Can we out-innovate the adversary and have secure industry supply chains?

Information sharing and intelligence sharing are vital

Public-private partnerships (like the UK’s CiSP, which started out in response to private-sector demand) are a testament to that. But public-private interactions are equally vital: interactions with those in the supply chains which produce those capabilities, without which we wouldn’t have the technology required to collect, disseminate and act on that intelligence.

As the threats constantly evolve – and our adversaries keep innovating to circumvent our security, and exploit vulnerabilities – so must we constantly innovate to keep ahead of those threats. 

The Global Supply Chain

The capabilities which are the result of our innovation entirely depend on a genuinely global supply chain.

Despite that, even in the West, we are not immune to the rhetoric of autocracy and of self-sufficiency in the interest of National Security, whether that be in telecoms infrastructure, in energy, or in commodities. We have seen an example of that recently in the UK with the forced reversal of the Chinese ownership of a chip manufacturer in Wales.

Similar currents are beginning to be noticeable in the software industry. Those conversations often refer to last year’s log4j vulnerability: a vulnerability in open-source software so old that I made use of it back when my day job was software development.

The argument for applying these principles to software development might sound compelling. Until you consider what software-intensive systems are made up of.

Most software, in most systems, is not custom code. Some studies estimate that over 70% of software systems incorporate open-source elements, and that open-source software accounts for getting on for half of the code in those systems.

I think those are wild underestimates.

The job of the software developer is increasingly to compose and integrate components, libraries and APIs developed by others. It isn’t just challenging to imagine that software can be entirely sovereign, written from scratch by security-cleared nationals; it would be literally impossible without consigning our capabilities back to the 1960s.

How might we thoughtfully address this?

Perhaps a mechanism which helps those in the supply chain make quick assessments of the risk of the components they are integrating; initiatives like the Software Bill of Materials (SBOM) might help out here.

The most vibrant open source software projects, on which everything we use is built, are self-policing communities, where the nationality, geography and identity of contributors is often not known.

To implement a policy which required such knowledge in our capabilities would simply condemn us to the dark ages. We would lose our ability to out-innovate the adversary, leaving us vulnerable to systemic threats more significant than those we are trying to defend against.

Not only that, there is an enormous skills shortage in the West. If we are to fill that skills gap, it will require us to widen, not shrink, the pool from which we can seek talent.

So, as we promote collaboration, cooperation and public-private partnerships, let’s ensure we include the most basic of human exchanges: the free trade and commerce on which our supply chains are based, and on which our innovation and our ability to outwit the adversaries depend.

An extract from the talk given at the Cityforum Cyber Security Summit in London on 6th December 2022.