Recommendations to Improve the Resilience of Canada’s Digital Supply Chain

Daemon Behr

This is a summary of the document published by the Supply Chain Assurance Working Group (SCAWG), from the Canadian Forum for Digital Infrastructure Resilience (CFDIR).

In June of 2022, version 0.1 of the document “Recommendations to Improve the Resilience of Canada’s Digital Supply Chain” was published here. This was created in response to the compromise of the network management and monitoring provider Solarwinds in 2019/20. NIST has also published a similar document called “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations”, which is available here.

If you want to get a background on what actually happened in the Solarwinds breach in detail see this reference article.

In short, tens of thousands of high security organizations (such as government, industry and defence) were breached at a fundamental level, such that the true impact will never be known.

This article has some key take-aways that all organizations should seriously consider.

  • Adopt a Zero-Trust Architecture Model (ZTA)
  • Understand the “recipe” of your IT environment, including assets, software (including sub-components such as open-source software), suppliers, partners and their security posture
  • Understand your attack surfaces and where you are at risk
  • Implement a strategy for improvement of security posture that is based on principles, not just checklists.

The document by the CFDIR SCAWG, has some good material in its findings and recommendations. But first let’s look at what the Canadian Government is doing from a governance perspective.

A. “Shared Services Canada (SSC), in coordination with the Communications Security Establishment (CSE), operates the Supply Chain Integrity (SCI) process, to “ensure that no untrusted equipment, software or services are procured by SSC and are used in the delivery and support of GC services.”

What this means is that bidders to technology procurements in four areas (email, data centres, networks, and workplace technology devices), provide product lists, network diagrams, and subcontractor lists for assessment of potential risks to national security. Once a contract bidder has been approved through this process, nothing can change from a technology standpoint. This includes software versioning which may require reassessment to be validated.

B. “Public Services and Procurement Canada (PSPC) contracts require contracting clauses for telecommunications equipment and services, especially managed telecommunications service, designed to protect the integrity, availability and confidentiality of Canada’s data and communications by applying security acknowledgements and assurances in these contracts to prevent or to mitigate supply chain risks.”

This means that any managed telecom / data transit companies providing services need to be as strict in their supply chain vetting process as the government itself.

C. “The Canadian Centre for Cyber Security (CCCS) regularly
issues guidance and threat alerts related to supply chain incidents, and regularly highlights risks to supply chain exploitation in its National Cyber Threat Assessments.”

The government has a cyber security guidance site that has a comprehensive list of recommendations organized by who should look at them. CIOs, management, practitioners. There is also a list of current bulletins. It is a very useful site. Check it out here.

D. “Overall, these activities would benefit from the development of
a unified, government-wide strategy and action plan dedicated specifically to mitigating digital supply chain risks. Such a strategy would align and focus current efforts, identify new collaboration opportunities, recommend new resources or policies if needed, and engage whole-of-nation stakeholders, including Provincial, Territorial, Municipal (PTM) governments, small/medium businesses, and critical infrastructure entities.

So far, this messaging has been about securing the supply chain of government and suppliers . However I see this as a first step to a larger initiative that extends to critical infrastructure, enterprises, and the SMB / commercial sector. Whether this becomes mandated policy is yet to be seen. A close eye should be kept on this and what it means for businesses, especially with the introduction of bill C-26 (An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts).

KEY FINDINGS AND RECOMMENDATIONS

1. The Government of Canada should develop a coordinated vision, strategy, and action plan for Canada’s digital supply chain risk management activities, including opportunities for enhanced collaboration across federal agencies and engagement with non-governmental stakeholders and guidance to non-government stakeholders on the key activities and points of contact for relevant government agencies.

2. Shared Services Canada (SSC), recognizing the global
trend toward this new architecture model, is refreshing its network and security strategy and adopting zero trust architecture (ZTA) concepts. SSC’s network security strategy utilizes zero trust concepts to move away from the old perimeter-based security toward a new design of
protecting resources – data, software and hardware assets and applications – by verifying each request to access the resource without relying on implicit trust (e.g., inside the network perimeter).

3. It is imperative for each supplier involved in a supply chain to adopt, manage and apply proven and widely accepted guidelines or standards for secure development lifecycle (SDLC) management.

4. Software Assurance and Supply Chain Transparency. Software transparency in particular is a key lesson learned from the Log4Shell vulnerability, which has fostered renewed calls for Software Bill of Materials (SBOM) efforts. SBOMs aim to increase software assurance by defining and utilizing a standardized “ingredients list” identifying
the provenance of code in each software build.

5. Protection of Platforms and Products. Applying a risk-based approach, an organization should identify its critical products, ensure that they are securely designed and built, and test them before installation, and monitor their security posture within the platform in which they are connected.

6. Principles-Based Assurance Policies. The principles-based method is meant to provide a flexible guide within a defined security framework that can be more easily adapted to varying and innovative technology products and applications, and remain consistent over longer periods of time because it focuses on objectives and outcomes and the adequate demonstration of achieving the principles.

7. Cybersecurity Supply Chain Information Sharing. Exchanging supply chain risk information, vulnerability and threat information, and defensive measures among a sharing community of interest is imperative to prepare and protect organizations from novel and sophisticated cyber attacks, including supply chain risks.

KEY TECHNOLOGY CAPABILITIES FOR SUPPLY CHAIN ASSURANCE

  • AI/ML: Integrating Endpoint Detection and Response and Security Orchestration and Automation Technologies
  • Internet-accessible asset scanning technologies
  • Code scanning, testing and security verification technologies
  • Hardware root of trust

KEY PRACTICES FOR SUPPLY CHAIN SECURITY AND INTEGRITY: RECOMMENDATIONS FOR INDUSTRY AND GOVERNMENT

  • Establish and implement an ICT SCRM ( Information and Communications Technology Supply Chain Risk Management) Program with other programs across your organization.
  • Understand your organizations supply chain
  • Establish and manage relationships with suppliers/vendors and clients/customers
  • Continually monitor security posture of critical supply chain products/components