The United States Presidential Executive Orders of February 2021 and May 2021 shined a light on the growing sophistication and intensity of cyber threats and the necessity for supply chain integrity. What started as an initial stroke at protecting critical U.S. federal systems from cyberattacks has turned into a steady drumbeat of activity that has only intensified and spread beyond the borders of the United States and into the private sector.
What's Happening in the United States?
Turning the Presidential Executive Orders of 2021 into action has been the focus throughout much of 2022.
Federal Agencies – 2024 Deadline
In January 2022, the Office of Management and Budget (OMB) issued the Memorandum: "Moving the U.S. Government Toward Zero Trust Cybersecurity Principles," which set an end-of-2024 fiscal year deadline for agencies to meet specific cybersecurity standards and objectives in accordance with the Presidential Executive Orders of 2021. The OMB specifically advised agencies to align with the Cybersecurity and Infrastructure Security Agency (CISA)'s five-point Zero Trust model.
Additionally, agencies already complete a Security Assessment Report (SAR) as part of the authorization process for information systems. The OMB wants to lean further into this application security testing by evolving the SARs to include "not just information gathered by automated tools for vulnerability scanning and code analysis of custom-developed software, but also analysis prepared by more time-intensive, specialized, and application-specific methods." To help accomplish this, OMB advised agencies to follow the NIST July 2021 "Guidelines on Minimum Standards for Developer Verification of Software."
As a follow-up to the July minimum standards publication, the National Institute of Standards and Technology (NIST) released "Software Supply Chain Security Guidance Under Executive Order 14028" in February 2022. The document provided guidance and best practices for securing the software supply chain. Specifically, it introduced the concepts of "attestation" (a statement that requirements have been met) and "artifact" (a piece of evidence).
"When a federal agency (purchaser) acquires software or a product containing software, the agency should receive attestation from the software producer that the software's development complies with government-specified secure software development practices. The federal agency might also request artifacts from the software producer that support its attestation of conformity with the secure software development practices."
While this covers the point of purchase, the guidance then goes a step further toward the source of the problem. Given the "dynamic nature of software development," NIST highlights the need for ongoing attestation "performed as part of the processes and procedures throughout the software lifecycle."
In May 2022, NIST provided additional, comprehensive guidance in "Software Security in Supply Chains" related to the "acquisition, use, and maintenance of third-party software." The guidance also offered recommended concepts and capabilities spanning Software Bill of Materials (SBOM), vendor risk assessments, open source software controls, as well as practices for vulnerability management.
Some of the sustaining capabilities the guidance recommends include:
Binary Software Composition Analysis (SCA) to identify vulnerable components, specifically those that include open source.
Setting up and maintaining one or more repositories and/or libraries of open source software for developer use.
Then, in September 2022, the OMB issued another memorandum "Enhancing the Security of the Software Supply Chain through Secure Software Development Practices." Guided by the President's Executive Order on Improving the Nation's Cybersecurity, this memo provides further direction on how to comply with the Order's demand that federal systems and vendors utilize software that meets common cybersecurity standards.
The OMB memo directs agencies to "use only software that complies with secure software development standards, creates a self-attestation form for software producers and agencies, and will allow the federal government to quickly identify security gaps when new vulnerabilities are discovered." In other words, software vendors now need to vouch for the security of their product, and self-certify that their software has been developed in accordance with the best security practices outlined in two documents published by NIST: the "Secure Software Development Framework" (SSDF), published in February 2021, and the February 2022 "Software Supply Chain Security Guidance," highlighted at the beginning of this section.
Guidance for Developers
In September 2022, The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) released "Securing the Software Supply Chain: Recommended Practices Guide for Developers."
It specifically highlighted the changing nature of threats and the outsized and pervasive impact of malicious code:
"A traditional software supply chain cycle is from point of origin to point of consumption and generally enables a customer to return a malfunctioning product and confine any impact. In contrast, if a software package is injected with malicious code which proliferates to multiple consumers; the scale may be more difficult to confine and may cause an exponentially greater impact. Common methods of compromise used against software supply chains include exploitation of software design flaws, incorporation of vulnerable third-party components into a software product, infiltration of the supplier's network with malicious code prior to the final software product being delivered, and injection of malicious software that is then deployed by the customer."
There are a number of practical measures to mitigate the risk of intentional or unintentional malicious code injection:
A well-balanced, authenticated source control check-in process, including protection of the source code repository. Recommended protections include a log of all developers and the components they download.
Automatic static and dynamic vulnerability scanning on all components of the system. The guide also recommends that "separate and higher quality scanning tools should also be used within the product build environment."
Employing both informal and formal code reviews.
The mapping of development efforts to specific system requirements. This helps avoid "feature creep" that could inject vulnerabilities...
Hardening the development environment, using approaches similar to those used to protect production systems.
Continuous training for developers in secure development practices.
Conducting nightly builds with security regression tests.
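The sustaining capabilities above (binary SCA and a curated open source repository) and the nightly security regression build come together naturally as an SBOM gate. The following is an added example, not code from any of the guidance documents cited here: it reads a CycloneDX-style SBOM (only the real `components` and `purl` fields are used) and flags components that are not in an approved internal repository or that fall below the fix version of a known advisory. The SBOM contents, the approved list, the advisory identifiers and the package names are all constructed sample data.

```python
"""Minimal SBOM consumption gate: check each component in a CycloneDX-style
SBOM against an approved internal open source repository and a vulnerability
feed. Added example; the SBOM, approved list and feed are constructed data."""
import json

# Constructed CycloneDX-style SBOM (only the fields this gate reads).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "fastjsonlib", "version": "2.14.1", "purl": "pkg:maven/example/fastjsonlib@2.14.1"},
        {"name": "fastjsonlib", "version": "2.16.0", "purl": "pkg:maven/example/fastjsonlib@2.16.0"},
        {"name": "leftpadx", "version": "1.3.0", "purl": "pkg:npm/leftpadx@1.3.0"},
        {"name": "internal-utils", "version": "0.9.2", "purl": "pkg:pypi/internal-utils@0.9.2"},
    ],
})

# Constructed "approved repository": package -> versions developers may pull.
APPROVED_REPO = {
    "pkg:maven/example/fastjsonlib": {"2.16.0", "2.17.0"},
    "pkg:pypi/internal-utils": {"0.9.2"},
}

# Constructed vulnerability feed: package -> list of (advisory id, first fixed
# version). The advisory ids are placeholders, not real identifiers.
VULN_FEED = {
    "pkg:maven/example/fastjsonlib": [("ADV-EXAMPLE-0001", "2.15.0")],
}

def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def split_purl(purl):
    """'pkg:npm/leftpadx@1.3.0' -> ('pkg:npm/leftpadx', '1.3.0')."""
    name, _, version = purl.partition("@")
    return name, version

def evaluate_sbom(sbom_json, approved=APPROVED_REPO, feed=VULN_FEED):
    """Return a sorted list of (purl, finding) pairs; an empty list means the
    build passes this gate."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        pkg, version = split_purl(comp["purl"])
        # Curated repository check: the package and its version must be approved.
        if pkg not in approved:
            findings.append((comp["purl"], "not in approved open source repository"))
        elif version not in approved[pkg]:
            findings.append((comp["purl"], "version not approved in repository"))
        # SCA check: flag versions below the fix version of any known advisory.
        for adv_id, fixed_in in feed.get(pkg, []):
            if parse_version(version) < parse_version(fixed_in):
                findings.append((comp["purl"], f"{adv_id} (fixed in {fixed_in})"))
    return sorted(findings)

if __name__ == "__main__":
    for purl, finding in evaluate_sbom(SAMPLE_SBOM):
        print(f"{purl}: {finding}")
```

A nightly build would fail when the returned list is non-empty, which turns the SBOM from a reporting artifact into an enforcement point.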
Advancements in Software Bill of Materials (SBOM)
In 2018, the National Telecommunication and Information Administration (NTIA) began collaborating with other groups to promote software component transparency. This later became 2021's Elements for a Software Bill of Materials, as well as an online resource center for all things SBOM. (Notably, the NSA/CISA/ODNI September report specifically calls out SBOMs in its list of Release Criteria and specifically advises following NTIA guidance.)
The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has continued to evolve and refine the concept of an SBOM, specifically taking into account the broader ecosystem, cloud-native use cases, and interoperability. In addition to hosting a number of listening sessions, its four workgroups meet weekly.
In June 2022, the Supply Chain Security Training Act of 2021 became law. This directs the Federal Acquisition Institute to develop a training program that "mitigate[s] supply chain security risks that arise throughout the acquisition lifecycle, including for the acquisition of information and communications technology." The Supreme Court Security Funding Act of 2022, passed in August 2022, specifically calls out software supply chain security practices. Other bills, such as the DHS Software Supply Chain Risk Management Act of 2021, continue to move through the legislative process and focus on the supply chain as the key element in strengthening cybersecurity.
In September 2022, the Securing Open Source Act of 2022 was introduced in the Senate, underscoring the strategic importance of open source to the federal community, indicating that CIOs "should enable, rather than inhibit, the secure usage of open source software at each covered agency." Further, the Act imposes deadlines related to publishing a framework for assessing risk for software components and performing an assessment of open source software components "used directly or indirectly by Federal agencies." The Act also directs engagement with private companies, nonprofit organizations, and individuals within the open source software community.
In March 2022, the Securities and Exchange Commission (SEC) issued a proposed rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. This could require public companies to make public disclosures to investors about cybersecurity incidents within days of the discovery. SEC specifically called out that "cybersecurity incidents involving third-party service provider vulnerabilities are becoming more frequent" as being one of the key drivers behind this rule proposal.
In April 2022, the Food and Drug Administration (FDA) sought comment on medical device cybersecurity in "Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions." Specifically, it recommended that "Cybersecurity Bill of Materials" be replaced with "Software Bill of Materials" on pre-market submissions. More than 100,000 comments were submitted by the July 2022 due date.
Idaho National Laboratory, associated with the U.S. Department of Energy, continues the work it initiated in 2021 on an Energy sector SBOM Proof of Concept.
What's Happening in Canada?
In June 2022, the Canadian government completed a first reading of Bill C-26, titled "An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts." While the bill specifically pertains to telecommunication service providers, it would require them to "manage any organizational cyber security risks, including risks associated with the designated operator's supply chain and its use of third-party products and services."
Despite this initial legislative focus on a specific vertical, data shows that software supply chain integrity is a concern across the broader Canadian business community. In its "2022 Canadian Digital Trust Insights" survey, PwC reported that 54% of Canadian respondents expect a reportable increase in 2022 from attacks on the software supply chain but that only 44% say they thoroughly understand their third-party cyber and privacy risks.
What's Happening in the United Kingdom?
In 2021, Her Majesty's Government issued the call for views on supply chain security, kicking off the nation's cyber resilience initiative. In parallel, a "Cyber Resilience Captains of Industry" survey was issued to over 100 UK business leaders to get their perceptions on cyber security and supply chain risk.
In February 2022, the UK government unveiled its National Cyber Security Strategy 2022, which cites supply chain vulnerabilities as an area of concern. The strategy specifically tasks the Department for Digital, Culture, Media, and Sport (DCMS) with the implementation of Network and Information Systems (NIS) regulations in coordination with the National Cyber Security Centre (NCSC). As the NIS Regulations were last updated in 2020, further revision is likely.
In July 2022, the UK government issued a Proposal for Legislation to "Improve the UK's Cyber Resilience." The proposal specifically highlighted the outsized impact even small security risks in the supply chain can have on the wider economy:
"Recent high-profile cyber attacks, such as the December 2020 SolarWinds supply chain compromise, the May 2021 ransomware attack on the US Colonial Pipeline, and the July 2021 attack on the managed service provider Kaseya demonstrate how malicious actors are able to compromise a country's national security and disrupt activities in the wider economy and society... Cyber security risks are passed through supply chains. This can result in seemingly small players in a supply chain introducing disproportionately high levels of cyber security risk... The attacks set out in the previous paragraph are a stark reminder that cyber security threat actors are capable of exploiting vulnerabilities in supply chains."
In parallel, also in July 2022, DCMS issued its "Cyber Security Breaches 2022" survey, which asked UK businesses about cyber attack impact, response, and readiness for future challenges.
In this survey:
estimate a cyber attack happens at least once a week.
say they have experienced a negative outcome as a direct result of a cyber attack.
have taken action on at least five of the National Cyber Security Centre's 10 Steps to Cyber Security.
This is not confined to particular verticals. According to this survey, fewer than one in two firms in any sector are reviewing the potential security risks in their wider supply chain.
What these survey results suggest is that, while the risks are pressing and clearly identified, businesses are not yet taking action to remediate them.
What's Happening in Germany?
In 2021, Germany issued the Information Security Act 2.0 (IT-SiG) and the Second Ordinance Amending the BSI Criticality Ordinance (BSI KritisV), the latter of which went into effect in January 2022.
IT-SiG specifically states that suppliers, i.e. manufacturers of critical components, will also be subject to certain obligations to safeguard the entire supply chain. An element of this is a requirement to proactively report vulnerabilities to customers and to eliminate said vulnerabilities.
Organizations identified to be of critical importance to the government and community are subject to these regulations and associated penalties, which can go as high as several million Euros. These critical groups include a broad cross-section of government services and industries.
What's Happening in Japan?
Japan passed "Act on Promotion of Economic Security by Integrated Implementation of Economic Measures," landmark national security legislation, in May 2022. The act has four main pillars, with the first two focused on supply chain stability and security for critical infrastructure, the latter said to be modeled on the U.S. and German approaches. The law is expected to take effect on or before February 2023.
In August 2022, the Open Source Security Summit came to Japan. Hosted by the Linux Foundation and the Open Source Software Security Foundation (OpenSSF), under the auspices of the Ministry of Economy, Trade, and Industry, the event served as a follow-up to May 2022's Open Source Software Security Summit II. Following the Executive Orders of 2021, these industry groups, in association with the White House's National Security Council and prominent technology companies, have collaborated on a 10-Point Open Source and Software Supply Chain Security Mobilization Plan, which advocates for "SBOM Everywhere" along with "better supply chain security tools and best practices."
"While reliance on software technology, including OSS [Open Source Software], is increasing, software management methods, vulnerability handling and license support are becoming increasingly important, such as the announcement of the Log4j vulnerability. As I will introduce today, the Ministry of Economy, Trade and Industry is also making various efforts to ensure the security of software including OSS, by developing a collection of practices for OSS management methods and conducting a demonstration of the use of SBOM. Through this meeting, we hope to deepen our knowledge of software security including OSS, and to promote more active efforts in Japan to resolve issues such as management methods and vulnerability countermeasures."
What's Happening in the European Union?
After issuing its landmark 2021 report titled "Understanding the increase in Supply Chain Security Attacks," which reviewed 24 different software supply chain attacks, the European Agency for Cyber Security (ENISA) shared its "Cybersecurity Threat Landscape Methodology" report in July 2022, which uses supply chain threats as its worked example.
Further, the European Union has joined with the United States government to launch the U.S.-European Union Trade and Technology Council. While their May 2022 statement would suggest their initial focus is on supply chain resiliency around critical components, such as semiconductors, the broader plan points to cross-continent collaboration around the broader software supply chain with an eye toward protecting national security.
In May 2022, European Parliament and European Union Member States reached an agreement on New Rules on Cybersecurity of Network and Information Systems, which advocates for a high common level of cybersecurity across the European Union. This is known as the NIS 2 Directive, which:
"...strengthens cybersecurity requirements imposed on the companies, addresses the security of supply chains and supplier relationships, and introduces accountability of top management for non-compliance with the cybersecurity obligations."
What's Happening in the Indo-Pacific Region?
In May 2022, the Prime Ministers of Australia, India, Japan, and the President of the United States (a group known as the Quad) announced a collective approach to addressing cybersecurity issues:
"To deliver on the Quad Leaders' vision for a free and open Indo-Pacific, we commit to improving the defense of our nation's critical infrastructure by sharing threat information, identifying and evaluating potential risks in supply chains for digitally enabled products and services, and aligning baseline software security standards for government procurement, leveraging our collective purchasing power to improve the broader software development ecosystem so that all users can benefit."
The group has also collaborated on a "Common Statement of Principles on Critical Technology Supply Chains," which aligns around four key principles: Security, Transparency, Autonomy, and Integrity. The Quad's activities will continue to be coordinated under the banner of the Quad Cybersecurity Partnership.
What's Happening Globally?
The NATO Cooperative Cyber Defence Centre of Excellence released a January 2022 report titled: "Recent Cyber Events: Considerations for Military and National Security Decision Makers." The report highlighted various types of supply chain compromises, including the exploitation of software development tools. It specifically underscored the role businesses, and by extension, their developers, play in protecting the supply chain:
"To secure the supply chain, developers must first take responsibility and carry out security activities related to the four software development and delivery environment on their own. These activities include thorough security tests for the software being developed, segregation of the development network from the internet, secure configuration management, secure handling of code signing certificates, and hardening software distribution platforms."
The early 2020s demonstrated just how interdependent we are on one another, and how supply chains are a byproduct of that interdependence. A bad actor and a bit of malicious code can cause a cascade of wreckage across the digital ecosystem, impacting governments, businesses, and consumers. While early legislation has primarily focused on cybersecurity related to government and national systems, this reach has already started to extend to the commercial sector. Harkening back to the seat belt example: global governments want to ensure a basic level of safety. This is beginning with frameworks and best practices, specifically focusing on SBOMs and developer responsibility when it comes to security. We should expect compliance requirements and timelines to become increasingly prescriptive and concrete, both within and beyond the government sector.