A Shared Language for Supply Chain Security

Geoff Wilkerson, OTTF Chair & Product Security Engineer, Seagate Technology

If a lion could talk, we wouldn’t be able to understand it.” – Ludwig Wittgenstein, 1953

The above quote from the book Philosophical Investigations is one of my favorites. It’s an evocative thought experiment that tends to resonate with people who work in fields requiring the communication or transmission of complex ideas. What did Ludwig mean by this statement, and how in the world is it relevant to technological security? Both good questions! Let’s take a shot at both.

The short response to the first inquiry is that Wittgenstein was talking about context. Even if a lion were to acquire the ability to utter human language, he theorized that the life of a lion is so alien to ours that we would be unable to parse any meaning from whatever combination of words it may have for us. Think of this in another way. Have you ever overheard a hobbyist or enthusiast discuss their shared passion with another, and find yourself unable to understand what they are talking about, even though the individual words are familiar to you? For myself, I recently listened to two young people going on at length about a particular genre of video game that they both enjoy. Every word was known to me, but I couldn’t tell you what they were talking about in the slightest!

In the world of technology, there are paradigms of language that arise organically and artificially over time. Necessity requires a shared mode of communication for ideas and as a result, descriptors, nouns, and technical designators are created and shared. The problem arises when certain words acquire a surfeit of meaning, so much so that they paradoxically become less meaningful. There are many examples of this but for our purposes, we’re going to look at “Supply Chain Security”.

Those three words used in conjunction with one another can, depending on whom you ask, conjure widely differing meanings. Someone in logistics may imagine a line of optimal transport on a map and the corresponding security measures to protect the integrity of cargo. A professional in corporate security could picture a site location and the necessary physical security practices to secure it, or sectors inside it. A product engineer may envision a series of risks related to logic-bearing components contained within a BOM. An HR manager might immediately think of the risk posed by bad actors, who could be working against the interests of their employers. All of these, and many more, are valid interpretations. So how do we, as responsible product creators, communicate with one another on this topic?

In the last several years, it has become very commonplace for organizations to actively solicit feedback from their vendors regarding security best practices relative to technology products. Customers want to know that the products they purchase have been designed and built with security in mind. This is to be commended. It does, however, create a challenge for manufacturers. With each customer creating their own set of parameters and definitions for what constitutes supply chain security, manufacturers can find themselves spending more and more time and resources simply trying to communicate their security posture. Some inquiries can be high level and qualitative, looking for a security narrative that can be easily understood. Others can be comprehensive and seek very specific technical details. And everything in between!

One solution to this potential inefficiency is the creation and adoption of a common supply chain security language, which provides both the context and the parameters necessary to foster effective and efficient communication. The Open Trusted Technology Provider™ Standard (O-TTPS, also known as ISO/IEC 20243) seeks to fill this role. It is the definitive method for product security attestation, mitigating risks of maliciously tainted and/or counterfeit components at every phase of the product lifecycle. With one set of requirements, we can break through the haze of ineffective and generalized terminology to find a concrete foundation for security collaboration. It is the context that enables creators of technology products to stop talking past one another and engage in meaningful dialog.

At Seagate, the adoption of the O-TTPS as our flagship product lifecycle standard has yielded numerous benefits. The ability to concisely communicate a standard set of tech development and supply chain best practices has greatly aided our efforts toward “de-siloing” security throughout our diverse product development and support processes. This alignment increases transparency, makes accountability easier to establish, and has the added benefit of serving as a sort of instruction manual for our own suppliers. When we began this effort, we weren’t sure what sort of response we’d get when relaying these requirements to our business partners. We’ve been pleasantly surprised by the warm reception. In our experience, most organizations want to do the right thing regarding security—the missing element often seems to be the how. When suppliers learn of the standard’s utility and that it can cover the entirety of the product life cycle, they tend to express strong support for it as a practical method for establishing security norms.

We believe that the O-TTPS has a central role to play in an emerging consensus for product security. There is simply no other standard out there that addresses these particular risks. As the roster of certified organizations grows, it is my hope that the best practices contained within it can form the basis for meaningful exchange and lasting improvements to our security postures.

Geoff Wilkerson is Chair of The Open Group Trusted Technology Forum (OTTF) and a member of the Product Security Office at Seagate Technology, where his primary focus is security compliance and managing product certifications. Geoff’s background is in project management, information security, and supply chain security. A member of the OTTF for several years, Geoff was one of the earliest advocates for Seagate to champion the use of the O-TTPS as a product lifecycle standard. Geoff lives in Oklahoma City with his wife and three children.