Cybersecurity in PCB Supply Chain

It’s a privilege to be sitting down with Didrik Bech, CEO of Elmatica, the world’s oldest PCB broker company and now part of the NCAB group and CAB group. Together we will dive into exciting topics surrounding cybersecurity, compliance, and supply chain and his upcoming presentation at IPC Apex. Didrik has some interesting insights on supply chain Cybersecurity management in the PCB design and manufacturing industry. Make sure to watch through the end and check out the additional resources below. This episode will be an insightful one! 

Listen to the Podcast:

Download this episode (right click and save)

Watch the video:

Show Highlights:

• Dedrick Bech introducing Elmatica 
  • World's oldest PCB broker
  • Recently acquired by the NCAB group
  • Securing PCBs for different partners in the PCB supply chain
• A quick summary of what was going to be in the IPC Apex paper that Dedrick is presenting
• Different levels of compliance and to what extent does this apply in the PCB design and manufacturing
  • Controlled Unclassified Information (UCI) 
  • Every country has a different view on it
• Two possible aspects of greater focus on compliance 
  • Intellectual property
  • Cybersecurity concerns
• How to get IT and compliance strategy come back and get implemented together 
• Data security awareness - some tips and practical steps 
• Is it worth it to invest for a data security software and team 
• More ways companies can do to help guarantee compliance and prevent data to be copied 
• Formalized packages for a high level of compliance - how deep does this have to go for small companies 
• Compliance and Cybersecurity differs from country to country and depending on: 
  • the company 
  • the country’s regulations
  • where the PCB is produced
• There is a room for improvement in creating some compliance hazards for designers 
  • Start with a good communication with the supply chain team
  • Gather data ahead of time
• Misconception about sharing data 
• Securing supply chain for large subcontractors 
• The importance of reading and understanding Defense Federal Acquisition Regulation Supplement (DFARS) regulation 
• AltiumLive Connect was successful! Watch the exclusive recorded sessions here
   

Links and Resources:

Connect with Didrik Bech on LinkedIn
Visit Elmatica’s Website here
National Institute of Standards and Technology
Defense Federal Acquisition Regulation Supplement (DFARS)
Watch AltiumLive 2022 Connect Recorded Sessions Here
ALTIMADE Design to Manufacture, Made Easy | Request Access Now
 

Full OnTrack Podcast Library
Altium Website
Download your Altium Designer Free Trial
Learn More about Altium enterprise solutions

Claim the special offer for Podcast listeners only

Transcript:

Didrik Bech:
You might have been developing a product for, I don't know, one year, five years, 10 years, 20 years. And you're putting it online. I mean, I just get scared by the thought. Maybe it's only me, but I think there's room for improvement in regard to specific IT strategies specifically for cybersecurity and sharing data.

Zach Peterson:
Hello everyone. I'm Zach Peterson and welcome to the Altium On Track podcast. Today, I'll be sitting down with Didrik Beck, CEO of Elmatica, which is now part of the NCAB group and CAB group. We're going to be talking all things about supply chain, his upcoming presentation at IPC Apex, and some other interesting topics surrounding cybersecurity and compliance, and I think it's going to be a very timely talk. Also, some very interesting insights that this guy has to tell all of us. So I'm excited. Keep watching, and have fun listening. Didrik, thank you so much for joining me today.

Didrik Bech:
Thank you for the very nice introduction, Zachariah.

Zach Peterson:
Absolutely. You can call me Zach too. Everybody tries to go for the full name, but Zach is fine.

Didrik Bech:
Okay, I will.

Zach Peterson:
It's the name I use in videos, anyways.

Didrik Bech:
Yeah.

Zach Peterson:
So when we were talking earlier, you had mentioned that you are presenting a paper at IPC Apex, and I had actually been invited myself, but I feel that someone who is in maybe your position, quite a bit more experience, has a bit more insights to bring to an event like Apex. So I was really interested to hear a bit more about what your company does, and then also maybe a quick summary of what was going to be in the IPC Apex paper.

Didrik Bech:
Yes. Thank you. No, we are actually the world's oldest what I like to call broker PCB. And we were recently acquired by the NCAB group, as you said earlier, or stated the name. And we are securing PCBs for different partners in the PCB supply chain. And that's also what I've been given the honor to have a presentation about, is specifically PCBs in the supply chain. Specifically in regard to compliance, and compliance can be differentiated into several aspects, but I've specifically focused here on export compliance in relation to PCB, and with the historical background of actually what has happened, why did it happen, and what do I think will happen forward? We all know the, how can I put it, instabilities or challenges we have now in several places around the world, maybe specifically elements like let's say Taiwan and Ukraine and so on. So I think compliance is a hotter theme than ever before, at least in the last 20 years. So this-

Zach Peterson:
Yeah. Oh, sorry, go ahead. Go ahead.

