No one wants a repeat of the SUNBURST cyberattack, but without any action to improve cybersecurity within the software supply chain, another SUNBURST—or worse—attack is inevitable.
We may still see a devastating attack that takes down critical infrastructure or cripples major business systems, but at least steps are finally being taken to address the security flaws in software, at least within federal agencies. The Biden Administration introduced an executive order with guidelines aimed at strengthening the software supply chain using secure-by-design principles.
The executive order begins, according to a White House release, with a directive that government agencies “use only software that complies with secure software development standards, creates a self-attestation form for software producers and agencies, and will allow the federal government to quickly identify security gaps when new vulnerabilities are discovered.”
“The administration’s May 2021 Executive Order to strengthen cybersecurity highlighted that securing the software supply chain is a national priority,” Eilon Elhadad, senior director, supply chain security at Aqua Security, said in an email interview.
“The EO dictates that third-party companies who sell to the government or to a company who sells to the government must comply with national requirements to protect the nation from malicious cyber actors,” Elhadad added. “Since software supply chain attacks increased by over 300% in 2021, the EO came at a critical time.”
Why Government Intervention is Crucial for Cybersecurity
Federal guidance is crucial for supply chain security because it provides a standardized framework and best practices that organizations can follow to improve their security posture, explained Idan Wiener, CEO and co-founder at illustria.io, in an email conversation. This guidance ensures that organizations across all industries and business verticals are held to the same standards, making it easier to track compliance and identify areas for improvement.
“In my opinion, the establishment of federal guidelines can enhance the security of the software supply chain as it provides a well-defined set of expectations and requirements for organizations to adhere to,” said Wiener. “This is akin to my experience as a Navy captain, where guidelines and procedures helped create a cohesive unit that spoke the same language and reduced emerging risks.”
Additionally, federal guidelines better equip organizations to create a culture of security and encourage them to prioritize security in their software development processes.
To ensure a secure value stream through open source, the key is to adopt an inline approach that removes the responsibility of security from developers, allowing them to concentrate on writing code, Wiener pointed out. “By employing this approach, malicious actors can be stopped before they enter the company’s development process, reducing the need for costly fixes.”
Beyond the Executive Order
The executive orders are part of a new federal focus on improving cybersecurity in the software supply chain. Last year, the National Institute of Standards and Technology (NIST) developed a new framework, called for in the 2021 EO, that provided recommendations for mitigating the risk of software vulnerabilities. The broader federal strategy also includes a plan to shift software security liability onto federal software vendors and mentions building on software bills of materials (SBOMs).
“This liability shift is an opportunity for companies to demonstrate that their product is secure,” said Elhadad. “By developing and providing a software bill of materials (SBOM), companies can show a full and transparent security history of all of the software components.”
And last fall, the White House released another document with guidelines and deadlines for securing the software supply chain through security-by-design practices. Compliance attestation letters for critical software are due on June 11, 2023, and letters covering all software are due on September 14, 2023.
Clearly, the Biden administration has made cybersecurity and software supply chain security a priority.
“Supply chain security is a high priority because open source and commercial components can have a lot of vulnerabilities in them,” Carol Lee, director of the NSA’s Center for Assured Software, told FedTech. But will it be enough to make a difference in securing the supply chain?
“The traditional way to look at it is that a market that becomes more compliant forces itself to become better (e.g. endpoints, firewall),” said Elhadad. “As soon as we have standardization and guidelines, companies have something to rely on and security vendors are encouraged to innovate more.”
Image: Official White House Photo by Tia Dufour