What are the Principles?
As I outlined in an earlier post, Critical Technologies are those new or niche technologies which will confer a competitive advantage for Australia into the 21st Century.
On 15 November 2021, the Department of Home Affairs published the final version of the Critical Technologies Supply Chain Principles, after approximately one year’s public consultation. These principles come off the back of similar efforts in the USA, UK, New Zealand and other countries, all of which recognise the risks associated with Supply Chain Integrity and Security (SCIS).

Importantly, supply chain integrity and security is applicable to all industries, not just critical infrastructure operators (covered under the Security of Critical Infrastructure Act, or SOCI, and its subsequent amendment, SLACI) or those industries involved in Critical Technologies. The study entitled ‘Product fraud: Impacts on Australian agriculture, fisheries and forestry industries’, published by AgriFutures Australia in late 2021, is a prime illustration of this (I will take a look at this report later).
Relevant Definitions
- Foreign Ownership, Control and Influence (FOCI): A company is considered to be operating under FOCI whenever a foreign interest has the power, direct or indirect, whether or not exercised, and whether or not exercisable, to direct or decide matters affecting the management or operations of that company in a manner which may result in unauthorised access to sensitive operational information / confidential information or may adversely affect the performance of contracts in Australia’s national interest (adapted from US Government DCSA). Whilst this language originated in the U.S., it is also used by Australia’s Foreign Investment Review Board (see here) as well as Defence.
- Supply Chain Integrity: “a set of policies, procedures, and technologies used to provide visibility and traceability of products within the supply chain. This is done to minimize the end-user’s exposure to adulterated, economically motivated adulteration, counterfeit, falsified, or misbranded products or materials, or those which have been stolen or diverted” (United States Pharmacopeial Convention)
- Supply Chain Security: activities that aim to enhance the security of the supply chain or value chain, the transport and logistics systems for the world’s cargo, and to “facilitate legitimate trade” (Government of Canada)
- Product protection: the collection of programs, internal controls and security countermeasures designed and deployed to protect tangible and digital products against fraud, security and integrity threats in the supply chain and marketplace. This includes Anti-Piracy, Anti-Counterfeiting, Track and Trace, and Product Authentication measures (Curwell, 2022).
The Critical Technologies Supply Chain Principles establish 10 ‘agreed principles’ generally applicable to brand integrity, supply chain integrity, and product protection in any Australian industry:
| Agreed Pillars | Agreed Principles |
|---|---|
| A. Security by design: Security should be a core component of critical technologies. Organisations should ensure they are making decisions that build in security from the ground up. | 1. Understand what needs to be protected, why it needs to be protected and how it can be protected. 2. Understand the different security risks posed by your supply chain. 3. Build security considerations into all organisational processes, including into contracting processes, that are proportionate to the level of risk (and encourage suppliers to do the same). 4. Raise awareness of and promote security within your supply chain. |
| B. Transparency: Transparency of technology supply chains is critical, both from a business perspective and from a national security perspective. | 5. Know who your critical suppliers are and build an understanding of their security measures. 6. Set and communicate minimum transparency requirements consistent with existing standards and international benchmarks for your suppliers and encourage continuous improvement. 7. Encourage suppliers to understand and be transparent in the depth of their supply chains, and provide this information to customers. |
| C. Autonomy and Integrity: Knowing that suppliers demonstrate integrity and are acting autonomously is fundamental to securing your supply chain. | 8. Seek and consider the available advice and guidance on influence of foreign governments on suppliers and seek to ensure they operate with appropriate levels of autonomy. 9. Consider if suppliers operate ethically, with integrity, and consistently with international law and human rights. 10. Build strategic partnering relationships with critical suppliers. |
Businesses looking to uplift their supply chain and third party risk management practices would do well to incorporate these principles into their policies, supported by a robust framework to facilitate implementation. So what might such a framework look like exactly?
How do the Principles relate to other standards and guidelines?
The Critical Technology Supply Chain Principles are a useful starting point for businesses which haven’t really focused on this area before when developing their policies or supply chain risk management programs. In my day to day interactions across many industries, whilst domains like cybersecurity are very mature, supply chain risk management is something many businesses have largely overlooked for decades, despite our status as an island nation.

