If one were to delve beneath the surface and analyze the number one factor driving some of the most significant data breaches, legislation, and other technological trends in the federal space from the past year, one consistent thread would rise to the surface: the software supply chain.
Despite new legislation from the Biden Administration designed to protect the software supply chain, several government bodies fell victim to prominent supply chain attacks in 2023. Most notably, attackers exploited a vulnerability in the MOVEit Transfer software, which allowed them to infiltrate the software supply chain of thousands of companies without being detected. The Cybersecurity and Infrastructure Security Agency confirmed that several government agencies, banks, financial services companies, and universities were among the victims of the MOVEit Transfer software vulnerability that impacted over 60 million people worldwide.
With the evolution of AI, machine learning, and large language models increasing at warp speed, developers are producing more software than ever before, and cyber adversaries continue to be on the lookout for their next victim. It is critical that federal agencies have the tools and processes in place to secure the software supply chain.
Here’s where they should start:
Tip #1: Prioritize Software Bill of Materials (SBOMs)
In 2024, the software landscape is poised for significant changes, with a growing emphasis on SBOMs - an essential tool for today’s federal agencies. An SBOM provides increased transparency by disclosing software’s components, whether built or bought, much like an ingredient list on food labels. Using an SBOM, federal organizations are able to precisely assess software components’ risks and quickly address vulnerabilities — or simply pick a better software. President Biden’s Executive Order (E.O.) 14028 highlights the importance of SBOMs as a crucial way to drastically improve software supply chain security in response to growing cyber threats.
As concerns about supply chain attacks continue to escalate, compliance measures like E.O. 14028 will inevitably tighten, due to the increasing frequency and visibility of such large-scale cyber incidents. The proactive adoption of SBOMs is not only in response to heightened awareness, but will be the key differentiator in software maintenance and security. We suspect in this upcoming year that an increased emphasis will be placed on preventing and disclosing supply chain threats, similar to the SEC’s updated breach disclosure laws, and similar compliance initiatives to be taken around the world.
Tip #2: Emphasize real-time visibility
The goal of preventing software supply chain attacks in the public sector will come from identifying software supply chain threats in real time before they unfold. That in itself is a challenge as the majority of these incidents’ are near impossible to detect especially when so many software producers and consumers still cannot answer the question, “what’s in your software?”
The reason for the lack of knowledge? Chances are pretty high that federal organizations are relying on open-source software components — in fact, open source currently makes up approximately 70% to 90% of software today. Despite its popularity, it doesn’t come without risk. Lineaje research from last year revealed that an overwhelming majority (82%) of open-source software components are susceptible to vulnerabilities, maintainability concerns, quality issues, or similar security problems. Some open-source components (a little over 5%) fail basic integrity checks — which might have prevented the compromises that led to the 3CX attack.
Real-time visibility into the quality of software components is going to be the difference between a well-maintained and secure software supply chain, and the next big software supply chain attack. It’s critical that we address the danger landscape quicker than before in order to effectively secure the digital future.
Tip #3: Identify the lineage of AI
In the past year, organizations have increasingly focused on preventing cyberattacks targeting AI systems. This heightened attention is driven by the rising use and popularity of AI, enabling threat actors to exploit vulnerabilities in the software, particularly with open source models lacking sufficient guardrails. However, a crucial aspect is being overlooked. Many federal security teams are concentrating on defending against threats once AI is operational, fearing that threat actors might manipulate AI to influence engineering, IT, or security actions, potentially leading to compromises.
A frequently overlooked scenario in AI security is that security should start from the very beginning of building AI systems. This means taking a proactive approach to identifying and addressing vulnerabilities that could be exploited by attackers. One way to do this is by adopting a “shift left” or “left of shift left” approach, which involves integrating security practices early in the development process. This approach allows developers to identify and address potential vulnerabilities before they become threats, reducing the risk of exploitation.
Therefore, federal agencies need to consider the lineage of any AI applications being used, understanding that key vulnerabilities may have been overlooked during the build phase. Being vigilant and attesting AI-based software is critical to fortifying an organization’s defenses against evolving cyber threats, ensuring the integrity of systems, and maintaining a robust security posture.
Software is at the pulse of how federal agencies operate today. It’s critical that organizations stay ahead of software maintenance and security to protect the software supply chain and prevent a compromise of national security. By starting with these three tips, federal organizations can put themselves in a better position to address today’s top threats to the software supply chain.
Nick Mistry is SVP and CISO of Lineaje, a provider of Continuous Software Supply Chain Security Management services to companies and government.