Govt releases guidelines to secure critical tech supply chains

Tech Supply Chain Principles

The Department of Home Affairs (DHA) has formalised a series of regulatory principles aimed at helping businesses and governments alike to secure supply chains for critical technologies such as Artificial Intelligence (AI) and quantum computing.

The final, non-binding Critical Technology Supply Chain Principles were outlined in a report released on Monday, following a period of industry consultation and co-design. This follows an earlier release of draft principles in October 2020.

“Critical technologies” are defined by the DHA as “current or emerging technologies with the capacity to significantly enhance or pose a risk to our national interest”, and cover both digital and non-digital (for example, synthetic biology) technologies.

The 10 newly released principles are intended to help businesses eliminate unknown risks when developing critical technologies and make better decisions about key suppliers, thereby, it is hoped, strengthening business resilience.

Acknowledging Australia’s role as a “world leader” in advanced manufacturing, the DHA affirmed that Australian industries are “keen to invest in emerging technologies”.

The report recognises, however, that “overseas markets supply many of our technological requirements and Australia imports many technologies and components that we are not best placed to produce locally”.

“To facilitate increased investment and resilience, we need to ensure enduring access to a diverse, secure and trustworthy supply of critical technologies.”

The DHA’s principles align to guidance from the Australian Signals Directorate’s Australian Cyber Security Centre and are grouped under three pillars: security-by-design, transparency, and autonomy and integrity.

Agreed principles under the security-by-design pillar include that organisations understand what needs to be protected, as well as the risks posed to their supply chains, and ensure that appropriate measures are taken to build security considerations into in-house processes.

DHA explained that when security-by-design is practised in service development, “customers do not need to have expert knowledge” and “are not unfairly transferred risk that they are not best placed to manage”.

Under the transparency pillar, meanwhile, agreed principles include understanding suppliers’ security safeguards, and communicating minimum transparency requirements to suppliers, in line with existing international benchmarks.

Finally, under the autonomy pillar, agreed principles include understanding the influence of foreign state actors (if any) on suppliers, building strategic partnerships with key suppliers, as well as considering the ethical conduct of suppliers, in line with international legal standards.

To encourage businesses to adopt these principles, Home Affairs underscored in its report the key benefits of doing so: greater uptake of new critical technologies, rising consumer confidence, and improved supplier relationships.

As a first step, DHA encouraged businesses to implement these principles in-house, as well as with their direct suppliers, and to maintain an “expectation that those suppliers are doing the same.”

“The Australian Government will lead by example and use the principles in its own decision-making practices,” Home Affairs Minister Karen Andrews said.

For her, secure supply chains are part of Australia’s “long-term access” to secure cutting-edge critical technologies.

“Adhering to these Principles will help businesses of all sizes ensure their decisions about critical technology supply chains align with Australian values,” Andrews added.

The principles are intended to complement other reforms around “systems of national significance”, including the Security Legislation Amendment (Critical Infrastructure) Bill 2020, which has just been brought before the Senate.

The bill proposes reforms to the Security of Critical Infrastructure (SOCI) Act 2018, mandating that critical infrastructure providers (across 11 designated sectors) enhance security and resilience through a host of risk mitigation, due diligence, and governance obligations.

Elsewhere, the United Kingdom and New Zealand have similarly released supply chain security principles, providing high-level advice for market participants; the United States, meanwhile, has had a supply chain security strategy in place since 2012 but has yet to provide business-specific advice.