Organisations work in chains and are largely dependent on suppliers. Digitalisation is complicating insight into these chains and making them less transparent. Just having one's own security in order is no longer enough: if one weak link in the supply chain fails, the entire chain can collapse. Both the government and the entire business community have an interest in ensuring that the chain is digitally secure. By now, supply chain security and chain dependencies have become an integral part of cyber risk analyses, reports and threat assessments. Nevertheless, it appears that there are still many unanswered questions on this subject.
From the hardware level to the people aspect in the supply chain: where does the chain end, and to what extent does the demand party's mandate extend in order to have insight into and a say in this? Could something like this work within Dutch and/or European frameworks? To what extent is this included in contracts? What about insurance? Is monitoring continuous? Certification and regulation are seen by some as a solution, while others claim that they bring false security and are unfeasible in many situations. In addition, there is a great deal of reluctance about sharing information within the chain. Companies are afraid of reputational damage due to media attention, among other things. But there are various companies that claim to have solutions for this. HSD Office wants to bring these parties together in order to promote cooperation and to better secure the chain.
Martin Vliem of Microsoft: "There are many methods for testing reliability, but it is quite complex. There's a forest of certifications, legal constructions, legislation and regulations. Large companies still have the knowledge and manpower to find out, but it's not easy for SMEs. The better based on broad consensus means more effectiveness and simpler means more cost-efficient. It is therefore important that we work together to achieve greater consensus on the methods and make them simpler, clearer and more accessible."
Although supply chain security has become a comprehensive and much-discussed topic over the past year, it has also become a catch-all term. As a result, the view of possible collaborations, institutions and solutions has become less clear. Furthermore, HSD partners see little demand for insight into the chain from SMEs. Koen Gijsbers mentions in his report on a Digital and Secure South-Holland that larger companies and the government may be able to play a major role in financing initiatives, since they also benefit from a secure digital chain. HSD can add value by using its mediating and driving role. In this way, HSD can connect the demand of both its public and private partners to arrive at innovative security solutions together.
Role HSD Office
Especially on this theme, on which there are already so many separate initiatives, it is important not to reinvent the wheel. HSD Office is therefore working closely with TNO, the NCSC and the Digital Trust Centre (DTC). The focus is mainly on agenda setting in current initiatives (e.g. Greenport and ‘Cybermetrieken in de Zorg’) and in local, regional and national politics, the formation of concepts, insights into methods for supply chain ICT risk management, identifying various issues among (SME) stakeholders and explaining different perspectives on looking at 'digital' chains.
Because the topic forms a core part of a wide array of cybersecurity issues and touches different sectors, starting in 2021 Supply Chain will no longer be a single project but rather a subject ingrained in all other projects.