So today, Bob is going to explore the motivation and the current status of the MITRE System of Trust initiative. So a warm welcome from The Open Group, please, for Bob Martin from MITRE. Over to you, Bob.

Thank you, Steve. And thanks, Andras. You gave a great opening to many of the topics I'll be covering. What I'm going to talk about today is an effort that MITRE has been putting together. We've been involved in different aspects of supply chain security for decades. But as I'll talk about, we've done it in little pockets of expertise for different customers on different projects for different reasons. And I think that is reflective of a lot of enterprises, and bringing that together so that we can actually talk better together and more cleanly align our concerns and interests is really the point of this talk. When we talk about supply chain security, we definitely need to make sure we don't just fixate on intentional harm. Definitely counterfeit, whether it be hardware or software, is something we really want to pay attention to; malicious taint or insertion is definitely something a lot of people are worried about, but we also need to make sure that poor quality, carelessly tainted hardware and software, or actually vulnerable items are also covered. Because we really need to have confidence in products and services and those that supply them across these different realms. So when we look at physical supply, you know, we look at how products are actually delivered. Here we're looking at air freight, but you can also look at sea freight, sorry. And what I think everyone here knows, kind of in the back of their head, is that more and more things come more and more quickly. And that's partly because the shipping industry has tremendously increased the carrying capacity of ships.
If you look from the 60s and 70s up through now, there's a huge increase in how many, you know, 20 by 20 carriages they can carry, which is reflective of what you can buy off of Amazon today. So when we think about supply chain security, we need to make sure we don't lose the grounding in traditional logistics management and the kinds of issues that have been going on for decades, and the reciprocal of that, the purchasing, the buying, the acquiring of those goods. But as we talked about in the last session, ICT aspects of things have gone up and up. So more of the things we buy and install have software, have networking capability, reach back, get updates. So how we bring things in, how we operate them, getting people trained in the overall risk management in our organization is a huge part of this. And then of course, because they are now being put on our networks, they're interacting with other systems, the whole cyber risk management of your enterprise and your insight into your suppliers is also a big part of it. But there are also some things that are unique. And, you know, addressing the fact that software-enabled things have different kinds of risks than your traditional supplies is something many managers have had a hard time getting an understanding of. They were well on top of their risk management of suppliers until those suppliers were delivering goods that actually, you know, interacted with their networks and brought risks. So all of these are part of the background. So whether you're buying commercial off-the-shelf or high-value items, there are all kinds of examples of the supply chain bringing risks to enterprises where the kind of due diligence that many would have expected wasn't there, whether you're outsourcing services or you're, you know, accidentally buying counterfeit, and counterfeit can be hardware or software.
And so all of these are part of this picture, including just software itself, because today we don't build software from the ground up. We assemble it; we bring in libraries and frameworks. In fact, the most current example is something called Ripple20, where a very, very commonly used set of libraries has a whole parcel of vulnerabilities. And the trouble is, it's so ubiquitous that people can't get a handle on which of their products are affected and who's going to update it when. So this is all the background in which these different areas really get into the discussion of trust and trustworthiness. But on top of them, we also have to worry about sole source. There are the researchers out there, the buyers. And what it really comes down to is that today, we talk past each other quite often. We don't actually recognize the same perception about the issues that need to be communicated and given assurance about. And so it's in this context that the MITRE work is coming into play. So, as I said earlier, MITRE's been doing a lot of work in this area for a long time. But when you step back and look at it, it looks very chaotic, because it uses different terminology, different scope, different abstraction. So one part of what we're doing is trying to bring some alignment and organization out of that chaos. We're trying to use industry standards, harmonize community norms, and also make sure we're not fixated on any one particular aspect. So whether it's geopolitical risk from where something is sourced, or technological risk about, you know, how something is developed and implemented, all of these are going to be part of the System of Trust. If we were totally successful in doing that, we'd still fail, because now we would have such a daunting, you know, kind of landscape of issues to be addressed that nobody could ever approach it and actually make decisions.
So another part of what we're doing is making it a way to simplify, tailor, and bring into the context of what you're trying to do, so that you don't get lost in the details. So these are basically our key value propositions. We're going to have broad breadth and consistency, make sure we integrate all these things, bring in the contextual part to let you tailor it. We also want to make sure that innovative, very cutting-edge approaches or nuanced ways of looking at things fit in, so the extensibility. And we want to make sure that, you know, the commercial offerings out there for giving insight into some of these concern areas fit into this approach. So what is the basis of trust when you are an organization? Now, I can trust you, Steve, but how do I trust an organization? It's not based on personal history. So we've divided it into three aspects: the supplies, the suppliers and the services. We call those the aspects of trust. And what's keeping you from trusting the supplier? Well, it's concerns. So I may be concerned about their influence from external organizations, whether that be a nation state or in the industry, where you may be worried that your competitor is going to have influence over your supplier, and critical goods are short, so that your supplier is going to, you know, basically divert things you need to someone else. Organizational stature: where are they? Where are their critical capabilities, and what kinds of risks would that distributed nature of the organization possibly flow down to you as a purchaser? Are they financially stable? Next, you know, you make a great decision on suppliers, but two months later, they're, you know, on the rocks and cutting corners, and no longer is the quality what you chose them for. Are they malicious? You know, are they just out for a fast buck, or are they an honest broker, a good partner?