So, if the Principles provide high level guidance, how much similarity is there between them and other commonly cited standards or guidelines focused on developing more holistic programs? And which, if any, standards might be best used by Australian businesses to complement the Principles when building their programs to manage supply chain risk? The following table compares the principles against the main guidelines used in this area:
| CTSCP | ISO 28000 Supply Chain Security Management | SOCI Rules | APRA CPS231 Outsourcing | ANSI/ASIS SCRM.1-2014 |
|---|---|---|---|---|
| 1. Identify critical assets & protection requirements | Existing | Not yet finalised | Indirectly | Yes |
| 2. Identify risks | Existing | Not yet finalised | Yes | Yes |
| 3. Design in security | Partial – focus on supply chain, not product protection | Not yet finalised | Yes | Yes |
| 4. Raise awareness | Not directly addressed | Not yet finalised | Not directly addressed | Yes – using ISO31000 principles |
| 5. Know Your Suppliers & assess their security | Yes | Not yet finalised | Partial | Yes |
| 6. Work with suppliers to increase transparency | Partial | Not yet finalised | No | Yes |
| 7. Encourage suppliers to map and understand extended supply chains | Indirectly | Not yet finalised | No | Yes |
| 8. Consider foreign interference risks to suppliers | Indirectly | Not yet finalised | Not directly addressed | Not directly addressed |
| 9. Consider supplier ESG* & Integrity risks | Not directly addressed | Not yet finalised | Yes | Yes |
| 10. Build partnerships with key suppliers | Yes | Not yet finalised | Yes | Yes |
*ESG risks refer to the collection of Environmental, Social and Governance risks faced by public and private sector organisations today. For those new to ESG, this article from MSCI provides a useful introduction. ESG risks include Modern Slavery – see here for my previous post, ‘Modern Slavery, Human Trafficking & People Smuggling (part 1)?’, and here for ‘How should I perform due diligence to comply with Australia’s Modern Slavery Act 2018 (part 2)?’
As you can see from the above table, ANSI/ASIS SCRM.1-2014. Supply Chain Risk Management Standard: A compilation of best practices is one of the more comprehensive references for any business looking to build or enhance its supply chain risk management program. Additionally, note that the Critical Technologies Supply Chain Principles introduce a range of new measures not previously. Managing these risks likely requires new skills for many security practitioners (in both the cybersecurity and protective security disciplines).

What might implementation and adoption challenges look like?
One observation from me is the interdisciplinary or converged nature of legislation and government policy relating to risk and security that started to emerge with the introduction of the SOCI Act in 2018. There is an increasing emphasis on integrated, enterprise-wide programs which remove the traditional silos that existed between protective security, cyber security, fraud / financial crime, risk and compliance, procurement and operations. Foreign Ownership, Control and Influence – traditionally the domain of Anti-Money Laundering / Counter Terrorist Financing and Trade Compliance – is one example.
Whilst all of these measures are positive and heading in the right direction given the complex threat environment we all now operate in, the question for me is how Australian businesses will respond to guidance such as the Principles and whether they will be embraced and enacted, particularly in Australian industries which have traditionally given their security-related concerns minimal priority. The protection of Australian Intellectual Property (beyond legal protections such as a patent or claiming copyright) is a prime example here. Hopefully our historical Australian attitudes and perceptions of a benign risk environment are evolving given increasing cyber attacks, frauds, and changing priorities for company directors and boards. Only time will tell.
Further reading
- ANSI/ASIS SCRM.1-2014. Supply Chain Risk Management Standard: A compilation of best practices, https://www.asisonline.org/publications–resources/standards–guidelines/scrm/
- APRA (2017). Prudential Standard CPS 231 Outsourcing, Australian Prudential Regulatory Authority, https://www.apra.gov.au/outsourcing
- Australian Government (2021). Blueprint for Critical Technologies, Critical Technologies Policy Coordination Office, 17 November 2021, https://www.pmc.gov.au/resource-centre/domestic-policy/blueprint-critical-technologies
- Australian Government (2021). The Action Plan for Critical Technologies, Critical Technologies Policy Coordination Office, 17 November 2021, https://www.pmc.gov.au/resource-centre/domestic-policy/action-plan-critical-technologies
- Australian Government (2021). Critical Technology Supply Chain Principles, Department of Home Affairs, https://www.homeaffairs.gov.au/cyber-security-subsite/files/critical-technology-supply-chain-principles.pdf
- Curwell, P. (2021). Modern Slavery, Human Trafficking & People Smuggling? (Part I), https://paulcurwell.com/2021/04/30/modern-slavery-human-trafficking-people-smuggling-part-i/
- Curwell, P. (2021). How should I perform due diligence to comply with Australia’s Modern Slavery Act 2018 (part 2)?, https://paulcurwell.com/2021/06/27/how-should-i-perform-due-diligence-to-comply-with-australias-modern-slavery-act-2018-cth-part-2/
- Curwell, P. (2022). Australia’s Critical Technology and Supply Chain Principles (part 1)
- ISO28001. Security management systems for the supply chain — Best practices for implementing supply chain security, assessments and plans — Requirements and guidance
- MSCI (n.d). ESG 101: What is Environmental, Social and Governance?, https://www.msci.com/esg-101-what-is-esg
- Smith, M., Ashraf, M., Austin, C., Lester, R. (2021). Product fraud: Impacts on Australian agriculture, fisheries and forestry industries, AgriFutures Australia, https://www.agrifutures.com.au/product/product-fraud-impacts-on-australian-agriculture-fisheries-and-forestry-industry/