
Building sovereign resilience into Australian technology supply chains

Jason Van der Schyff, COO of technology company SoftIron, explains how Australia can build sovereign resilience into its critical technology infrastructure.

Jason Van der Schyff
Thu, 28 Oct 2021

Australian supply chains, and the IT “stacks” on which they rely, are increasingly becoming a target for cyberattacks that exploit one link in the chain to gain access to sensitive data, systems and devices. Supply chain attacks are difficult both to detect and to protect against, because a single compromise lets the attacker reach many systems at once.

The recent rise in supply chain attacks began gaining attention in 2020 with the SolarWinds attack, which many consider one of the most damaging attacks in recent times. With SolarWinds having over 300,000 customers, including the US federal government and most of the Fortune 500 companies, the global significance of this attack cannot be overstated.

These attacks have complex motives. A joint statement issued by the Australian Foreign Minister, Minister for Defence and Minister for Home Affairs determined that Russian state actors were involved in the SolarWinds attack and condemned the behaviour.

More recently, in July the Australian Cyber Security Centre (ACSC) confirmed a supply chain attack focused on the meat and food processing company JBS Foods. The attack spread across local firms, but a rapid incident response coordinated with the ACSC saw operational systems restored from backups.

The JBS Foods attack demonstrates how vulnerable global supply chains are and how easily attacks can extend to impact Australian organisations. But while many supply chain attacks have focused on software vulnerabilities, a more pernicious and harder-to-detect attack vector lies in the hardware supply chain for the IT products themselves. It is an issue that does not attract the same attention as software supply chain attacks. The reality is that almost every country today relies on opaque, foreign-manufactured chips and hardware sub-assemblies, most often built in China.

These recent attacks have exposed many of the fragile systems that currently run our world, bringing new attention to whether nations have sovereign resilience built into their critical technology infrastructure. Indeed, in the 2020s, perhaps it is time we revisit what we class as “critical national infrastructure” more broadly.

Working towards sovereign resilience – globally and locally

These dependencies, which have become unavoidable, are starting to raise concerns among global leaders. In a recent talk at the Global Emerging Technology Summit, US Secretary of Commerce Gina Raimondo lamented that zero per cent of leading-edge chips are made in America right now, describing this as a national security risk.

Similar concerns erupted last month after an announcement that Chinese-owned Nexperia was acquiring the Newport Wafer Fab, the largest chip producer in the United Kingdom. Concerns over the sale caused Prime Minister Boris Johnson to order a security review of the deal, signalling that the UK government might block the sale.

In all of this, new trends are emerging that appear poised to take prominence in the effort to secure the IT supply lines of the world. The first is the rise in concern over sovereign resilience, as demonstrated by the examples above. This trend is further underlined by an executive order from President Biden earlier this year that directed a broad review of critical supply chains. The stated goal of the study was to produce a long-term plan to address supply chain problems.

Here in Australia, the government has been moving in this direction for the last few years, launching its Defence Industrial Capability Plan. This plan provides grants to ensure Australia’s defence industry has the “capability, posture, and resilience” to meet Australia’s defence needs over the next decade. Sovereign resilience is becoming a subject of intense focus for government agencies.

Zero trust and edge manufacturing

An emerging security strategy that’s gaining industry acceptance is “zero trust”. The zero trust concept acknowledges that reliance on trust as a foundation for security is a fundamental vulnerability. The popular concept of zero trust is network-based, pertaining to the question of who and what can be trusted within the firewall. It does not, however, apply the same question to the hardware that the network itself runs on.

To tackle this, organisations need to focus on manufacturing issues and sovereign resilience. This is where the concept of “edge manufacturing” comes in: a strategy that combines open-source technologies with local manufacturing to enable a new model for competitive domestic IT manufacturing.

This approach extends zero trust by allowing customers to audit the hardware, software and manufacturing of a product at the component and source-code level before installing it operationally, ultimately protecting against supply chain attacks.

At SoftIron, we’ve recently launched a factory in Sydney, NSW to locally manufacture our open-source, optimised appliances for scale-out data centre facilities. By manufacturing products locally, local customers can deploy a credible and transparent alternative to public clouds that are typically based on imported, opaque hardware.

As supply chain attacks are becoming increasingly common, the bottom line is that sovereign resilience can only be reliably achieved by building on zero trust principles that extend to the hardware level. While the current paradigm has relied heavily on cheaply produced Chinese components and generic designs and sub-assemblies, countries can now establish locally sourced technology supply chains that are both performant and competitive.

In the end, however, remember that it’s not the source that matters, but what is in the box. The goal is always to install clean, effective hardware into your racks – not to boast about where your hardware was made. To get there, trust ultimately needs to be replaced with transparency and auditability.

Jason Van der Schyff is the chief operating officer at SoftIron.