Didrik Bech:
No, no. Sorry, please continue. I just keep on talking. It's like putting a dime on the machine. Never stops.

Zach Peterson:
Well, I think when most designers hear the word compliance, it's probably things like local environmental regulations. And if they've ever gone through EMC testing, it's going to be radiate emissions compliance. So if you're in the US, you have to deal with the FCC. If you're in Europe, it's CSPER, whatever those laws might be. I think that's where everybody's head goes. And you're talking about a different level of compliance. I mean, to what extent does this have to apply to maybe the regular designer versus someone who's dealing with the government, or dealing with medical equipment? There are different levels of compliance.

Didrik Bech:
Yes. There is. Specifically, let's, for example, talk about export compliance. It affects absolutely everybody. For example, let's say you're sitting at home, you're developing something, and these days you've also been allowed to, for example, work from a home office, which is also actually directly affecting export compliance regulations. They've actually had to do some changes or some updates, or some extra allowances, because of the COVID period. And then you're sitting at home designing, let's say a PCB for, it might be a communication device, which is going to be used on a tank, or at a military base, or for a federal government. It might be CIA, it might be FBI, it might be Homeland Security. It might be Norwegian authorities. I mean, all kinds of different agencies. Then automatically when you're doing this, every country has a different view on it.

Didrik Bech:
But if it's, let's say it's in the United States, then quite quickly, it's what I like to say CUI, controlled unclassified information, unless it can also be classified, and other elements. But you should always consider, if it goes into defense, or used by the government, is it CUI? And if it is, how am I allowed to process that data? How can I share it, and where can I store it? And not least, who can I store it with? And then you are affected by a multitude of different regulations. And it's very important that actually the designers, or I would like to say actually the ones who are deciding to launch a project, launch a project where you either further develop an existing product, or a new product, has to keep in mind, how will we be affected?

Didrik Bech:
And there's all kinds of different regulations. It's actually quite the same in Europe and United States, also because we're NATO countries. But then, for example, you have the military list, one, you have the military or the dual use, or the military list, the two dual use lists, and also a whole variety of different sanctions. So it means that when you develop something, you need to make sure you don't share it with the wrong person, company, that it ends up in, for example, an embargoed country, that will be very potentially bad news.

Zach Peterson:
Yeah. I know that with the government contracting supply chain or hierarchy here, at least in the US, there's a requirement by the US government to have primes actually subcontract out a certain percentage of that work that could include CUI, or even classified information. And so you have to wonder how far down the chain do you have control over, and how much supervision is there as you get farther and farther down the chain of a subcontractor's subcontractor's subcontractor? Where does that all fall apart and then create compliance problems?

Didrik Bech:
Very fair and very accurate and good question. First of all, the team wants to have good control of what they're doing. And I think a general rule could be the further down you get, the less information you receive. And-

Zach Peterson:
But is that because they're dealing with the highest value contract, so they have the most attention?

Didrik Bech:
Yes. I mean-

Zach Peterson:
They're most likely to get audited.

Didrik Bech:
Yes. Take a PCB, for example, in a, let's say in a defense project, the value might be 0.001% of the value, or even less. It's nothing. So you start, I mean, it's a natural... You start with the highest cost elements. I think once you think differently, once you think, "What are we addressing which has a drawing?" Because automatically practically, if you have a drawing, like a drawing for PCB, it's CUI. And there's also new regulations coming out in America, which I think will affect Europe greatly in the future, which specifically handles everything which has a drawing, because if it's drawing, which means it been developed in that country, it might be drawing in Norway. It might be drawing in Sweden, Germany, America, but automatically when you draw something and you create something of what your intellectual property rights, and it's linked to specifically sign for defense, you should be wary.

Didrik Bech:
What might the potential export compliance regulations in this case? Or what can we be affected by? So it should have some training. And I know that each country handles this in different ways, but there's actually, most countries actually handle it in the same way, but there's a lack of understanding. I would like to say that since, let's say, the 1993, when the, if I might say the Cold War was over and then things eased down, even all the same regulations have been there the entire time. And now it's getting more and more focus on this aspect, which we see, without going into direct consequences. It's very simple just to search online and you'll find a lot of, how can I put it, different cases of what has happened.

