The federal government has proposed a set of regulatory principles to help secure the supply chains of critical technologies like artificial intelligence and quantum computing in a bid to reduce vulnerabilities.
A discussion paper, released on Thursday, calls for comment on the Critical Technology Supply Chain Principles, which - like the recently introduced Internet of Things code of practice - will be voluntary for organisations.
Critical technologies are defined in the paper as “current and emerging technologies that have the capacity to significantly enhance or pose a risk to our national interest”, and can be either digital or non-digital, like synthetic biology.
The principles are intended to serve as a toolkit for businesses and governments to “make decisions about their suppliers and transparency of their own products”, reduce “unforeseen threats” and ultimately build resilience.
Amid a rapidly changing global technological landscape and increasing malicious activity and competition, the government said “organisations of all sizes need to trust their suppliers”, as well as understand why they are buying and any embodied risks.
It also pointed to technology having become a “central element of geostrategic competition, with some states seeking to dominate critical and emerging technologies for strategic advantage”.
This is particularly problematic for Australia, which sources “many ... technological requirements” from overseas markets and “imports many technologies and components that we are not best placed to produce locally”.
“Improving how we manage vulnerabilities and security threats in technology supply chains will help protect against risk to national security, sovereignty and way of life,” the discussion paper states.
“Managing the broad security considerations across the lifecycle of critical technological development and throughout the supply chain is one way to begin addressing these risks.”
A total of ten principles have been suggested across three pillars: security-by-design, transparency, and autonomy and integrity, which align with advice previously released by the Australian Cyber Security Centre.
The government said the “suggested principles recognise that security should be a core component of critical technologies, should be built-in from the outset,” and should be accompanied by a “good understanding of who suppliers are”.
“These tools can [be] employed to lower their risks to unforeseen threats, which could lead to potential reputational damage from using insecure products, loss of IP or customer data or a loss of access to markets,” the paper states.
Businesses, as well as state and local governments, will be encouraged to apply the principles and “carry forward the expectation that those suppliers are doing the same”, while the federal government has committed to use them, including during procurement.
“By choosing to apply the suggested principles, government and businesses will be able to better adopt new critical technologies, buy or use products and services with greater confidence and securely realise their full benefits,” the paper states.
“Other potential benefits include improved supplier relationships, clearer expectations for suppliers, stronger customer confidence that results in a competitive edge and better resilience in times of crisis.”
Submissions to the consultation will close November 12.