Australian businesses should consider and seek guidance on the influence of foreign governments on their technology suppliers and ensure they operate with autonomy as part of the federal government’s new voluntary supply chain principles.
Home Affairs Minister Karen Andrews unveiled the Critical Technology Supply Chain principles on Monday morning, following consultation with industry and other stakeholders.
The set of 10 voluntary principles will assist Australian businesses to “securely and confidently adopt and develop critical technologies” such as artificial intelligence, quantum computing, blockchain and algorithmic automation, Ms Andrews said.
“These principles come at a vital time – both for Australia and for our critical industries. We face unprecedented threats from a range of malicious cyber actors, growing geo-strategic uncertainty and are increasingly reliant on technologies that can be hacked, held to ransom or otherwise disrupted,” Ms Andrews said in a statement.
“Alongside important legislation currently before the Senate to support and assist critical industries to confront cyber attacks, wide adoption of these new principles will safeguard Australia’s security and prosperity for years to come.”
The government itself has committed to sign on to the principles and adopt them in full.
“The Australian government will lead by example and use the principles in its own decision-making practices,” Ms Andrews said.
The principles call on Australian businesses to seek and consider the available advice and guidance on the “influence of foreign governments on suppliers” and seek to ensure they operate with appropriate levels of autonomy.
The 10 principles are split into three “pillars”: security by design, transparency, and autonomy and integrity.
On security, the government recommends that businesses understand what needs to be protected, why it needs to be protected and how to protect it, and that they understand the different security risks posed by a company’s supply chains. Security considerations should also be built into all organisational processes, including contracting, and security should be promoted within the supply chain, the principles say.
On transparency, companies which sign onto the principles should know who their critical suppliers are and build an understanding of their security. They should also set and communicate minimum transparency requirements and encourage their suppliers to do the same.
The principles also state that companies should consider if their suppliers are operating ethically, and build strategic partnering relationships with them.
The principles will be entirely voluntary for companies, and the federal government has acknowledged that a number of companies supported making them mandatory instead, in the form of clear standards and regulatory frameworks.
“We also heard that making the principles mandatory could erode their usefulness to industry and limit flexibility. If the principles were to become mandatory, there should be evidence to support their measurements of success and a framework to report compliance,” a government discussion paper said.
This is about not putting an unnecessary burden on local businesses, Ms Andrews said.
“The Morrison government will always benefit, not burden industry. That’s why we’ve worked in close partnership with industry to co-design the principles, ensuring they are fit for purpose and meet industry’s needs,” she said.
The government said the new principles will complement reforms around critical infrastructure currently before Parliament. This new law has been split in two following a recommendation by the Parliamentary Joint Committee on Intelligence and Security. New powers for the government to intervene as a “last resort” if a critical infrastructure company is subject to a cyber-attack, and a significant expansion in the scope of companies covered by the laws, are to be passed urgently.