The Department of Home Affairs has released 'Critical Technology Supply Chain Principles', claimed to
help governments and businesses to decide about suppliers and the transparency of their own products.
We have grouped the ten Principles under the three pillars of security-by-design, transparency, and autonomy and integrity.
Agreed pillar: Security-by-design
Security should be a core component of critical technologies. Organisations should ensure they are making decisions that build-in security from the ground up.
Agreed Principles
1. Understand what needs to be protected, why it needs to be protected, and how it can be protected.
2. Understand the different security risks posed by your supply chain.
3. Build security considerations into all organisational processes, including into contracting processes, that are proportionate to the level of risk (and encourage suppliers to do the same).
4. Raise awareness of and promote security within your supply chain.
Agreed pillar: Transparency
Transparency of technology supply chains is critical, both from a business perspective and a national security perspective.
Agreed Principles
5. Know who critical suppliers are and build an understanding of their security measures.
6. Set and communicate minimum transparency requirements consistent with existing standards and international benchmarks for your suppliers and encourage continuous improvement.
7. Encourage suppliers to understand and be transparent in the depth of their supply chains, and be able to provide this information to customers.
Agreed Pillar: Autonomy and integrity
Knowing that your suppliers demonstrate integrity and are acting autonomously is fundamental to securing your supply chain.
Agreed Principles
8. Seek and consider the available advice and guidance on influence of foreign governments on suppliers and seek to ensure they operate with appropriate levels of autonomy.
9. Consider if suppliers operate ethically, with integrity, and consistently with international law and human rights.
10. Build strategic partnering relationships with critical suppliers.
Home Affairs states
These Principles are voluntary for industry. The Australian Government will use them in its own decision making practices. They should help organisations – including governments and businesses of all sizes – securely adopt, develop and benefit from critical technologies.
Knowing the risks and asking the right questions are the first steps in creating trusted and secure technology supply chains.
We developed the Principles through a co-design process with industry. There was a consultation period for feedback from non-government organisations, state and territory governments, and the community.
The Principles also complement the Protecting Critical Infrastructure and Systems of National Significance reforms. They align with the Cyber Supply Chain Guidance provided by the Australian Cyber Security Centre. Together, these measures help protect critical goods and services that Australia relies on.
The feedback noted above includes
Overall, feedback was supportive of the Principles through the consultation process. Industry feedback agreed that critical technology supply chain security is increasingly important to ensure Australia’s future economic prosperity and national security. Responses flagged that government and industry partnerships are key in ensuring that industry has the full threat picture.
We heard that most businesses are aware of the risks to their critical technology supply chains, however they require clear definitions from Government on what constitutes a critical technology, and what should be prioritised. There was also discussion around whether the Principles, which are currently voluntary, should be mandatory or not. Some businesses supported mandatory Principles, through the establishment of clear standards and regulatory frameworks with Government support6. We heard that mandating the Principles could be considered at their 12 month review.
We also heard that making the Principles mandatory could erode their usefulness to industry and limit flexibility. If the Principles were to become mandatory, there should be evidence to support their measurements of success and a framework to report compliance. There was strong support for Government to implement the Principles first, and provide case studies to industry outlining the costs, benefits and risks. We will continue this conversation with industry partners through the evaluation and implementation process for the Principles.
It was repeated throughout the consultation process that Government could provide more in-depth guidance under each principle to support their implementation. Industry partners advised that Government could provide pragmatic questions entities can ask of themselves and their suppliers as they work toward supply chain resilience. Feedback highlighted that best practice guides could support adaptation of the Principles. Responses highlighted that awareness raising and education on supply chain security is required. Additionally, it was noted that successful case studies and evidence of the Principles effectiveness would empower industry uptake.
There was feedback from multiple respondents that the Principles coincide with the objectives of existing standards – specifically the Australian Signal Directorate’s Information Security Manual and Department of Home Affairs’ Telecommunications Sector Security Reforms. We also heard that it is important that the Principles recognise the other various initiatives in place or underway to ensure any crossover is considered.
We heard the feedback that the Principles have the ability to shape decisions of companies of all sizes. The Principles can provide a baseline for companies that are scaling and might require initial guidance on supply chain management. They may also be of use to entities across the public or private sector who wish to assess their supply chain resilience and security posture.
Through submissions and discussion with industry participants, implementation considerations were also raised. This included the suggestion that to encourage compliance there could be reporting requirements for organisations and major products, similar to reporting requirements in modern slavery reporting.
This could involve organisations confirming that they had considered the principles in their operations. Government could consider mechanisms to be able to measure progress by businesses and Government entities. This could be done through voluntary, targeted surveys, via a self-reporting framework or other data gathering mechanisms that do not significantly add to administration costs. Additionally, respondents noted that the cheapest option is not always best when it comes to security. Costs are difficult to estimate, however from a risk management perspective, the costs of not addressing supply chain risks are far greater. Government should ideally enable sensible financial decisions by empowering staff to consider, with prudent weight scales, other values alongside lowest cost models. Implementing mandatory principles would likely impose administrative costs, but costs could likely be offset by the benefit of a more security-ordinated culture outside of Government and a greater focus on supply chain resilience.
Finally, it was clear that Government and industry must collaborate to ensure that the security of critical technology supply chains is well-informed, robust and continually adapting. The evolving pace of innovation at the national level, and international level, is underpinned by the competitive element nature of the market and requires cooperation to ensure the Principles can be actively applied