Supply Chain Security and Mutual Trust Research

Minitrack description

The National Strategy for Global Supply Chain Security identifies that international trade has been and continues to be a powerful engine for global economic growth. The many cybersecurity challenges facing governments and industries include one that many of us are unaware of – the serious threat posed by vulnerabilities in the cyber supply chain. Of the many components – including hardware, firmware, and software – that compose a technological product, most contain elements stemming from a broad global market, making it difficult, if not currently nearly impossible, to ascertain the complete security of an end product. With the market for technological goods and components continuing to rapidly grow every year, and with everything from missiles to smartphones relying on these information products, the need for mutual trust cyber supply chain security has never been more critical.

Enhancing the security of these technological supply chains must not destroy the well-functioning international market for technology. Instead of the two extremes of “intrusive government mandates” or “do nothing,” governments and non-governmental organizations are promoting development of private-sector systems for securing and accrediting technology companies that would allow customers to make more informed and risk-based decisions. This Minitrack solicits full papers that address the broad range of research topics in mutual trust and cybersecurity, including the particular topics described below (Section 5).


Minitrack history

The Supply Chain Security and Mutual Trust Research Minitrack is a Minitrack in its second year that builds on the success of previous Minitracks and associated tracks in other conferences that we have led.

Frederick Sheldon has led four successful HICSS Minitracks. The most recent one was entitled “Supply Chain Security and Mutual Trust Research Minitrack” in 2017, and the previous one was the “Information Security and Cyber Crime Minitrack” in 2012. The topics have followed a consistent progression from XML, to Semantic Web, Software Agents and Cyber Security/Information Intelligence. These Minitracks have brought renowned and highly cited researchers to the conference. For example, at HICSS-44 the Information Security and Cyber Crime Minitrack hosted 15 accepted papers (just under 50% acceptance rate), and at least 130 people attended during the full day of four sessions (there were zero no-shows).

We believe that these results benefited from the related annual Cybersecurity Symposium hosted by the University of Idaho and the Spring workshop (CISRC) held annually at ORNL on similar topics, because we advertised this Minitrack as being the natural next step for publishing full papers extended from the research abstracts that are presented at the Cybersecurity Symposium and CSIIRC. All chairs (Chen, Sheldon and Abercrombie) have presented multiple papers at HICSS in previous years and bring their strong background to assist in making the Minitrack at HICSS-51 a successful experience for all participants.


Relationship to e-Government

E-Government is the brand label for a multidisciplinary research domain, which studies the use of information and technology in the context of public policy making (electronic governance, open government, and digital divide/s), government operations (transformation, management, organization, infrastructure, interoperability, security), citizen engagement (e-Participation, transparency, collaboration, and digital democracy), and government services (including using social media). Numerous disciplines contribute to this intersection of research such as computer science, information systems research, information science, political sciences, organizational sciences (public administration and business administration), sociology, and psychology among others.

Organizations of all types (business, academia, government, etc.) are facing risks resulting from their ever-increasing reliance on the information infrastructure. Decision and policy makers managing these risks are challenged by a lack of information intelligence concerning the risks and consequences of cyber events (e.g., Sarbanes-Oxley Act, HIPAA, and Gramm-Leach-Bliley Act). They need to understand the implications of cyber security risks and solutions related to their information infrastructure and business. Risk management investment decisions, within the context of mutual trust among supply chains, should involve: (i) a comprehensive approach to cyber security risk management, (ii) credible appropriate data needed to support intelligent decisions, and (iii) assessment of the impacts resulting from the various investment alternatives. Sound, rational IT/business decisions require a comprehensive understanding of the dynamics of information intelligence and the likely effects of cyber security investment choices.


Proposed technical area, including minitrack topics

As our dependence on the cyber infrastructure and its associated supply chains grows ever larger, more complex, and more distributed, the systems that compose them become more prone to failures and/or exploitation. Trusted Supply Chains value currency and relevance over detail and accuracy. Information explosion describes the pervasive abundance of (public/private) information and the effects of such. Gathering, analyzing, and making use of information constitutes a business-/sociopolitical-/military-intelligence gathering activity and ultimately poses significant advantages and liabilities to the survivability of "our" society. The combination of increased vulnerability, increased stakes and increased threats makes supply chains and their associated processes one of the most important emerging challenges in the evolution of modern cyberspace "mechanization."

