Roger's Security Blog

As Chief Security Advisor of Microsoft EMEA - lets share interesting security information

Security Risks in the Supply Chain?

Security Risks in the Supply Chain?

  • Comments 3
  • Likes

At the moment I am travelling through the Gulf in order to launch the Security Intelligence Report v5 with local data. During one of the discussions today, a question was raised which I was thinking about quite some while (but – honestly - do not have an answer yet): How do you manage the risks in your supply chain? I am not talking about the risks of a supplier not delivering on time. I am talking about the trustworthiness of your hardware and software vendors. There are different things that happened recently that started to raise this question – let me just pick two of them to illustrate what I mean:

  • Lenovo ships an update with malware: Things like that happened before, this time it is Lenovo’s turn. I once had a discussion with our former Chief Security Officer. She told me that she was asked pretty often what was keeping her up at night. Her answer was a pretty interesting one: “Imagine us shipping a security update to 400 Mio PCs around the world – and we have a virus/backdoor/Trojan in”. Do you manage this risk?
  • FBI and other US government agencies are concerned about counterfeit Cisco routers: This is not only because they want to be legally compliant but who knows what is in these routers and what they record and send when to whom. Do you manage this risk?

I guess if we would think about it in depth, there would be quite some additional areas you would come up with. One of the questions you will definitely put into the comments is: How are we sue Microsoft does not build in some backdoors either? At least here I can give you an answer: We have a shared source program where governments around the world can look at our source code – and they do and governments like Russia certify our products as backdoor free.

But I am more interested to hear whether you manage these risks and how?

Roger

Comments
  • Interesting to hear about Russia certifying Windows is backdoor free.  Can you provide a link to back that up?  When you say "our products" do you mean the zune, Server 2008, xbox, the microsoft mouse?  or have ALL Microsoft branded products been reviewed by 3rd party countries and validated?

  • Hi Mike,

    no, it is not all Microsoft product. Basically if the Russia government certifies the products, it is to give their green light for governmental use, which mainly means: no backdoors. So, from our side there is not too much interest to certify XBox then ;-)

    There is a page showing all the products which are certified. However, the page is in Russian but the product names are in English: http://www.microsoft.com/Rus/Security/Certificate/Default.mspx. It is quite a long list in the meantime

    Roger

  • When you want to manage security risks in the complete supply chain, you have to concentrate on end-to-end information security in addition to managing the security and integrity of the system software and equipment. An operational research system which manages end-to-end information security with optionally group privacy by information-theoretic provable security using true quantum randomness can be found when you visit http://www.swissitpro.ch and search for the keyword "quantum"

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment