The Australian government has released a set of regulatory guidelines aimed at assisting businesses in securing vital technology supply chains such as artificial intelligence and quantum computing. The ‘Critical Technology Supply Chain Guidelines,’ issued by the Department of Home Affairs, come one year after the government originally recommended a set of standards.
The ten principles can be used when making supplier and product selections, reducing potential threats when developing critical technologies, and building business resilience. AI and quantum computing, examples of critical technologies, are described as current and upcoming technologies with the potential to dramatically enhance or pose a risk to Australia’s national interests.
The principles, which have been slightly modified to accommodate industry feedback, are organised into three pillars: security-by-design, transparency, and autonomy and integrity. Understanding what must be secured and how this may be done, as well as incorporating security considerations into all organisational operations, are all agreed-upon security-by-design concepts.
Adopting such standards, according to the Department of Home Affairs, would guarantee “customers do not need specialist expertise and are not unfairly allocated risk that they are not best situated to manage.” Setting and conveying baseline transparency requirements, as well as determining whether suppliers behave ethically, are other agreed-upon concepts under the transparency and autonomy pillars.
Home Affairs has recommended that organisations apply the principles to their own operations and their direct suppliers as a first step, and “carry forward the expectation that those suppliers are doing the same”. “By choosing to apply the principles, governments and businesses will be able to better adopt new critical technologies, buy or use products and services with greater confidence, and securely realise their full benefits,” it said. Improved supplier relationships, clearer expectations for suppliers, increased consumer confidence that results in a competitive advantage, and enhanced resilience in times of crisis are all potential benefits.
Home Affairs Minister Karen Andrews said the federal government would “lead by example and use the principles in its own decision-making practices”.
The principles are intended to work alongside the cut-down version of the government’s Security Legislation Amendment (Critical Infrastructure) Bill currently before the senate. The Bill aims to give the Australian Signals Directorate new cyber security incident response takeover powers, which is unpopular with tech companies.
The Principles:
- Understand what needs to be protected, why it needs to be protected and how it can be protected.
- Understand the different security risks posed by your supply chain.
- Build security considerations into all organisational processes, including into contracting processes, that are proportionate to the level of risk (and encourage suppliers to do the same).
- Raise awareness of and promote security within your supply chain.
- Know who critical suppliers are and build an understanding of their security measures.
- Set and communicate minimum transparency requirements consistent with existing standards and international benchmarks for your suppliers and encourage continuous improvement.
- Encourage suppliers to understand and be transparent in the depth of their supply chains and be able to provide this information to customers.
- Seek and consider the available advice and guidance on influence of foreign governments on suppliers and seek to ensure they operate with appropriate levels of autonomy.
- Consider if suppliers operate ethically, with integrity, and consistently with international law and human rights.
- Build strategic partnering relationships with critical suppliers.
To read more about the Critical Technology Supply Chain Principles, follow the link to the Australian Government site – https://www.homeaffairs.gov.au/cyber-security-subsite/files/critical-technology-supply-chain-principles.pdf
