In recent articles, we’ve written extensively about software supply chain attacks, including:
- What they are and why they pose such a huge threat
- Why the U.S. is still vulnerable to them despite several regulatory changes
- Why current initiatives (including EO 14028) are unlikely to solve the problem
All of this leads to an obvious question: what should the U.S. do about supply chain attacks?
It’s Time to Regulate Technology Vendors
To adequately protect the U.S. economy, citizens, and critical infrastructure from software supply chain attacks, regulators should consider a legal mandate that requires technology vendors to implement:
- A higher standard of cybersecurity in the development environment and across the business.
- A robust risk assessment of their own supply chains to protect against similar threats.
These requirements should go beyond those laid out in EO 14028 and NIST SP 800-161. The following section outlines proposed requirements to ensure technology vendors that play a crucial role in U.S. federal and critical infrastructure supply chains are resilient against modern supply chain attacks.
Proposed Requirements for Technology Vendors
Requirement #1: Follow an Agreed Framework for SCRM
One of the challenges facing technology buyers is the lack of an agreed framework for implementing supply chain risk management (SCRM). Technology vendors can implement their own version of an SCRM practice, but it’s difficult for buyers to determine its validity or effectiveness without a best practice to compare it to.
The specific requirements of such a framework are beyond the scope of this document and should be agreed upon by a combined effort of public and private entities, as with other industry best practices. The framework should align with accepted industry standards such as the NIST Cybersecurity Framework (CSF).
An example of such a framework is the Zero Trust Continuous Configuration Enforcement (ZT-CCE) model developed by ComplianceForge, Cimcor, Defcert, and BDO, which sets out a phased model to prioritize SCRM activities.
Requirement #2: Focus on Baseline Integrity
Most cybersecurity programs place too much emphasis on complex tools while neglecting the basics. Coupled with an outdated focus on perimeter defense, this leaves organizations continually reacting to incoming threats and never establishing control over their environments. Guidance issued by organizations like NIST and Gartner consistently highlights the importance of fundamental cybersecurity capabilities like configuration management, change management, and vulnerability management.
The diagram below has been issued repeatedly by Gartner and has been largely unchanged for the last decade.
The basic controls mentioned above are the foundation for effective cybersecurity and should be solidified before progressing to more complex controls. Having a solid basis in these disciplines makes an organization far more resilient to cyber attacks, as it is much more difficult for a bad actor to establish and grow a foothold inside a network that is securely configured and free from vulnerabilities.
Requirement #3: Establish Closed-Loop Change Control
Everything that happens in a network begins with a change. The ability to distinguish between good and bad changes determines an organization's ability to detect, prevent, and respond to attacks.
Closed-loop change control works from an established, trusted baseline of what is allowed within a network and then aims to prevent, limit, or reverse everything else. Whenever an unknown, unexpected change occurs, the organization manages it by exception, either adding it to the list of acceptable changes or preventing it altogether. The Integrity Assurance Loop demonstrates how this works:
With the right combination of technology and a trusted, authoritative baseline, this loop need only occur for unknown changes, i.e., changes that aren’t yet known to be good or bad. Further, most of the loop can be automated, so human intervention is only required for a small percentage of changes.
This closed-loop process is fundamental to cybersecurity and IT operations. It is codified into best practice frameworks like NIST CSF and the IT Infrastructure Library (ITIL). Despite this, very few organizations have mature change control processes, leaving them highly vulnerable to cyber-attacks.
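The sketch below is an added illustration of the closed-loop idea described above, not code from the article or from any product it mentions. The `ChangeControl` class, its method names, and the sample paths and contents are all hypothetical: known-good changes are promoted into the baseline, known-bad changes are marked for reversal, and only unknown changes reach a reviewer, whose verdict makes the same change automatic on the next pass.

```python
import hashlib
from dataclasses import dataclass, field

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class ChangeControl:
    baseline: dict                                # path -> trusted SHA-256
    approved: set = field(default_factory=set)    # (path, digest) known-good changes
    denied: set = field(default_factory=set)      # (path, digest) known-bad changes
    review_queue: list = field(default_factory=list)

    def reconcile(self, observed: dict) -> dict:
        """Compare observed state to the baseline; return path -> action."""
        actions = {}
        for path in sorted(set(self.baseline) | set(observed)):
            want, have = self.baseline.get(path), observed.get(path)
            if want == have:
                continue                          # matches the baseline: nothing to do
            if (path, have) in self.approved:
                actions[path] = "accept"
                if have is None:
                    del self.baseline[path]       # approved removal
                else:
                    self.baseline[path] = have    # promote into the baseline
            elif (path, have) in self.denied:
                actions[path] = "revert"          # restore the baseline state
            else:
                actions[path] = "review"          # unknown: manage by exception
                self.review_queue.append((path, want, have))
        return actions

    def decide(self, path: str, have, allow: bool) -> None:
        """Record a reviewer's verdict so this change is handled automatically next time."""
        (self.approved if allow else self.denied).add((path, have))
        self.review_queue = [q for q in self.review_queue if (q[0], q[2]) != (path, have)]

def demo():
    # Constructed sample state; paths and file contents are illustrative only.
    cc = ChangeControl({"/etc/app.conf": sha256(b"tls=on\n"), "/usr/bin/agent": sha256(b"v1")})
    cc.approved.add(("/usr/bin/agent", sha256(b"v2")))         # authorised upgrade
    observed = {"/etc/app.conf": sha256(b"tls=off\n"),         # unexpected edit
                "/usr/bin/agent": sha256(b"v2"),
                "/tmp/unknown.bin": sha256(b"?")}              # unexpected new file
    first = cc.reconcile(observed)
    for path, _want, have in list(cc.review_queue):
        cc.decide(path, have, allow=False)                     # reviewer rejects both
    return first, cc.reconcile(observed), cc.review_queue
```

On the first pass two of the three changes need a human decision; on the second pass none do, which is the property the paragraph above describes.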
Protecting the U.S. From Supply Chain Attacks
Combined, the three requirements above would force technology vendors to implement and maintain a cybersecurity program founded on the fundamentals of effective security. However, there is one more key ingredient in such a program: a focus on resilience.
The next article will explain precisely what resiliency-focused security operations look like and why they are a crucial component of any cybersecurity program. By embedding resilience as a legal requirement for technology vendors, the U.S. could drastically reduce the risk and impact of software supply chain attacks.
If you can’t wait for the next post, you can download our new white paper, ‘Protecting the U.S. From Supply Chain Attacks,’ instead. It explains why technology vendors are frequently the weak link that allows criminal and state-sponsored hacking groups to access sensitive data and systems, conduct espionage, and disrupt operations. To protect against the dangers of supply chain attacks, technology vendors must have a legal obligation to uphold a minimum standard of SCRM.
Download the report to learn:
- Why President Biden’s Executive Order and new publications from NIST and CISA aren’t enough to protect the U.S. from supply chain attacks.
- What consequences a supply chain attack could have for federal agencies, state governments, and even private organizations.
- The risk posed by unregulated technology vendors and why it’s unrealistic to expect buyers to shoulder the burden of vetting every supplier’s SCRM capabilities.
- Our proposed approach to address supply chain risk in the U.S. and how regulators could structure a legal framework for SCRM.
April 5, 2022