The goal of this minitrack is to challenge, establish and debate a far-reaching agenda that broadly and comprehensively outlines a strategy for mutual trust, cyber security, efficiency, and resilience of our vital global supply chain infrastructure research that is founded on sound principles and technologies, including:

  • Promote the secure and efficient movement of goods by
    • resolving threats early,
    • improving verification and detection capabilities,
    • enhancing security of infrastructure and conveyances in order to protect the supply chain, and
    • maximizing the flow of legitimate trade.
  • Foster a resilient supply chain by
    • mitigating systemic vulnerability of supply chains and
    • promoting trade resumption policies and practices.
  • How can stakeholders provide assurance that my product is safe without revealing intellectual property (e.g., source code)?
  • Is there a formal certification process and authority that can certify certain security properties exist in the product?
  • What would constitute a trusted third party (TTP) certification body (e.g., charter, COI, goals, membership, participants, industry)?
  • What would be the focus and benefits of the TTP (incentives, methods, technologies) and key outcomes (especially sponsors)?
  • How would the TTP get industry buy-in and be distinguished from other (e.g., TCB, OWASP, etc.) existing bodies?
  • Better precision in understanding existing and emerging vulnerabilities and threats.
  • Advances in insider threat detection, deterrence, mitigation and elimination.
  • Assuring security, survivability and dependability of our critical infrastructures.
  • Assuring the availability of time-critical scalable secure systems, information provenance and security with privacy.
  • Observable/measurable/certifiable security claims, rather than hypothesized causes.
  • Methods that enable us to specify security requirements, formulate security claims, and certify security properties.
  • Assurance against known and unknown (though perhaps pre-modeled) threats.
  • Mission fulfillment, whether or not security violations have taken place (rather than chasing all violations indiscriminately).

We must shift our focus away from winning battles, towards a strategy for winning the war by elevating trust in the mission and its underlying supply chains dealing with critical infrastructures. At this Minitrack, we seek to address our goals; refine our strategy; establish collaborative opportunities; disseminate information about important developments, initiatives and interested groups; and identify measures of success. How can we focus our future efforts to maximize the success of our strategy to ensure our technologies can meet the challenge of cyber security and mutual trust within the context of supply chain(s)?


More information on the minitrack chairs:

Guenevere (Qian) Chen, Ph.D., is an Assistant Professor in the Engineering Technology Department at Savannah State University and recently a visiting Professor at Oak Ridge National Laboratory (ORNL). She is a member of IEEE and Phi Kappa Phi. She is the co-chair of the 7th International Workshop on Internet of Things: Privacy, Security and Trust (IoTPST 2017, previously MobiPST, in conjunction with the 26th International Conference on Computer Communication and Networks [ICCCN 2017]).


Frederick Sheldon, Ph.D., is Professor and Department Chair, Department of Computer Science, University of Idaho. He is a senior member of the IEEE Computer and Reliability Societies, and member of ACM, Tau Beta Pi, Upsilon Pi Epsilon. He was the co-chair of the HICSS-50 (2017) Electronic Government Track Supply Chain Security and Mutual Trust Research Minitrack. He was the former chair of the Cyber Security and Information Intelligence Research Workshop held annually at ORNL.


Robert K. Abercrombie, Ph.D., is Vice President and Chief Technology Officer of Prime Time Computing, LLC and is Director, Cybernomics Laboratory, Center for Information Assurance, FedEx Institute of Technology, University of Memphis and was recently an Affiliated Research Professor, Department of Computer Science, University of Memphis. He is a senior member of the IEEE Computational Intelligence Society and senior member of ACM. He was the co-chair of the HICSS-50 (2017) Electronic Government Track Supply Chain Security and Mutual Trust Research Minitrack.


Endorsements

Guenevere (Qian) Chen is an Assistant Professor in the Engineering Technology Department at Savannah State University. Dr. Chen has both the infrastructure to support Minitrack chair activities and the full support of Savannah State University management for Minitrack chair responsibilities including travel and conference registration costs, as do Sheldon and Abercrombie at their respective institutions.

Co-Chairs

Guenevere (Qian) Chen
(Primary Contact)

Assistant Professor
Engineering Technology Department
Savannah State University
3219 College Street
Savannah, GA 31404, USA
Phone: +1-912-358-3268
Fax: +1-912-650-8064
Email: chenq@savannahstate.edu; gueneverechen@gmail.com

Frederick T. Sheldon
Professor and Department Chair
Department of Computer Science
University of Idaho
875 Perimeter Drive MS 1010
Moscow, ID 83844-1010, USA
Phone: +1-208-885-6501
Fax: +1-208-885-9052
Email: sheldon@idaho.edu

Robert K. Abercrombie
Adjunct Professor
Department of Computer Science
University of Memphis
Memphis, TN 38152-3240, USA

and

Prime Time Computing, LLC
Knoxville, TN 37934, USA
Phone: +1-865-966-7031
Email: abercrombier@ieee.org