Supply Chain Security and Mutual Trust Research Minitrack

In January 2012, President Obama released the National Strategy for Global Supply Chain Security. International trade has been and continues to be a powerful engine of the United States and global economic growth. The many cybersecurity challenges facing the U.S. include one of which many Americans are unaware – the serious threat posed by vulnerabilities in the cyber supply chain. Of the many components – including hardware, firmware, and software – that compose a technological product, most contain elements stemming from a broad global market, making it difficult to ascertain the complete security of an end product. With the market for technological goods and components continuing to rapidly grow every year, and with everything from missiles to smartphones relying on these information products, the need for mutual trust cyber supply chain security has never been more critical.

Enhancing the security of any national interests’ technological supply chain must not destroy the well- functioning international market for technology. Instead of the two extremes of “intrusive government mandates” or “do nothing,” the U.S. government is promoting development of private-sector systems for securing and accrediting technology companies that would allow customers – from the federal government to small businesses – to make more informed and risk- based decisions.

Organizations of all types (business, academia, government, etc.) are facing risks resulting from their ever- increasing reliance on the information infrastructure. Decision and policy makers managing these risks are challenged by a lack of information intelligence concerning the risks and consequences of cyber events (e.g., Sarbanes-Oxley Act, HIPAA, and Gramm-Leach-Bliley ACT). They need to understand the implications of cyber security risks and solutions related to their information infrastructure and business. Risk management investment decisions, within the context of mutual trust among supply chains should involve: (i) a comprehensive approach to cyber security risk management, (ii) credible appropriate data needed to support intelligent decisions, and (iii) assessment of the impacts resulting from the various investment alternatives. Sound, rational IT/business decisions require a comprehensive understanding of the dynamics of information intelligence and the likely effects of cyber security investment choices.

As our dependence on the cyber infrastructure and their associated supply chains grow ever larger, more complex, and more distributed, the systems that compose them become more prone to failures and/or exploitation. Trusted Supply Chains values currency and relevance over detail and accuracy. Information explosion describes the pervasive abundance of (public/private) information and the effects of such. Gathering, analyzing, and making use of information constitutes a business- / sociopolitical- / military-intelligence gathering activity and ultimately poses significant advantages and liabilities to the survivability of "our" society. The combination of increased vulnerability, increased stakes and increased threats make supply chains and their associated processes one of the most important emerging challenges in the evolution of modern cyberspace "mechanization." The goal of this minitrack is to challenge, establish and debate a far-reaching agenda that broadly and comprehensively outlines a strategy for mutual trust, cyber security, efficiency, and resilience of our vital global supply chain infrastructure research that is founded on sound principles and technologies.

Minitrack topics include, but are not limited to:

• Promote the secure and efficient movement of goods by o resolving threats early, improving verification and detection capabilities, and enhancing security of infrastructure and conveyances in order to protect the supply chain, and maximizing the flow of legitimate trade.
• Foster a resilient supply chain by mitigating systemic vulnerability of supply chains and promoting trade resumption policies and practices.
• How can stakeholders provide assurance that my product is safe without revealing intellectual property (e.g., source code)?
• Is there a formal certification process and authority that can certify certain security properties exist in the product?
• What would constitute a trusted third party (TTP) certification body (e.g., charter, COI, goals, membership, participants, industry)?
• What would be the focus and benefits of the TTP (incentives, methods, technologies) and key outcomes (especially sponsors)?
• How would the TTP get industry buy-in and be distinguished from other (e.g., TCB, OWASP, etc.) existing bodies?
• Better precision in understanding existing and emerging vulnerabilities and threats.
• Advances in insider threat detection, deterrence, mitigation and elimination.
• Assuring security, survivability and dependability of our critical infrastructures.
• Assuring the availability of time-critical scalable secure systems, information provenance and security with privacy.
• Observable/ measurable/ certifiable security claims, rather than hypothesized causes.
• Methods that enable us to specify security requirements, formulate security claims, and certify security properties.
• Assurance against known and unknown (though perhaps pre-modeled) threats.
• Mission fulfillment, whether or not security violations have taken place (rather than chasing all violations indiscriminately).

Minitrack Co-Chairs:

Frederick T. Sheldon (Primary Contact)
University of Idaho
Email: sheldon@idaho.edu

Robert K. Abercrombie
University of Memphis
Email: abercrombier@ieee.org

Xiaohui Cui
Wuhan University
Email: cuixhui@gmail.com