Zach Peterson:
Yeah. I'm going to assume that some of that greater focus on compliance has come from two possible aspects. One is intellectual property theft by actors in East Asian countries, and I think we all know which East Asian country I'm talking about. But then also cybersecurity concerns, because obviously if you have weak cybersecurity, there's the potential for those designs to be exposed. Even, possibly, if you didn't send them to somebody who is outside your country, and would be subject to regular export control requirements.

Didrik Bech:
Yes. I think you're touching a pretty important subject, and that is, how many companies have a strategy in regard to cybersecurity and compliance. Imagine how many who are sending out... Let's say we have a product, I'm calling the project X, you're sending it out to 10 different EMSs to get it quoted. I'm not saying anybody's doing anything wrong, but you're sending it out over the web, which means if you know something about sending files, it means it's for example, it's one file becomes three files, and the first file which reaches tells the other two to delete. So do you have an encrypted network? What kind of intellectual property are you sending out? Which means, who is actually accessing it? Where is it stored, and how afterwards is it deleted? Which means you might have been developing a product for, I don't know, one year, five years, 10 years, 20 years.

Didrik Bech:
And you're putting it online. I mean, I just get scared by the thought. Maybe it's only me, but I think there's room for improvement in regard to specific IT strategies, specifically for cybersecurity and sharing data. And the general rule is, don't share it if you don't need to share it, and don't have access to it if you're not using it in your everyday work. I was at the cybersecurity training in Washington a couple years ago. And I remember one of the, it was a lawyer, asked, "How many people here have access to the bank accounts?" And it was X amount of people who had it. And he said, "How many people actually need access to it?" And none of them needed. And then he asked, "Why do you have access?" Sometimes it's like, in a company, the higher up you get, you should have more and more accesses.

Didrik Bech:
I think that is completely wrong. I think you should access to what you need to have access to. And then you're allowed to ask your colleagues for documentation or papers, whatever, for the other things you might need for a specific case. So starting locking down each company, and being much more aware of who has access, and where it is stored. I think that's a great place to start. Also, if I remember in 2000 and was it '17, '19, I think? But somewhere between 50 and 60% of, for example, American companies, had multifactor authentication, which means if you don't have that, people can practically at any time... I mean, this costs nothing. It's a standard feature in Google and most other systems... log onto your company and actually just steal your data. So sitting down on the officer level in each and every company, irrespective of how big it is, it can be one employee or 100, or 1,000 for that sake, putting down some very quick instructions what to do and not to do is great.

Didrik Bech:
And there's also so much new software now, without saying names of softwares. But a lot of specifically American softwares, I can put it [inaudible 00:11:53] on the stock exchange in America, which have made the cybersecurity set up and structure and control much easier than it was only three, five, 10 years ago, which means we're talking about standardized systems off the shelf. Buying it, implementing it. In the past, you needed your own IT man or woman to set it up and secure it. Now practically every mom and dad shop can do it also, it's just a matter of focus, and also at a very affordable price.

Zach Peterson:
Yeah. I mean, in a way, that's encouraging. The fact that it can be in some way standardized, and I guess, easy to access, and easy to make yourself compliant. But I wonder how many companies actually do this? Even if they don't know, maybe they don't know they're actually dealing with export controlled data, because nobody tells them. And so whoever they're dealing with expects them to know. I mean, when my company receives a design, we are told this is export controlled data. And we receive it through a channel that we know is meant to pass export controlled data to us.

Zach Peterson:
So it's very clear and open, and we have to prove compliance in that way. And obviously we can't just go emailing around stuff if we have to send files around, but like, I'm a mom and pop shop who may not have a huge budget. Number one, are they even implementing it? And two, if they're not, do they even know about it? Because it seems like the IT strategy at some point starts to diverge from the compliance strategy. And so how do you get those two to come back together and get implemented together? Because clearly they go together.

Didrik Bech:
Yes, that's a very good question, also a quite challenging question. Let's say you have a... I'm just giving some numbers... let's say $10 million per year in revenue, and the defense or export compliant, there might be also other things. It could be a medical project, other things which requires a whole different level, or telecommunication, which is actually quite close to defense. You have, let's say, 10% of your business, and then who knows? The margins might be high, the margin might be low. And the question is, how much are you willing to invest?

Didrik Bech:
So I think it actually boils down to a strategic choice. Thinking, do I want to stay in this business and grow, or not? But I could say on a general level, which I'm also presenting at IPC, is that this market is quite huge. And I think it's only going to grow, actually quite dramatically, over the years to come. So those who decide to have a concrete strategy and actually implement measurements to be compliant will not, in a short run, but maybe in, let's say, two to five years going forward, they will reap some very nice potential benefits of this, I would call or say, relatively small investment, at this time.

Zach Peterson:
Yeah. I think that makes sense. I think companies should be looking out in that two to five year timeframe for these types of investments, for just as you said, it's not like it's a huge investment. But number two, as the market grows, it's going to need more of these types of measures to ensure compliance and security.

Didrik Bech:
And we've seen, without going into details, some governments, also United States government, which are looking into more and more of everything they're buying, which is specifically for surveillance, telecommunications, and so on, which has a lot of PCBs. Where is it produced? Who has access to it? Should we bring it back to American soil? Can we buy it from our partners in Europe? It's a lot of things going on. We are part of a lot of discussions where we hear what things people are thinking, and what I can say, people need to start to prepare. If you wait two, three years, you might suddenly be out of that business, and that potential growth also. So making some contacts and you don't need to fancy expensive lawyers, you can gain a lot from just studying and reading on the net, and choosing some very good standardized system.

Didrik Bech:
It can be with Azure cloud. It can be CrowdStrike with Sentinel, all kinds of systems which will help you significantly very quick. And depends what kind of data you're handling, but if you're not handling the most secure data, you can have some very good standardized solutions, to what I would say an affordable price, but it takes... I would say it's more like a strategic focus, and not least talking to your colleagues and being more careful. I mean, if you receive something, looks fishy, don't open it. It's very simple. 80% of breaches are people, and we're all people, which open or look into stuff they shouldn't look into.

Didrik Bech:
Just awareness, talking about it. If you get something suspicious, don't respond back to the email, "Hey, is this you?" The phone is an unused medium. I like to say that to write an excellent email it can take me anywhere from 30 minutes to two or three hours. But if I call the person, I'll handle it in three minutes, and afterwards I can just write the short summary, we agreed to the following. So I'm a little bit old school. Call me.

Zach Peterson:
Yeah. I can't tell you the number of emails I get every day with some strange file attached. "Hey, here's your invoice, check it out." Or, "Here's this crazy image that someone wants to send you," or, "Here's an HTML file." And I mean, it's kind of obvious at this point what people are trying to do. And I mean, my company's a small company. I'm not Boeing or anything, but you have to wonder how many of those phishing emails do larger companies get? And it almost seems like it's statistically guaranteed at some point for somebody to try and open something that they shouldn't be opening, and then there's a data breach.

Didrik Bech:
I think also that's why they're doing it, because if nobody had opened it, then they would've stopped sending it.

Zach Peterson:
That's a great point.

Didrik Bech:
So instead of spending huge money on systems, and sandbox systems and filter systems, why not spend a couple of dollars on that good coffee and talking to your colleagues and saying, "If it looks fishy, it probably smells bad. Don't jump into the water, call somebody." We're talking low tech, which is just using our brains. It's also-

Zach Peterson:
Yeah. That's absolutely. I mean, that's so funny because you're right. If it didn't work, people wouldn't continue to do it. It's like the Nigerian prince scam.

Didrik Bech:
Yes. I'm going to send [crosstalk 00:18:17]-

Zach Peterson:
You thought it would've gone away, right?

Didrik Bech:
Yeah. But that's... I mean, and of course in a work day when people are stressed and have a lot to do, you might get that email just before a meeting and you don't think. So, it's just, again, repetitive training. And like we do at our company, we have our own IT sending us different kinds of emails, and doing standardized off the shelf systems you can buy where you do training. They send you emails to test you, and see how you're responding. So it's just awareness at a low cost. I know everybody screams when it's something new, "Oh, this the cost," but I would rather say, "What is the cost of you losing control of your products? What is the cost of somebody in X country making a simple rip off copy of your products and selling it?" That cost is tremendous. So I say spending some money as precaution is worth every single dime.

Zach Peterson:
Well, I mean, when you say the cost is tremendous, I mean, can you make that more tangible? Because when people think IP theft, I think because it's hard to make it tangible, it seems like it's this far off, isolated thing that maybe a few large companies have to worry about. But I think if you look under the surface and you think about how often data breaches happen, it's probably a lot more common than people realize.