Again, organizational security: if all the others were great, but they're sloppy in their securing of their networks and their capabilities, they could just be an attack vector to you, where someone gets into your organization through them. Do they have an improving process, a quality culture? And susceptibility is something where, are they so focused in a small niche that they're an obvious target for anyone who wants to go after those customers? Or do they acknowledge that they are a specialized group and they know that they're going to be an avenue of attack to their customers? So right now that's where we have our top-level concerns for suppliers. And supplies: it really comes down to three: hygiene, counterfeit and taint. So taint, whether it be malicious or not; counterfeit, whether it's that they carelessly pull supplies from someone who provides counterfeit or they in fact are offering counterfeit; and hygiene: do they have good practice and normal business practices of good hygiene and good manufacturing, whether it's hardware or software and the like. And then in services, this is an area where we're actually looking to some recent work out of The Open Group to improve this, where, you know, it's not just physical and remote access, but there are a lot more nuances. So this is still a work in progress. And when you sit and look at these concerns, you just don't say, oh my God, I've got concerns. You actually go in and investigate them. So there are lots of sources of information, whether it's open source, whether it's asking questions, whether it's getting samples and reviewing them. Just lots of ways you can kind of come down to: is that concern valid or not, and therefore understand your position with that supplier, that item of supply or a service. So let me just dig into one of them to give you a little more detail. So I'm going to look at suppliers and their internal influence, and I'm going to look at ownership.
So, you know, basically digging down now: well, how do I get to that next level of understanding that concern? So here, the key management personnel and non-persons: do they have a relationship to countries of concern? This is something obviously for many organizations, especially in the government, they've been asked to look at. And so what we've offered up is simple yes/no questions that probe into that. And while I say they're simple, making something like this into a yes/no question takes a lot of understanding about this risk area, and getting the question to actually have that intelligence about the subject matter in the question, so that you don't end up with a question that then takes an expert to analyze the answer. So here are examples of six of these, each of which can be answered either because you go and ask the question, or because you investigate them. So this is just one example, but in putting these detailed questions together, we're also trying to understand what it takes to actually work with that answer, or to get that answer. Does it cost money or cost technology? Do you even have a legal right or ability to answer or ask that? How long would that information be useful, and how easy is it to misdirect? All these things are going to help us tailor the System of Trust based on that and other kinds of information. So, sorry. If you look at our overarching kind of knowledge map here, there are lots of different areas, and I'm not going to try to, you know, bring you through all these. But the idea is, we want to have a balanced look at concerns. You may focus on one or the other, but, you know, getting the vocabulary, getting the discussion onto a single sheet of paper, as it were, so that people stop talking past each other, or only fixate on a part of the problem, is where we're going. So in the deck, you'll find some of the sources we're using.
You'll find a bunch from The Open Group, as well as some from the IT Sector Coordinating Council, and lots of good things here. I'm not going to, you know, go into those in detail, but we also have offered, as we have done in many of our community efforts in the past: anyone who wants can offer up insights without revealing who they are, if they want to contribute them under what we call a unilateral NDA. Basically, the organization is offering us material to help build out the System of Trust. And, you know, we'll do that anonymously, so that their insights can be shared. So I talked about the vocabulary, the taxonomy. There's actually a data model behind this. And there's actually a tooling tech, you know, stack also behind it. But that tooling mostly is for us as we build this. So we want to come up with a shared picture of these concerns so that people do not start with a blank sheet of paper, but also they can map it to different efforts and different organizations. We also, within MITRE and our customers, want to converge on a shared picture of this so that when any customer in MITRE asks, you know, for us to investigate something, we know we're applying the best practice, open industry and within MITRE. And the last area is we also want to support those who are making decisions to actually have a way of doing that. And in support of that, we actually will allow for bringing a spreadsheet version of this, because if you start answering those questions, you're quickly going to have a document that you need to control and, you know, keep confidential to yourself. So the idea would be that this whole body of work could be exported into a spreadsheet, which you could then use to answer and then do all kinds of analytics and analysis. So that's basically the nub of it. But as I said earlier, this could be very overwhelming.
So we're looking at profiles. If you're starting to try to use the System of Trust to make choices and make decisions, we would offer something like this, where you identify what kind of acquisition you're trying to decide on, what kind of organization you are, which may or may not bring in mandatory things or, you know, take things off the table. So what kinds of skills and means do you have? Can you actually ask questions? Will you actually entertain oral discussions with the supplier? Will you get samples, so that you can actually do a hands-on analysis? Often you won't. So that would really change the scope of the assessment. And what kind of period of time and resources are you talking about? So with this kind of, you know, kind of focus, we would then offer up if there are any showstoppers given the scope you've chosen. Are there issues and questions that, if the answer was, you know, yep, that risk is there, you'd be done? So I don't know if these are the right ones, but basically, you know, in some organizations, any one of these questions, if answered in the wrong way, that supplier or that item of supply, you know, may be out of the question; they may not be able to go further. So rather than worry about these kinds of questions being buried deep in some hierarchy and being watered down, we think we're going to start with them. And if these aren't, you know, triggered, then go deep into the actual overall questioning. So the idea would be, going back to the example I had before, you know, going through answering these questions. Many of these, as I said, could be, you know, linked to data sources, either Dun & Bradstreet, Moody's or some others. So not all of these will need to be answered by a person on their own, but they can make use of those analytics and services that are out there.
So bottom line, we think that we'll end up with something like this, where those different concern areas will end up with, you know, really high risk or little risk. Here, higher numbers are riskier. So the one on the right seems, at least on the outside, to have less risk; whether that totally maps to your concerns for the, you know, use in your enterprise, that's something we're hoping our community will grow to maturity to be able to apply. So there is an article out at the Cutter Consortium that really covers a lot of what I just talked about. And if you follow the link below, it'll ask you to register, but it's not mandatory. So you can get a copy of this and the details. It talks about the last step in our assessment, which is piloting. And so we're going to be doing some pilots in the next month, where we apply this to different kinds of acquisitions, different situations, to see if this method seems to work and to open the door to the next step, which is to try it with even more communities. So we're hoping that this will bring a consistent approach, and that we'll have something that people can use. In the deck, I've also got details on these different use cases, but I'm not going to go through them right now. But they're there for your reading. And with that, I thank you and take the next part of our discussion.

