The Department of Defence is planning to build a proof-of-concept that will allow it to track the provenance of IT products using blockchain technology.
The department’s chief information office group expects to kick off the “discovery project” next month in a bid to secure its supplier ecosystem and reduce unforeseen security risks.
The three-month project will test if distributed ledger technology can “operationalise” a supply chain risk management (SCRM) framework and address two case studies.
A SCRM framework is essentially a register that uses metrics to score certain risks, allowing an organisation to determine the impact if that risk was to materialise and their preparedness.
One of the two case studies will test whether blockchain can be used to ascertain the provenance of IT products, while the other looks at volatile liquids like petroleum and oil.
A Defence document published last year indicates that the majority of the department’s procurements are currently from “untrusted suppliers and supply chains”.
It also states that the department places a lack of focus on the full “capability life cycle”, including not only the initial procurement perspective, but sustainment and disposal.
“Defence is not actively monitoring supply chain security risks/threats," the document states, adding that this leads to the “unknown provenance of products and services being used”.
In one instance, a laptop bought from a store was used on the Defence Protected Network, only to be found to contain a backdoor flaw introduced during manufacturing weeks later.
Defence puts the cost of remediating a compromise to its network at between $4 million and $5 million, though suggests this could be much higher depending on the extent of the breach.
The department would not comment directly on the particulars of the two blockchain proof of concepts or whether a SCRM framework had been developed.
Last year, initial operating capacity for a “commodity ICT SCRM” was slated for the 2020-21 financial year, followed by final operating capacity in 2022-23.
“Defence’s effort to bolster ICT system security through the adoption of sound supply chain processes and practices continues to develop and mature,” a spokesperson told iTnews.
“Logically, this may include exploring various options including consideration for the use of existing or emerging technologies.
“Defence does not provide direct comment on the specifics of its approach to cybersecurity.”
The department has invited one supplier to apply for the project through a brief on the Digital Marketplace.
But the brief is a mere formality, as Defence first approached the market through a similar brief last month, in which 12 sellers responded.