Larry Clinton
President, Internet Security Alliance
lclinton@isalliance.org
703-907-7028 / 202-236-0001
ISA Project Background
• Started in 2007 with CMU & USCCU
• 60 entities (NSA, NIST, DOD, DOE, FBI)
• Published base paper in 2008
• Published Framework in 2009 (CSPR)
• Current Phase III to implement framework
• 4 workshops in DC and SF—three technical and one legal
• Expect publication of Guidelines Fall 2011
Focus of Effort
• Hardware
• Risk management, appreciating the differences between government and the private sector
• Economics as important as technology
• Practical: keep it comprehensible to non-tech people from different parts of industry
• Include international analysis of legal issues
Domain of Losses
• Interruption of the supply chain
• Corruption of the supply chain
• Discrediting of the process or products
• Theft of intellectual property
Guidelines Will Cover
• The design process
• Production photomasks used in making microelectronic components
• Manufacture of the microelectronic components
• Manufacture of the printed circuit boards
• Pre-assembly of components onto the boards
Guidelines Will Cover
• Assembly of the actual products
• Distribution to end users
• Maintenance over the usage life, ending with disposal
• Legal issues to be considered in assuring your supply chain
Legal Requirements
• Rigorous contracts delineating what is required
• Locally responsible corporations with a long-term interest in complying
• We need to be sure local execs and workers are adequately motivated to comply
• We need adequate provisions for verifying security implementation
• There needs to be local law enforcement of agreements by both civil and criminal judicial systems
Who Has To Be Legally Accountable
• Individual employees
• The family, clan or tribe: often ignored by Western law even though it is the main vehicle for social accountability in much of the developing world, where costs are low
• The corporation
• Police and civil courts
• Individuals you need
Individuals
• A list of who is working, in advance
• Documented identities
• The equivalent of background checks
• Under surveillance, preferably video at the production facility
Family and Tribe
• The ability of a local contractor to meet their legal obligations will often depend on local tribal relationships
• Contracting with one tribe in an area where a different one dominates can leave the corporation without local support
• Tribes or clans with true commitment will encourage workers to behave
• With bad relationships with the tribe, it will be understood that it is permissible to violate written agreements
Corporations
• Contracts must be written in ways suppliers understand, agree to, and that can actually be enforced
• Penalties need to be assessed in ways that will not undermine the relationship
• Procedures for unannounced visits must be clear so they can be carried out
• Contracts need to spell out strategies to get suppliers to remain responsible for the long term
Police and Civil Courts
• Some areas have reputations for being good with international business and others do not
• You need to decide what minimum legal conditions must be in place for your contracts to be enforced
• Local law enforcement will be essential to stop and discourage crimes such as theft and sabotage: what are the criteria for the local law enforcement you need to have?
Final Thoughts
• Is the supply "chain" still relevant, or is it the WEB?
• Key role of economics driving insecurity
• What is the role of "compliance"?
• Do we need to be Anti-American?