Didrik Bech:
Without going into the specific details, I can give some general examples. And I know from one of our partners, they said that every time they launch a new product, they're quite big, it takes 18 months, on average, before that product is copied and on the market. 18 months. And they can spend, I mean, hundreds of millions of dollars to develop it for that sake. So they had a strategy, for example, that when it comes to software, they developed a software in one specific country. And if they produced in other countries, then the software is only... They don't send the software, put it that way. It's uploaded directly into their devices when it's sent back to their country. So that means that they might copy the physical attributes of the product, but they will not be able to access the software in the same respect. And of course they put all kinds of measurements in so they can know.

Didrik Bech:
So it's also a challenge to access the software afterwards. So I think having... The bigger you get, having specific strategies might be very smart. And choosing some partners which you trust is always a good rule. People like to jump around for prices, which I think is a quite big challenge these days, as all the prices are going the wrong way, which means up. Practically all, at least. I mean, I don't understand how this inflation is calculated if you ask me, but that's a different story, I guess, a different debate actually. But you should think about, it's not... Find some good people you can work with which you trust, have some good routines, and trust in your products and you will most likely be successful.

Zach Peterson:
Yeah. Well, you and I can save the inflation debate for another episode of the podcast if you want. But yeah, so I mean this seems like... It's interesting, because you say it only takes 18 months to make a full copy. I mean, I think this relates a bit to something that we had talked about in a previous podcast with Joe Grand, who's well known as a hardware hacker. And we'll actually link to that in the show notes. But he had talked a lot about security through obfuscation, essentially just all you can really do is try and make it harder for someone to copy the product.

Zach Peterson:
And that's what it seems like this partner that you're referencing is doing, they're essentially forcing you... They're putting up as many barriers as they can to prevent intellectual property theft. I mean, is that all people can do? I mean, aside from knowing who you're giving something to, but I mean, at some point down the chain, it's going to get exposed to somebody who probably shouldn't see it. And so what else can companies do to help guarantee compliance, and prevent this kind of copying? And I mean, how far does that copying go? I mean, are the products identical? Is it just they take the... They have this product that's copied, they just slap a new label on it, and then act like it's authentic?

Didrik Bech:
Yeah. I do know a lot of stories I'm not at liberty to convey, but yes, it is a challenge. You can of course have patents and so on. Not everything can be patented. So I think the best security is working with people who has the same degree of security as you have. And it's quite seldom, I mean, it's actually super rare that I am confronted with people like, "Hey, I would like you to present your cybersecurity strategy. I would like you to present your export compliance strategy. I would like to know how your database structure is." These questions should be general questions.

Didrik Bech:
How is your customer screening? How is your partner screening? I mean, these questions are lacking. So I'm hoping that all those who do audits and so on start asking more questions, and more interesting questions, and without being disrespectful sometime, "Where is your fire extinguisher?" It's quite seldom houses are burning these days. Of course that's not good if anything burns, but there are other questions which should be added to the audits, which are conducted in all kinds of countries, and in all kinds of industries. Start with cybersecurity. What are you doing? I think people will be, how can I put it, surprised.

Zach Peterson:
So if a smaller design firm is looking to get into a market that requires a high level of compliance. You brought up some software solutions that can help ensure compliance, but aside from implementing those types of solutions, it sounds like you're expecting some of those audit requests to get a bit deeper, and that these smaller firms should really prepare to be answering those questions for larger clients, especially if they are working in something like defense and aerospace. Would you say that's correct?

Didrik Bech:
That is correct.

Zach Peterson:
Okay. Okay. So that could involve anything from developing formalized packages that they can send out when they get an audit request that really proves this type of compliance. I mean, how deep does that have to go? You brought up, what's your database structure...

Didrik Bech:
Yes. In America, of course you have the FAR and the DFARS, Defense Federal Acquisition Regulation Supplement. You also have the ITAR, which is when you're exporting it. Every single country and in Germany, so you have the BAFA which regulates in England, so you can have open general license, and you have a state department in Norway, and in Sweden, and all countries have different regulations. But they're built, I would say, in the same way. But by far, the American government has come the furthest, and not least with some of the plans I've seen for the future. For example, you have the NIST 800 171 B, which is applicable automatically under the DFARS, which has 100 and what, 10 controls, if I remember correctly? Regarding what you're supposed to do. So there are a lot of requirements out there.

