The federal government has unveiled a final set of regulatory principles aimed at helping businesses secure the supply chains of critical technologies like artificial intelligence and quantum computing.
The voluntary ‘critical technology supply chain principles’, released by the Department of Home Affairs on Monday, come a year after a set of principles were first proposed by the government.
The 10 principles are intended to be used to make decisions about suppliers and their products, reduce “unforeseen threats” when developing critical technologies and to build business resilience.
Critical technologies are defined as “current and emerging technologies with the capacity to significantly enhance or pose risk to our national interests” such as AI and quantum computing.
“Australia is a world leader in key areas of research such as advanced manufacturing, and Australian industry is keen to invest in emerging technologies,” Home Affairs said in a document. [pdf]
“However, overseas markets supply many of our technological requirements and Australia imports many technologies and components that we are not best placed to produce locally.
“To facilitate increased investment and resilience, we need to ensure enduring access to a diverse, secure and trustworthy supply of critical technologies.”
The principles, which have been slightly altered since they were first proposed to reflect industry feedback [pdf], are grouped under three pillars: security-by-design, transparency, and autonomy and integrity.
Agreed security-by-design principles include understanding what needs to be protected and how this can be done, and building security considerations into all organisational processes.
Home Affairs said adopting such principles would mean “customers do not need to have expert knowledge and that they are not unfairly transferred risk that they are not best placed to manage”.
Other agreed principles in the transparency and autonomy pillars include setting and communicating minimum transparency requirements and considering whether suppliers operate ethically.
Home Affairs has recommended that organisations apply the principles to their own operations and their direct suppliers as a first step, and “carry forward the expectation that those suppliers are doing the same”.
“By choosing to apply the principles, governments and businesses will be able to better adopt new critical technologies, buy or use products and services with greater confidence, and securely realise their full benefits,” it said.
“Other potential benefits include improved supplier relationships, clearer expectations for suppliers, stronger customer confidence that results in a competitive edge, and better resilience in times of crisis.”
Home Affairs Minister Karen Andrews said the principles will give businesses and consumers the confidence to take up, invest in and further develop critical emerging technologies.
“These principles come at a vital time – both for Australia and for our critical industries,” she said in a statement.
“We face unprecedented threats from a range of malicious cyber actors, growing geo-strategic uncertainty, and are increasingly reliant on technologies that can be hacked, held to ransom, or otherwise disrupted.”
Andrews added that the federal government would “lead by example and use the principles in its own decision-making practices”.
The principles are intended to work alongside the cut-down version of the government’s Security Legislation Amendment (Critical Infrastructure) Bill, which is currently before the Senate.
The bill is intended to rush in new cyber security incident response takeover powers for the Australian Signals Directorate, a move deeply unpopular amongst tech companies.