Well, thanks very much. That was a whistle-stop tour of clearly a lot of words going into this. So just to clarify, the intent is that this would be available to anyone who wants to use it, or are there requirements? That's what I took from it.

So what I'm hoping is that we'll be able to work the overall structure of this and talk with lots of people, align it, get it to make sense to as many communities as we can. Basically to distill some of the terminology disconnects and scoping and focus disconnects that are just continuously getting in the way of making informed decisions.

Yeah, absolutely.
Okay, well, as you know, we'd be keen to help at The Open Group. So bear that in mind. I know you're a regular participant. So we don't have much time for questions, Bob. But let me start with this one. Is there not a sustainability piece to risk these days? If the supplier is not operating sustainably, they may not be able to operate in the longer term.

Totally understand that as a new area. Right now, the material we've collected gets into that in financial stability and understanding their supply chain. I expect that to get richer as people give us feedback. But yes, sustainability is definitely a discussion area.

It's been brought into sharp focus by the last 12 months or so. Right. Another question: how successful is it to use software composition analysis in identifying security issues in third-party software components, libraries, etc.?

I think that it runs the gamut. Some of the software composition analysis capabilities are very rich in understanding third-party, especially open source, components. I mean, they actually study the open repositories, understand how they evolved over years, compile them into different binary representations so they can recognize them fairly accurately. Well, some others are a little less mature, but that whole area of understanding your software supply chain and understanding what has been used inside your software and the software you had is a huge area. I'm actually very involved in software bill of materials as a way of giving a technical handle on that, but it's not a panacea.

Understood. Last question, Bob: do you see this resulting in some kind of supplier tiering or supplier score within an organization, for example?

Well, I think that happens today. And what I'm hoping is, given a consistent backdrop of issues, concerns, that sorting will be more rational and consistent.
And so the message to the market, no matter which, you know, supply chain you're in, will be more consistent. Because today I think you have that happening, but, you know, why they get ranked low and how they get better depends on which supply chain they're in and what the other practitioners are doing. Whereas if we're successful, there'll be more consistency in the messaging about what the concerning issues are and how you address them.

Well, thank you very much. I love the graphic, the cartoon of yourself. It's like you're on the screen for real.

The artist did it at RSA a couple of years ago.

Well, it's great. It's nice and personal. And Bob, thank you for your insight and thank you for sharing what you're up to, and keep safe.

Thanks for the opportunity, and same to you and yours.