the consortium known for furthering open standards and e-commerce security initiatives. Today the Open Group announced the formation of what it's calling the "Trusted Technology Forum" to foster manufacturing best-practices guidelines to reduce supply-chain risk. According to the forum's members, which include IBM, HP, Microsoft and several others along with the DoD, the future work around the idea may lead to a trusted supply-chain accreditation process for manufacturers and suppliers.
"Part of buying commercial products is accepting you have a global supply chain," says Dave Lounsbury, CTO at the Open Group, which plans to soon issue a so-called "framework" of best practices for manufacturing as a first step. Over time, the Trusted Technology Forum, which is in discussions not just with US authorities but with those in the European Commission and China, anticipates it may be possible to set up an international accreditation process for trusted suppliers globally.
"This was started by the Defense Department," says Andras Szakal, IBM distinguished engineer and board member of the Open Group, about the idea of finding a way to formally and openly identify a trusted supply chain for all the software and hardware components that go into any particular high-tech product.
Founding members of the Trusted Technology Forum include: Boeing, Carnegie-Mellon SEI, CA Technologies, Cisco, HP, IBM, Kingdee International Software Group Company (said to be the Chinese government's official provider), Microsoft, Mitre, NASA, Oracle and the DoD.
The DoD has long had concerns about the possibility of malware and back-door trojans in high-tech goods, and those worries were voiced during the National Cybersecurity Initiative that began back in the Bush Administration, says Szakal. He says the idea behind the Open Group's commitment announced today is to establish shared processes for "secure engineering and supply-chain integrity" that would mitigate any possible "supply-chain attack."
The DoD is said to be providing an undisclosed amount of funding to foster this idea of a supply-chain vetting process that might one day positively impact the procurement process. Like the international Common Criteria product-evaluation process for security in software applications — which Open Group members point to as a basis for looking at the issue — the goal is to organise an accreditation process that would be recognised internationally and used as a foundation for acquisitions.
"Think of it as a preferred list of trusted providers," says John Brickman, CA Technologies director of program management, about what a supply-chain accreditation process might one day bring.
However, like the establishment of the international Common Criteria product-evaluation program, it could take several years to actually come about; the Open Group membership acknowledges there's no certain timeframe for accomplishing its most ambitious goals.