UN Cyber Norm I | Ensure supply chain security
States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions.
What is it about?
Norm (i) is about ensuring the integrity and security of the ICT supply chain to promote confidence and trust among end users. It involves preventing the proliferation of malicious ICT tools and hidden harmful functions, contributing to a secure, stable, and accessible ICT environment. By focusing on these areas, the norm aims to enhance international security, support digital and economic development, and foster an open and trustworthy ICT ecosystem.
Why is it relevant?
Global ICT supply chains are extensive, increasingly complex and interdependent, and involve many different parties. The relevance of this norm today also stems from the interconnectedness of global ICT systems, the evolving nature of cyber threats, and the imperative to maintain trust and security in digital interactions.
How is it implemented?
In accordance with the clarification provided in the UN GGE 2021 report, to effectively implement the norm, reasonable steps include:
- Establishing frameworks for supply chain risk management at the national level: This includes putting in place at the national level comprehensive, transparent, objective and impartial frameworks and mechanisms for supply chain risk management, consistent with a state’s international obligations. Such frameworks may include risk assessments that take into account a variety of factors, including the benefits and risks of new technologies.
- Adopting good practices for supply chain risk management: This includes establishing policies and programmes to objectively promote the adoption of good practices by suppliers and vendors of ICT equipment and systems in order to build international confidence in the integrity and security of ICT products and services, enhance quality and promote choice.
- Promoting dialogue with other states and relevant actors to ensure fair competition: This implies increased attention in national policy and in dialogue with states and relevant actors at the UN and other fora on how to ensure all states can compete and innovate on an equal footing, so as to enable the full realisation of ICTs to increase global social and economic development and contribute to the maintenance of international peace and security, while also safeguarding national security and the public interest.
- Developing globally interoperable common rules and standards for supply chain security: This includes cooperative measures such as exchanges of good practices at the bilateral, regional and multilateral levels on supply chain risk management; developing and implementing globally interoperable common rules and standards for supply chain security; and other approaches aimed at decreasing supply chain vulnerabilities.
- Preventing the development and proliferation of malicious ICT tools and techniques and the use of harmful hidden functionalities, including backdoors: States can consider putting in place at the national level measures to enhance the integrity of the supply chain, including by requiring ICT vendors to incorporate safety and security in the design, development and throughout the lifecycle of ICT products.
- Establishing certifications: States may also consider establishing independent and impartial certification processes.
- Enhancing data protection and privacy: States can consider putting in place at the national level legislative and other safeguards that enhance the protection of data and privacy.
- Prohibiting harmful hidden functions and exploitation of ICT vulnerabilities: States can consider putting in place at the national level measures that prohibit the introduction of harmful hidden functions and the exploitation of vulnerabilities in ICT products that may compromise the confidentiality, integrity and availability of systems and networks, including in critical infrastructure.
For further information on non-state actors’ implementation of this norm, please check the Geneva Manual on Responsible Behaviour in Cyberspace.
Who are the main actors?
Although the norm addresses responsible state behaviour and targets UN Member States, additional actors could play a role in its implementation:
- International and regional organisations (e.g., OSCE, ASEAN, African Union), which could be particularly helpful in developing globally interoperable common rules and standards for supply chain security, as well as common approaches to addressing the risks associated with the exploitation of ICT vulnerabilities.
- International standards organisations (e.g., ISO and IEC), which could help develop and promote global cybersecurity standards for managing supply chain risks while enhancing the security of ICTs.
- Non-state stakeholders, such as private-sector companies that manufacture and supply ICTs and are directly responsible for their security.
- Non-state stakeholders, such as civil society organisations, which can advocate for consumer protection and privacy, provide input on policy development, and raise awareness of cybersecurity issues.
- Non-state stakeholders such as consumers and end users, who also have a role to play in implementing the norm by demanding secure and trustworthy ICT products and influencing market behaviour through their purchasing decisions.
Where is it discussed?
The UN Open-ended Working Group (OEWG) remains the only process in which all UN Member States discuss the implementation of the agreed norms, including this norm, on a regular basis.
States implement these norms domestically, including by adopting acts and policies at the national level, and may also engage in regional cooperation to enhance cybersecurity. Coordination between states at the level of their competent national authorities can also help operationalise the norm, e.g. by developing common approaches to addressing the lack of interoperable rules and standards for supply chain security, the development and proliferation of malicious ICT tools and techniques, and the use of harmful hidden functionalities, including backdoors.
Discussions within international standardisation bodies such as the International Organization for Standardization (ISO) or the Institute of Electrical and Electronics Engineers (IEEE) also help implement the norm, since they bring together stakeholders from different countries to develop international standards for information security management, including supply chain risk management.
Public-private partnerships at the national or regional level also serve as an important platform for dialogue between states and relevant non-state stakeholders to discuss the operationalisation of this norm, promote best practices and improve supply chain security.
Various multistakeholder and international initiatives (e.g. the Geneva Dialogue on Responsible Behaviour in Cyberspace and the Global Forum on Cyber Expertise (GFCE)) serve as additional platforms for discussing the practical aspects of implementing the norm.