Did you utter the words “Hey, Siri” or “Okay, Google” today? Did you ask Alexa about today’s weather or news headlines? Connected devices are everywhere, regardless of how comfortable you feel chatting with them.
Just below the surface are the technical components that make these and every other everyday tech tool possible: open source software.
If you’d like a peek behind the curtain you’ll discover a fascinating, and currently turbulent, world. Technologists, lawmakers, entrepreneurs, and everyday people are debating how the future will unfold. The decisions being made today about technology will have lasting effects on everyday life.
Chief among the debates, and concerns, involve protecting citizens from malicious intent fed into the software supply chain, and potentially more devastating, cyber warfare. (Whoa! That got dark real quick!)
Emerging technology can deliver far more good than harm… if we are thoughtful about its evolution today.
It’s a conversation we’re thinking about constantly here at Sonatype.
International Conference on Cyber Engagement
If your first thought about cyber warfare is: “😱!!!”
...you’ll be relieved to know that governments are already on it. That’s the good news. The bad news: it is increasingly difficult to stay several steps ahead of adversaries determined to disrupt the software supply chain.
The software supply chain connects everyone and everything. Attacks to this connected web can be blatant and overt, with damaging consequences. One thing I hadn’t fully considered? How low-level, persistent attacks on credibility and usability can undermine authority and shake the foundations of democracy. Both are serious threats.
As part of the ongoing conversation, Sonatype participated in the eighth annual International Conference on Cyber Engagement (ICCE) conference sponsored by the Atlantic Council in Washington, D.C.
Working with the Atlantic Council, which focuses on promoting policy choices and strategies to create a more secure and prosperous world, our Senior Storyteller Mark Miller, built out a specific session talking about the trials and tribulations of Securing the Software Supply Chain. It included an incredible group of industry experts:
- Edna Conway, Chief Security Officer, Global Value Chain, CISCO
- Joyce Corell, Assistant Director, Supply Chain and Cyber Directorate, National Counterintelligence and Security Center, US Office of the Director of National Intelligence
- Bob Kolasky, Director, National Risk Management Center, Cybersecurity and Infrastructure Security Agency, US Department of Homeland Security
- Dr. Suzanne Schwartz, Associate Director for Science and Strategic Partnerships, Center for Devices & Radiological Health, US Food & Drug Administration
While the whole conversation is worth a listen (link below), there were a few key points I walked away thinking about.
Q: What’s the weakest link in the software supply chain?”
A. People!
Change management is a critical vector because individuals responsible for security processes often have embedded knowledge and situational awareness. Successors may or may not have sufficient understanding of software interdependencies. This creates an internal weakness that can be exploited by malicious intent.
Q: “What’s the difference between government and private sector software supply chains?”
A: Trick question! Both use open source components in their software
The private sector can be more operationally nimble when containing and correcting software supply chain threats. Government software supply chains are significantly larger and more complex. Attacks to government SSC represent significant risk to the population at large.
Q: “How do we find trusted software suppliers?”
A: People! (Yes, again.)
Trust is fundamental to all supply chain processes. Software supply chains are not regulated as other industries (industrial, transportation, medical), and this poses additional risk to companies, organizations, and individuals. A combination of industry-led initiatives and government legislation will be necessary to support safety.
Besides the above, I think the most powerful moment of the conversation came from Edna who said
There has never been a more important time for public-private partnership and cross industry information sharing . Forget saving the planet, we're going to blow ourselves up with a cyberwar if we don't get this right. The time is now, there is no time to wait.
I'm not particularly worried about the ozone layer being depleted, that won't kill me, the cyberwar will first. We have to embark on a journey of information sharing, sharing with our allies, understanding our adversaries and making meaningful inroads across the huge third party ecosystem. That will be meaningful improvement.
In the meantime practical steps must be documented: how can a manufacturer demonstrate trusted components? What evidence ensures safety? How can government agencies or private sector competitors collaborate on behalf of security, nationally and internationally?
Supply Chain Security and Software
While on the surface the idea of cyber warfare may seem extreme, take a moment to wrap your mind around the number of current vulnerabilities in our collective software supply chains. The answer is millions.
Software development is increasingly driven by open source component assembly instead of scripting from scratch. Up to 90% of typical software’s footprint is made up of open source components. The advantage is incredibly efficient software development. The disadvantage is a proliferation of vulnerabilities.
The Center for Strategic and International Studies (CSIS) hosted a panel discussion, Supply Chain Security Software, also held in Washington, D.C. and focused on what the US government and its partners are doing to address the growing security concerns, both via legislation and tactics.
Our own Derek Weeks, sat on the panel with:
- Allan Friedman, Director of Cybersecurity Initiatives, National Telecommunications Information Administration
- Bob Metzger, Co-Author MITRE "Deliver Uncompromised"; Head of DC Office, Rogers Joseph O’Donnell, P.C.
- Tommy Ross, Senior Director, Privacy, BSA | The Software Alliance
- Roberta Stempfley, Director, CERT Division, Carnegie Mellon University Software Engineering Institute
Key to understanding the depth of the problem is being able to quantify it. To that end, Derek shared both the empirical data we collected in our annual State of the Software Supply Chain Report and DevSecOps Community Survey. Both demonstrate that software is constantly under attack.
Some examples include:
Increasing exposure: Of 5,500 professional developers surveyed, 1 in 4 experienced a security breach attributed to open source vulnerabilities in the last 12 months. This is an increase of 71% since the 2014 Heartbleed breach.
Increasing scale: Looking only at Java developers reveals the growing scale of vulnerabilities in production. . The world’s 9 million Java developers consumed 146 billion components last year. And, the average enterprise is consuming 300,000 individual Java components from thousands of suppliers. In the realm of JavaScript developers, they are consuming 9 billion JavaScript components EVERY WEEK. Of these, 12% of all Java components downloaded had a known vulnerability and an astonishingly 51% of Javascript packages have a known vulnerability.
Derek went on to detail the rise in malicious code injections (14 detailed in the last 18 months - something we’ve been monitoring closely over the past two years). For example, in November 2018 a socially engineered, malicious commit code was downloaded ½ million times a week even after its compromise was discovered. This situation is not dissimilar to the well-known Tylenol tampering that forced packaging changes for consumer safety. Malicious commit code is like tampering with Tylenol at the factory. By inserting poison directly into tablet production, damage can be wrought at scale.
So, what is the future of cyber security?
Commercial industries and government entities must all take action to address widespread software supply chain vulnerabilities. While regulations and compliance are coming, when you look at what’s at stake from national security to consumer health the time to act has to be now, regulation or not.
