Securing the software supply chain is a “major source” of national security risk for both public and private-sector organizations, a new report from the Atlantic Council argues.
The report, released today, stresses that, unlike the physical components of a device, software is continually updated. This means the supply chain for software is long and depends entirely on users trusting their vendors and developers.
However, the Atlantic Council says that software supply chain security remains an “underappreciated domain of national security policymaking.” Software has spread into nearly everything, from watches with file systems to combat aircraft that require software updates, and policymaking hasn’t kept pace with that expanded presence, the report says. Securing the software supply chain requires a “more coherent policy response” from the government and the technology industry.
In its report, the Atlantic Council analyzed 115 supply chain attacks and vulnerability disclosures over the past 10 years and found that “software supply chain attacks are popular, impactful, and … provide huge value for attackers and remain popular.” These attacks can give foreign adversaries – the report specifically mentioned Russia, China, North Korea, and Iran – access to critical infrastructure such as electrical power generation and nuclear enrichment systems.
The report identified five “key trends” with software supply chain attacks:
- Attacks were frequently perpetrated by state actors, including Russia, China, North Korea, and Iran as well as India, Egypt, the United States, and Vietnam.
- Attacks worked to undermine public key cryptography and certificates used to ensure the integrity of code.
- Attackers frequently targeted software updates to install malicious code against a massive number of targets.
- Attackers worked to modify open-source code by gaining account access or posting their own packages with names similar to common open-source files.
- Attackers targeted popular app stores, such as the Google Play Store, Apple’s App Store, as well as other third-party app hubs to spread malware to mobile devices.
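The fourth trend above, lookalike package names in open-source registries, is one a defender can check for mechanically before a dependency is installed. The following script is an added example and is not code from the Atlantic Council report or the article; the allowlist of “known” package names and the sample manifest it scans are constructed data, and the edit-distance thresholds are assumptions a team would tune for its own ecosystem.

```python
"""Flag dependency names that look like lookalikes of well-known packages.

Added example, not from the report. The allowlist and manifest below are
constructed sample data, not real registry output.
"""
import re

# Constructed allowlist of well-known package names (assumption: in practice
# this comes from an internal approved list or the registry's most-downloaded set).
KNOWN_PACKAGES = {"requests", "urllib3", "numpy", "cryptography",
                  "python-dateutil", "pyyaml"}

# Constructed sample requirements file with a few suspicious entries mixed in.
SAMPLE_MANIFEST = """\
# constructed sample manifest
requests==2.31.0
reqeusts>=1.0
numpy
python-dateutils
urlib3
py-requests
PyYAML
"""


def normalize(name):
    # Python registries treat '-', '_' and '.' as equivalent and compare
    # names case-insensitively, so compare on that canonical form.
    return name.lower().replace("_", "-").replace(".", "-")


def edit_distance(a, b):
    # Plain Levenshtein distance; package names are short, so O(len a * len b) is fine.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(name, known=KNOWN_PACKAGES, max_distance=2):
    """Return (known_name, reason) if `name` resembles a known package, else None."""
    n = normalize(name)
    known_norm = {normalize(k): k for k in known}
    if n in known_norm:
        return None  # exact match after normalization: it is the real package
    for kn, original in known_norm.items():
        # Short names get a tighter threshold to limit false positives (assumed tuning).
        limit = 1 if len(kn) <= 6 else max_distance
        if edit_distance(n, kn) <= limit:
            return (original, "edit-distance")
        # Known name wrapped in a short prefix/suffix, e.g. "py-requests", "requests3".
        if kn in n and len(n) - len(kn) <= 3:
            return (original, "affix")
    return None


def scan_manifest(lines):
    """Scan requirements-style lines; return (name, known_name, reason) per finding."""
    findings = []
    for line in lines:
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        # The requirement name ends at the first extras/version/marker character.
        name = re.split(r"[<>=!~\[; ]", line, maxsplit=1)[0]
        hit = lookalike_of(name)
        if hit:
            findings.append((name, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for name, known, reason in scan_manifest(SAMPLE_MANIFEST.splitlines()):
        print(f"SUSPICIOUS: {name!r} resembles {known!r} ({reason})")
```

Running this over the constructed manifest flags `reqeusts`, `python-dateutils`, `urlib3` and `py-requests` while passing the genuine `requests`, `numpy` and `PyYAML` entries. A check like this belongs in CI alongside, not instead of, signature and hash verification of what is actually downloaded: a name that looks right still says nothing about whether the artifact was tampered with.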
The Atlantic Council also offered up three recommendations for both policymakers and industry stakeholders to harden supply chain security:
- Improve the baseline – “Perhaps the most useful thing the policy community can do is offering support for widely compatible standards and tools to reduce the burden of secure software supply chain management on developers.”
- Better protect open source – “The policy community must support efforts to secure open-source projects, or it will watch a critical and innovative ecosystem wither.”
- Counter systemic threats – “The United States must work with allies to protect against deliberate efforts to undermine software supply chains. Efforts by states to impersonate software vendors undermine defenders’ ability to patch flaws in code and improve the security of software through the entirety of its lifecycle.”