Over the last decade, software supply chain attacks have become increasingly more sophisticated—and more damaging.
Despite this, today’s technology vendors and buyers are completely unprepared to cope with software supply chain attacks. Even global giants Microsoft and VMware were unable to prevent infiltration of their infrastructure in last year’s attack, which targeted multiple branches of the U.S. federal government.
But how did we get to this point… and why are organizations across all industries seemingly powerless to protect themselves against software supply chain attacks?
Why Attack the Software Supply Chain?
The first thing to understand is the role of software in supply chain attacks.
Most of the high-profile attacks seen in recent years have initially targeted one or more software vendors that sell to the ultimate target. For instance, while the primary targets in last year’s attacks were federal agencies, the actors responsible initially focused on compromising software vendors that supplied those agencies. This is because it is extremely difficult for buyers to assess the security of commercially available software.
Even high-end buyers like federal agencies are unprepared to tell whether a supplier can withstand cyber attacks. Thoroughly vetting a product before procurement takes months, and an agency or organization can easily use dozens or even hundreds of technology products. A lack of time, resources, and standardized vetting processes means that, in practice, even organizations with highly sensitive functions and responsibilities are unprepared to assess their software supply chain risk.
“When you buy a piece of software, it’s compiled. We can’t look at the source code to search for vulnerabilities, and even if we could, we don’t have the resources to do that for every product we use. Federal agencies do their best with outdated approved software lists and intra-agency communication to avoid duplication of effort, but it’s a slow and cumbersome process, and there are no guarantees.”
— Gerald Caron, Chief Information Officer (CIO), Assistant Inspector General for Information Technology (AIG/IT), Department of Health and Human Services (HHS), Office of the Inspector General (OIG)
Why Aren’t Software Suppliers Prepared?
So, why is the standard of software supply chain risk management so low in the technology industry? Principally, it comes down to a series of technical, legal, and economic challenges:
Technical Cybersecurity Challenges
Outdated security strategies. The traditional, perimeter-centric approach to cybersecurity is outdated and not sufficient to protect against today’s software supply chain attacks. With distributed network architecture and an increasingly remote workforce, relying exclusively on barrier technologies like firewalls and Intrusion Detection/Prevention Solutions (IDS/IPS) is no longer reasonable.
Over-reliance on Artificial Intelligence (AI). AI and machine learning (ML) are effective for identifying attacks that have been seen before. However, new software, exploits, and attack behaviors are invisible to technologies that rely on AI/ML. Attacks against high-profile U.S. organizations and their supply chains will likely include new elements, rendering AI/ML solutions ineffective.
Assuming organizations can prevent breaches. This is no longer true. No matter how mature an organization’s security is, it will sometimes be breached. It must be able to detect, remove, and recover from these breaches quickly and efficiently with minimal exposure of sensitive assets or data.
Treating software supply chain attacks as purely a development problem. Many software supply chain attacks insert malicious code during the development process. However, the solution is not purely to secure development environments. Modern software supply chain attacks are multi-stage operations that require an initial entry point, movement through the network, privilege escalation, and often injection of further malicious software. Preventing these attacks requires a ground-up cybersecurity approach that enables vendors to detect, address, and recover from intrusions before a bad actor can enact its mission.
Legal and Economic Challenges
Lack of legal consequences for vendors. An organization or federal agency can be investigated and fined for losing restricted information. However, there is usually no legal consequence for a technology vendor for failing to secure its infrastructure properly. It’s down to buyers to select vendors they believe will take adequate security measures—however, as noted above, it’s not realistic to expect buyers to complete the necessary due diligence for every technology vendor in their supply chain.
There is no legal standard for SCRM. Currently, technology vendors have no legal obligation to meet certain security standards to protect customers from software supply chain attacks. Most vendors do have regulatory compliance requirements that influence cybersecurity investments and decisions. However, these are not sufficient to protect critical U.S. targets from the danger of supply chain attacks.
These legal issues create a further economic barrier. Even if a vendor wanted to take the initiative to improve SCRM, they are economically blocked. The cost of substantially improving SCRM capabilities will be significant, and—unless all vendors are legally obliged—would place a vendor at a competitive disadvantage in the marketplace. Even if a vendor was willing to absorb this, there’s a final problem:
There is no agreed standard for SCRM improvements. This makes it hard for vendors to justify the expense of improving SCRM and equally tough for buyers to evaluate vendors’ SCRM maturity. Most vendors will not invest significantly in SCRM until they know what legal obligations lie ahead.
Protecting the U.S. From Software Supply Chain Attacks
Combined, the challenges above create a situation where software vendors are both disincentivized and strategically limited in their ability to identify and protect against software supply chain attacks. Without a series of changes to regulations and security strategies, this will inevitably lead to further high-profile software supply chain attacks against U.S. targets—and, in all probability, they will happen soon.
Our new white paper, ‘Protecting the U.S. From Supply Chain Attacks,’ explains why technology vendors are frequently the weak link that allows criminal and state-sponsored hacking groups to access sensitive data and systems, conduct espionage, and disrupt operations. To protect against the dangers of software supply chain attacks, technology vendors must have a legal obligation to uphold a minimum standard of SCRM.
Download the report to learn:
- Why President Biden’s Executive Order and new publications from NIST and CISA aren’t enough to protect the U.S. from supply chain attacks.
- What consequences a supply chain attack could have for federal agencies, state governments, and even private organizations.
- The risk posed by unregulated technology vendors and why it’s unrealistic to expect buyers to shoulder the burden of vetting every supplier’s SCRM capabilities.
- Our proposed approach to address supply chain risk in the U.S. and how regulators could structure a legal framework for SCRM.
March 29, 2022