Didrik Bech:
So you need to sit down and read a little bit, and there are specific requirements regarding defense compliance. And I think the best thing would be actually, if some of the countries, specifically the NATO countries, agreed to some standard set of requirements. That would've been great for all the rest of us. And also, since a lot of these regulations were made in the, let's say, '50s, '60s, '70s, '80s, we didn't have internet at that time, put it that way. So not everything is made for the future. So I know that there's some ground breaking work being done there in many countries, on both sides of Atlantic, which I think in the near future will help, and make it easier for all the actors to understand what to do. Because there are, how can I put it? There are some conflicting views upon storage and how you do stuff.

Didrik Bech:
So I'm looking forward. And since you're very small, also like us, we are just trying to do what we are being told to do and understand the regulations. Sometimes it can be a challenge, but again, you can do a lot with simple tools, with standardized tools off the shelf, to protect your company and protect the data. So I think it's important to show that you are, how can I put it? You're not sitting and waiting for somebody to knock on the door. You have to be proactive. It might not be perfect, but at least you have a strategy, and working on it. And that's often very... [inaudible 00:27:07] people how you shouldn't, very understanding.

Zach Peterson:
Sure, sure. And I mean, it seems like a lot of these efforts around compliance and cybersecurity, they're just getting pawned off onto a third party that you now have to trust. So whether it's just your antivirus program, or whether it is something more advanced at some of those other companies that you mentioned earlier, it seems like there's going to be some level of compliance that you're going to have to trust that they can help you satisfy.

Didrik Bech:
Yeah.

Zach Peterson:
And then there's going to be your internal practices and processes that you then have to implement yourself.

Didrik Bech:
Yes.

Zach Peterson:
And I mean, how do you... Is it going to be as simple as, if you get asked to prove compliance in order to win a large contract, let's say, you just say, "Hey, I have CrowdStrike," and that satisfies 18 points on the checklist?

Didrik Bech:
No, it's specific. As I say, under the NIST, it's quite specific requirements. This is different from country to country. I'm talking more on a general level. Now the American regulations are quite specific, but of course, if you have a tier one, we should not inform you about the mandatory flow down clauses in DFARS, and you don't know. That's a challenge, which means everybody needs to inform. We need to have openness in the PCB supply chain regarding the compliance regulations which affects you. And since a lot of defense projects, let's say, for example, the F35. That's developed in United States, but it's also lot of cross development in countries like Denmark, Norway, for example, the T-X, which is the fighter trainer for the F35 is from Sweden, from Saab, and so a lot of actors are working together, which means multiple of compliance sets are applicable, and which might be a little bit different. But again, as long as you have a strategy and work on it, and implementing measurements specifically for European countries, I think then you're already on a good path.

Zach Peterson:
Yeah. And I don't have clients in Europe, but I do have clients in Canada that work in the defense industry. And between the US and Canada, there's actually a joint certification program where you can get approval to get this technical data from both sides, because you have to go through this vetting process. Is there actually something similar between the US and Europe?

Didrik Bech:
Not between the US and Europe. I know there's some special projects, for example, between England and the United States. But it's mainly if it's developed United States and sent to Europe, it's ITAR. If we develop it here and it's purchased by the United States government, then it's the DFARS. Quite simple. I mean that's... And of course, that's the easiest way to put it, but there's, at the same time, every country has different regulations regarding embargo countries, and also people and companies. And also where you're allowed to produce, for example, that can differentiate. So it might be, for example, that the one country accepts another country for production or sales, or end use, but another does not. So depending on where we have produced the PCB, the consequence might be suddenly that you cannot sell that rocket, because the PCB was made in a country which doesn't accept the sales to that country.

Didrik Bech:
So again, you need to have a strategy. And then I have learned once that, for example, if it's a PCB for a plane, just to do a test to change the PCB would cost, let's say about $1.2 million for test flights. So if you save the $5 in that PCB, that was very expensive. So you again have a strategy from the beginning and make sure that the designers, when they're sitting there, that they know... They should know where we are planning to sell this product, because that will automatically affect where they can produce. And also for example, I would say that the laminate is the lowest level on the PCB. Make sure you know which country that laminate is coming from, because that might be also an embargoed country, or somebody you do not have a defense alliance with, or a place you don't want the laminate to come from, to different kinds of reasons.

Zach Peterson:
Yeah. You brought up something interesting, which is, suppose I export to one country to a subcontractor, and I don't check where they're going to then produce, and they go to another country to do some work or to produce, and that third country is now embargoed by my country. I had not initially considered that, but I think that makes total sense. You have to have that strategy in place when you're dealing with subcontractors.

Didrik Bech:
Yes. So that's why you put it simple. You need to know origin for every single article you have in your products.

