Cybercheck: Beware of supply chain risks

To ensure a secure, digital functioning Dutch society, it is crucial that organizations are aware of risks within their supply chain. This applies especially for public and private organizations that have so-called Protectable Interests (Te Beschermen Belangen  in Dutch) with regard to National Security (hereinafter abbreviated to PI-NS, the acronym is ‘TBB-NV’ in Dutch). 

A guide for mapping and controlling supply chain risks for products and services from countries with an ofensive cyber programme
Image: ©AIVD / AIVD

To assist these organizations, the General Intelligence and Security Service (AIVD), Chief Information Office Rijk (CIO Rijk), National Cyber Security Center NCSC and National Coordinator for Counterterrorism and Security (NCTV) have developed the Cybercheck: a guide that helps to identify potential supply chain risks resulting from the use of products and services originating from countries with an offensive cyber programme.

An app on a smartphone, the use of surveillance cameras, or routers and switches; in recent years, increasing awareness has been given to the risks presented by products and services from countries with an offensive cyber program targeting Dutch interests. Certain countries can, through their legislation, oblige companies and citizens to cooperate, for instance, by forcing them to incorporate ‘digital backdoors’ in their products or services. These backdoors could grant these countries unauthorized access to (parts of) the technical infrastructure of an organization using these  products or services. For example, if this  results in an incident in organizations that support vital processes, it could not only impact the organization, but also, possibly, the national security of the Netherlands.

Recommendations

Identifying and managing supply chain risks is essential for the secure, digital functioning of both organizations and Dutch society. The Cybercheck provides tools to help assess whether the use of a specific product or service from a country with an offensive cyber program might lead to an increased security risk. If that’s the case, the advice is to conduct an additional risk analysis. The Cybercheck also offers guidelines for how to conduct this analysis. Using the results of this supplementary risk analysis, organizations are able to  better investigate heightened security risks originating from the use of a product or service.

Own Responsibility

The Cybercheck is a tool; the guide makes no representations about whether the products and services should or should not be used by organizations. The management of an organization is ultimately responsible for making decisions about the utilization of products and services from countries with an offensive cyber programme.