ICT供应链完整性：政府和企业政策的原则

ICT Supply Chain Integrity: Principles for Governmental and Corporate Policies

卡内基国际和平基金会于2019年10月发布报告《ICT供应链完整性:政府和企业政策的原则》。该报告是世界各地的政府官员,企业高级管理者以及政策、法律和技术专家进行深入研究和对话的结果,旨在满足合法的国家安全要求与保护数字经济和企业股权之间达成平衡。报告认为,网络空间的健康状况、国际数字经济和贸易系统的开放性以及主要国家关系的稳定性取决于人们对ICT/OT供应链完整性的信心。为提高供应链完整性,目前政府和企业正从技术、运营、商业、法律四个方面积极采取措施,但对于有意干预供应链的行为缺乏对策。为有效起见,相关的规则或义务应当以增强信任度、问责制、透明性和接受性为目标,以现有的国家和国际协约为基础,以确保采购安全、奖励合规和增强实施信心等措施为辅助。更广泛地讲,保护供应链的完整性不应仅仅被视为网络安全问题,还需要注重质量保证、产品和服务安全、防伪策略、技术许可和出口控制合规性以及客户信任度。

Carnegie Endowment for International Peace has issued a report named ICT Supply Chain Integrity:Principles for Governmental and Corporate Policies in October.The report is the culmination of in-depth research and dialogue with senior government,corporate officials,and policy,legal,and technical experts from around the world.It aims to strike a delicate balance between the fulfillment of legitimate national security requirements and the protection of the digital economy and corporate equities.The report articulates that in an increasingly digitized world,information and communication technologies(ICTs),and especially operational technologies(OTs),have assumed critical importance for governments,industry,and the general public worldwide.Yet trust in the integrity of these products and services are declining because of mounting concerns over inadvertent vulnerabilities in the supply chain and intentional backdoor interventions by state and corporate actors.Many worthy,promising initiatives are underway to enhance supply chain integrity.Yet these typically approach the challenge from four stovepiped perspectives:technical,operational,commercial,and/or legal.to be effective,these rules,or obligations,should aim to enhance trust,accountability,transparency,and receptivity.They should also be anchored in existing national and international arrangements and be accompanied by measures to secure buy-in,reward compliance,and increase confidence in their implementation.More broadly,protecting the integrity of the supply chain should not be viewed solely as a cybersecurity matter.Securing the supply chain also requires attention to quality assurance,product and service safety,counterfeit prevention strategies,technology licensing and export control compliance,and customer trust.