Supply chain integrity (SCI) in the ICT industry is receiving attention from both the public and private sectors (i.e. vendors, infrastructure owners, operators, etc.) as part of a wider review of supply chain control, and the increased demand for security is vital for both the economy and society.
Understanding supply chains is a critical factor in business success and thus in the economy of nation states. Integrity is the element of managing the supply chain that this report focusses on, with a view to providing guidance to EU member states. This paper identifies what supply chain and integrity mean in the ICT context.
Safe products, systems and components - from the start till the end?
Supply chains have become increasingly global in recent years and have become longer, both geographically and in the number of supply elements. This is consistent with the globalisation of markets and the move away from a major industry and its suppliers being located geographically close to each other. Telecommunications operators and equipment manufacturers increasingly rely on globally sourced components. For niche markets, a single supplier may support the entire industry (e.g. Microsoft supplying operating systems to 83% of the PC market), with distribution channels serving the dependent markets. A characteristic of the ICT market is the ability to distribute software, firmware and chip designs in “soft formats”; this gives ICT supply chain analysis a different perspective from the analysis of other forms of raw material, logistic distribution networks, and staff.
Structure of supply chains
A supply chain is not really a chain in which each link joins two suppliers together in a single path from the start till the end of the chain. If it were, the loss of a single link would be visible and the impact instant: the chain breaks. In practice, supply chains are more like a fishbone structure.
ICT supply chain integrity is consequently relevant for both hardware (PCs, USB, etc.) and software products, as well as services (system of apparatus, appliances, employees, etc.). Product-oriented supply chains can consist of software and hardware design, testing, production, delivery, repair, support, and maintenance, as well as the organizations, people, and processes engaged in their operations. Supply chains related to telecommunications services include network design, testing, installation, and network management.
The increased demand for security - supply chain integrity
This report starts from the assertion that governments, corporations, organizations, and consumers are increasingly reliant on ICT products and services to protect society and the economy. As a result of this reliance, security threats to ICT supply chains have attracted more attention, including the threat of intentional tampering during development, distribution or operations, the threat of substitution with counterfeit (including cloned or overproduced) components before or during delivery, and attacks against the economy through the supply chain.
Recommendations
The present report identifies the nature of these threats and examines the strategies used to counter them. Finally, the report recommends that supply chain actors follow a core set of good practices to provide a common basis to assess and manage ICT supply chain risk. Moreover, the report recognises that governments must work in collaboration with private industry to build international assessment frameworks.