Zach Peterson:
Yeah.

Didrik Bech:
That does not mean where you're buying it, that doesn't matter. Where is it produced?

Zach Peterson:
Yes.

Didrik Bech:
And that should be in very simple, and good old fashioned excel still works great.

Zach Peterson:
The wonders of Excel. Yes, absolutely.

Didrik Bech:
Yes.

Zach Peterson:
Well this is really interesting and I mean, I'm so happy that you've come on to talk about this, because I think that this is one of those areas where a lot of designers, like you had mentioned at the beginning, think they're going to have to hire a lawyer. And it's just something that you put off, and put off, and put off, or maybe you just try and Google all the answers. And I think it creates some compliance hazards for certain designers. And I'm wondering how many companies think they're compliant because of this, but they really aren't compliant, and how much of a risk is that?

Didrik Bech:
That's a very... It's difficult for me to answer, but I've been to some, for example, defense last time at Arlington Cemetery, was listening to Kate [Deering 00:33:00]. And I think there's, she didn't say anything specifically about this, but I think there's room for improvement. And that's also why we're implementing new regulations, like for example, the CMMC, which is coming out. The Cybersecurity Maturity Model Certificate, very long name, even for Norwegian to pronounce. I think we're doing stuff to help the industry, and also our industry is an active actor. But yeah, it's a challenge for many, and I'm not sure-

Zach Peterson:
It sounds like what you're saying is that if you were to pick a given defense contractor at random, there is a high probability that they could do more, without naming anybody specifically.

Didrik Bech:
Yes, no, I think that's also what the CMMC is about. It's about not... You will never be good enough. You will have to have a continuous focus on improvement, like when you have an ISO. You will never reach the goal. Once you reach the goal, you'll just move the goal forward. But it's a continuous process where we cannot afford to stop. So once you think that you're great at cybersecurity, okay, what can we do better? Of course not take it to a unnecessary high level, according to the information you have, but it's a never ending process, and I'm not the judge, and I'm not qualified to judge how others are handling it. But I do believe there's room for improvement.

Didrik Bech:
And I think a good place to start is communicating more with each other, specifically in the supply chain, and making sure that if you have received demands from your tier, tier one, for example, or the product owner or the purchasing entity, make sure that the information is passed along and remember that you have a sole responsibility. So if you don't have any process or vetting or anything, then it might be a little bit challenging for you afterwards. So make sure that, okay, ask some questions, document it. What is this for? Is this for defense? Is this for medical? Is this for telecommunication? Ask some questions, start gathering data, and show that you are continuously working with it, and trying to improve. Letting it lie on the side and think everything is going to be fine, I do not think that's the best or wisest strategy to choose.

Zach Peterson:
Yeah. I like what you said about that gathering some data ahead of time, and at least knowing broadly what the end application is going to be. I've been involved in projects where they don't really tell you exactly what it's going to be. You get the technical data and you have a board that you're working, but you don't necessarily know what it's going to be used in until you've worked with the company for a few years. And over the course of those few years, you get little tidbits of information from emails, and you learn a little bit about what the company does. And then you connect the dots and realize, "Oh, that's what I'm working on. I should have probably been a little more careful with who I'm sharing this data with," or something like this.

Didrik Bech:
Yes. But sometimes people have a misconception about sharing data, to think, "If I don't say what it's about, then that's good." Actually, that's a risk, because you need to share that to your partner so they actually know, so they can say, "Oh, I understand, we didn't have the capability to receive this data and keep it secure. So you have to go to somebody else." Or they could say that, "Hey, that's very interesting. I looked up, I need to buy a new system to handle this kind of data. Could you please give me a week, and I'll fix it." So again, sharing is caring, but keeping it secret is actually putting everybody at risk. Imagine having an audit, and they're like, "And so what did you inform company X about?"

Didrik Bech:
Nobody, didn't inform them. What? You didn't inform them? How can they know? But it's also the responsibility of the company receiving information, having some documentation that you've asked at least some questions. I mean, if you go to their web page and you only see pictures of rockets and like, "Oh, I didn't know they worked in defense," you might have a small challenge there too. So it's not like they didn't tell me. Or I would like to say, plausible deniability does not count. You need to do something, and you need to show that you are improving or working with it. I'm not the judge [crosstalk 00:37:21], but I think I strongly advise people to have a strategy and work on it.

Zach Peterson:
Yeah. It seems like just saying, "This is export controlled," is almost the bare minimum in information that you're giving, right?

