Verifiable Trust: A Foundational Digital Layer Underpinning the Physical, Financial, and Information Supply Chain


Digital trade, or the application of digital technologies to trade and supply chain processes, is an opportunity to drive efficiency, speed, and resilience for companies, industries and countries that rely on trade for growth. The pace of technological advancement, and the falling cost of computing power and storage, now make the benefits of digitally-enabled trade accessible to more parties than ever before.

However, progress towards digital trade is slow – less than 5% of merchandise trade is digitalised by most estimates – with SMEs and the emerging markets relatively slower to adapt. Barriers to digital trade include the lack of an enabling policy environment, the proliferation of multiple digital trade practices and standards, as well as a lack of capacity and culture of data sharing. The ICC Digital Standards Initiative (DSI) was established to address these barriers.

Specifically this report is the outcome of the DSI’s Industry Advisory Board’s Trusted Technology Environment (TTE) working group, which was established in Spring 2022, to provide a perspective on how to create and maintain a technology environment that would facilitate trade digitalisation at scale. A particular focus was placed on issues of authentication, verification and security, with the caveat that the group would remain neutral with regard to the choice of technology and vendor/platform, and be inclusive of organisations regardless of their level of technological maturity.

In essence, when analogue supply chain and trade processes – represented by key trade documents – are transformed through automated data transfer and sharing, the verification, authentication and protection of such data becomes paramount. Thus, as DSI proposes alignment of digital standards for key trade documents (viz. the key trade documents and data environment working group), this report proposes to start the conversation about technology principles for the global digital trade ecosystem.

Trade transactions sometimes involve dozens of participants and roles along international supply chains. These parties undertake many interactions which are frequently documented in separate and security-encapsulated systems, resulting in digital islands, which often do not align to available data standards. Data transition between these ‘islands’ is mostly provided by using paper documentation or electronic paper substitutes. This makes end-to-end digitalising of all interactions between the participants in the execution of a trade transaction particularly challenging. It is aggravated by the often high number of parties involved in data exchange along trade processes.

Often, parties may invest in trade digitisation which retains conventional business processes but facilitates them by electronic means. The goal of trade digitalisation is to reduce the friction or duplication of the information flow of data along the supply chain, by automating the data path in a secure way that crosses boundaries between entities and jurisdictions. Often called a digital twin, the data path in an international supply chain forms its own data-supply chain that modulates or facilitates the associated physical and financial supply chain. From a secure data transmission perspective, the important data supply chain boundaries are those that define trust-domains. Information (data) that can cross trust-domain boundaries without losing its trustworthiness provides what we call transitive trust. Low friction transitive trust could be a primary enabler for automating secure international data supply chains and hence all supply chains that are reliant on information (data) as a facilitator.

To further the degree of automation, visibility, and manageability, among many other goals, business process chains should become interwoven between the systems of trading parties and their service providers. Breakpoints in the form of paper or paper-substitute ‘interfaces’ should be replaced by interfaces conveying data, preferably in real time. However, this also requires replacing conventional trust mechanisms, like ink-signed paper. In other words, digitising supply chains by using electronic signing of paper substitutes (i.e. PDF) with a semi-digital equivalent (i.e. DocuSign or Adobe Sign) will produce efficiency gains or labor saving, but not the gains in terms of trust, traceability or anti-fraud.

In short, every digital interaction in an international trade transaction should become verifiable, non-repudiable, retrotraceable, accountable and auditable for any required retention period.

Trust, in its traded semantic, should be established through verifiability. The overall conception should be developed around the “never trust, always verify” mantra, embodied by the counterintuitively labelled “Zero Trust Architecture” movement, which is rapidly growing within the cybersecurity industry. A new, verifiable digital layer beneath the information supply chain, which itself underpins the physical and financial supply chains, is required: the “trust supply chain”.

All interactions between two subjects of any country and a subject and an object (such as goods or containers) being part of a digital fabric would be supported by this trust layer, which would be abstracted and independent from any layer above. A trade asset created in system A and routed through system B and C, must be verifiable in system D to be reliably attributable to its original creator in system A.

A trust supply chain providing such “transitive trust” is a prerequisite for digitalising – as opposed to simply digitising – supply chains, and will provide means for weaving trusted end-to-end supply chain processes across organisational boundaries. Strong cryptography deployed in Public Key Infrastructures (PKI) is instrumental to achieving this goal.
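The A-to-D scenario above can be made concrete with a digital signature; the following is an added illustration, not part of the report, which stays technology-neutral. It assumes Ed25519 signatures, a hypothetical `Envelope` format, and a plain map in system D standing in for PKI certificate validation; all names and the sample document are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Envelope is a hypothetical format: claimed issuer, the exact bytes that
// were signed, and the issuer's signature over those bytes.
type Envelope struct {
	Issuer             string
	Payload, Signature []byte
}

// Issue is system A: sign the serialised trade document with A's private key.
func Issue(issuer string, key ed25519.PrivateKey, payload []byte) Envelope {
	return Envelope{issuer, payload, ed25519.Sign(key, payload)}
}

// Relay is system B or C. It forwards the envelope; a non-nil edit models an
// intermediary that alters the payload in transit.
func Relay(e Envelope, edit func([]byte) []byte) Envelope {
	if edit != nil {
		e.Payload = edit(e.Payload)
	}
	return e
}

// Verify is system D. It trusts only its own issuer registry (a stand-in for
// PKI certificate validation), never the relays, and returns verified bytes.
func Verify(e Envelope, registry map[string]ed25519.PublicKey) ([]byte, error) {
	pub, ok := registry[e.Issuer]
	if !ok || !ed25519.Verify(pub, e.Payload, e.Signature) {
		return nil, errors.New("issuer unknown or signature invalid")
	}
	return e.Payload, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	registry := map[string]ed25519.PublicKey{"system-A": pub}
	doc := []byte(`{"doc":"bill-of-lading","qty":"40"}`) // constructed sample
	env := Issue("system-A", priv, doc)
	_, honest := Verify(Relay(Relay(env, nil), nil), registry)
	alter := func(p []byte) []byte { return bytes.Replace(p, []byte(`"40"`), []byte(`"400"`), 1) }
	_, altered := Verify(Relay(Relay(env, alter), nil), registry)
	fmt.Println("honest relays:", honest, "| altering relay:", altered)
}
```

System D accepts the document without any trust relationship to B or C, and rejects it as soon as an intermediary changes a single field or an unregistered key claims to be system A.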

Zero Trust Architecture, an architecture proposal/paradigm for building organisation’s future IT landscapes, will help lay further foundations, but also requires verifiable trust to provide for stringent and repetitive authentication and authorisation. Only the use of cryptographically produced verifiability will ensure that the multitude of parties in trade will be protected in a legally authoritative fashion along a chain of services.

An indispensable part of Zero Trust Architecture and the practice of cryptographically produced verifiability is the use of digital identity to secure, sign and authenticate data sets that document any transaction along the supply chain even as multiple borders are crossed. Basically, if parties rely on exchanged datasets in lieu of PDF and physical documents, these need to be signed and authenticated by the relevant parties, which can be achieved securely using digital ID.

Use of digital ID will also address the interoperability of authentication and authorisation as a key building block for the digital trade ecosystem. Digital identities will gradually replace conventional means of “signing off” on agreements and facts, which are exchanged in trade.

The Zero Trust Architecture paradigm will change application landscapes widely over the coming decade. Network perimeters like firewalls are already losing their relevance to protect ring-fenced resources, as the trend to cloudification moves enterprise resources into serviced data centres. Roaming resources, as “rolling stock” equipped with internet of things (IoT) devices, further blur the lines between internal and external networked resources, as “rolling stock” can be delivery trucks where the smartwatch of a driver becomes an instrument to sign off on a Delivery Note, or a ship moored in a port communicating with the port’s infrastructure regarding its cargo.

Consequently, identity and access management functions in organisations will have to re-center their activity from role-based access to application functionality to resource-centric access admission in a more dynamic style. Cloud computing is already asking for this and supply chain partners which adapt earlier will position themselves for advantage in the future.

The foregoing principles – the application of Zero Trust Architecture to enable cryptographically produced verifiability and the use of digital identity – will enable data sharing that is key to efficiency, traceability and accuracy along the supply chain. However, there is one caveat.

Interoperability between systems and software instances is critical to avoid investments in trade digitalisation turning into sunk investments in digital silos or islands. Interoperability is to be achieved by standardisation conducted on multiple layers, whereby standardisation efforts usually overarch single layers. It starts on the technical infrastructure layer, continues on the data layer, to reach up to the service layer and further up to the legal layer.

Digital identity for instance requires standardisation on all these layers to become fully interoperable.

Suffice to say that interoperability of data – and alignment of parties' data infrastructure and practices to established standards for data sharing along the supply chain – will allow digital trade to become the de facto practice at scale. The present concerns of data security, particularly related to data flow across borders, can all be addressed by aligning to the technology principles established herein, namely the use or application of:

  • Zero Trust Architecture, backed by cryptographically produced verifiability
  • Digital ID for all parties transacting
  • Interoperability for all data, implying alignment with global standards where they exist

The TTE working group has prepared this paper to build on the knowledge and work of others in the field, in order to contribute to the task of digitalising global trade in a secure, trusted manner taking advantage of the technologies available today. It goes without saying that as technologies advance, the technology principles proposed and described herein may evolve and improve our understanding of verifiable trust in the emerging digital fabric of international trade.

Source: ICC DSI