Didrik Bech:
Yes.

Zach Peterson:
I mean, if you're a firm that generally works on that type of project, I think you're a little more prepared to deal with that when it comes up. But if they don't tell you that and they don't tell you what it's going to go in, then I would agree with you. I think that the top level contractor is actually creating a new risk just by not telling someone to not share something.

Didrik Bech:
Yes.

Zach Peterson:
Essentially assuming, it should be obvious, they should know not to share this.

Didrik Bech:
Yes. And it's also been a tremendous price pressure for many, many years, and back to the inflation discussion almost. And you're not always saving money. You have to look at the total cost, not necessarily the price. So being aware of the potential consequences of this, and it's, as I say again, it's just go online and search and you'll see some tremendous fines. I know one company not long ago got a fine for $30 million for not handing the information properly. That will affect, not all companies, but a lot of the companies I know. And there's, remember that most companies are usually quite small. So $30 million, that's expensive, at least in [crosstalk 00:38:49].

Zach Peterson:
Especially when you start to consider how much of the contracting budgets, at least in the US, are statutorily required to be subbed out to small businesses.

Didrik Bech:
Yeah.

Zach Peterson:
That's a lot for those subcontractors.

Didrik Bech:
But I also think that the large subcontractors could be... There's an improvement in respect to having more gatherings where they invite all the small subcontractors, it could be by Zoom these days, and saying, "We would like to give you a course on compliance. When you receive information from us, these are systems recommend. You should consider. They're quite inexpensive and good, and reached, for example, FedRAMP approved server system," and so on. "We advise you to look into these things." Again, sharing more, not keeping it a secret. Keeping a secret is keeping a danger. Talking to your partner is securing your supply chain. Very simple.

Zach Peterson:
Those are really excellent points, especially putting some of that responsibility back on the prime contractor, to really help secure their subcontractors, and prevent fines from traveling up the chain, all the way potentially to them. So I think you're really hitting an important point of reliability. I'm wondering when some of those costs for data breaches, IP security, are really going to be priced in to what defense contractors do, because it is a risk, and those risks have to be priced into what they do. But this seems like a really simple way for them to reduce that risk, and be more competitive, especially when more regulation comes down that is going to place more requirements on not just the subs, but also the primes.

Didrik Bech:
Yeah. That's why it's one of the beauties of the DFARS regulation, for example, it's mandatory flow downs. So it's not a... I don't know how many discussions I've been to where people say, "Oh, it's a mandatory flow down this week, but we'll discuss and try to get this away," And I suppose that one training United States regarding this, this is non-negotiable. I mean, if you want to make a bid on the contract, these are the clause, so either take it or leave it. Don't spend time waste on trying to get away from it. This is what they want, and you have to deliver, or you cannot quote. So read the papers, and they're quite well written. Again there, I think the United States have come very far when it comes to giving out the proper information regarding what they expect. It's not perfect, and it sometimes can be a challenge, put it that way, but compared to other countries, I think we can learn a lot from you.

Zach Peterson:
Well, it sounds like I'm going to have to review what's in my DFARS report, because I've just had a lawyer prepare it, and I never read it, to be honest. They give me the questionnaire, I fill it out, they prepare it, and we call it a day.

Didrik Bech:
Yeah. Oh, you should know it. And there's also some great courses. You have federal publication seminars, FPS in the United States. They have seminars all the time. You can... I mean, all kinds of seminars you can go to. I'm just mentioning that because I happened to be there once. So there are possibilities to learn, if you want to. And train everybody. Send one person, let that person come back and train everybody. Implement simple routines, talk together, spend that time on that coffee. And then most likely it will be, perhaps not perfect, but on the way towards perfection.

Zach Peterson:
Absolutely. Well Didrik, thank you so much for joining us. This has been an extremely enlightening conversation, not just for me, but I hope also for all the listeners out there. And I hope anyone who's going to be at IPC Apex will take some time to listen to Didrik's presentation, and will all also take some time to join Altium Live in the EMEA region, from February two to February four. Both events are going to be very enlightening for designers, and we hope to see you all there. Didrik, thank you so much again for joining us. Hope to have you back later.

Didrik Bech:
Thank you, Zach. It was a pleasure being here, and look forward to seeing you again.

Zach Peterson:
Thank you so much. And to all the listeners out there, don't stop learning, stay on track, and go sign up for Altium Live if you haven't already. We're going to be in the Americas as well as in the EMEA region later in January, and EMEA region in February two to February four. Thanks everybody.