Examining the Software Supply Chain Vulnerability Landscape

June 9th, 2021 Hannah Tichansky Reading Time: 5 minutes
Black framed eyeglasses in front of laptop computer - FI

In May of 2021, the Biden Administration released an executive order designed to strengthen the federal government’s cybersecurity, focusing specifically on software supply chains of government contractors. This release came as a response to the Colonial Pipelines ransomware attack of last month, although it has been in development since the SolarWinds cybersecurity breach in 2020.

These attacks shed light on the vulnerabilities of software supply chains and third parties, and these incidents will only increase if left unchecked. And the order does not just affect government contractors; as these attacks can affect any organization, third-party risk management (TPRM) programs must analyze the cybersecurity of their supply chains.

The Rise of Software Supply Chain Incidents

In one of the biggest cybersecurity breaches in recent memory, major US information technology firm, SolarWinds, experienced a cyberattack by foreign hackers throughout 2020. With organizations like the Department of Homeland Security, the US Treasury Department, and multiple Fortune 500 companies as clients, this breach compromised the data privacy of over 18,000 businesses. But how could this have happened?

Earlier in 2020, hackers entered the SolarWinds system, inserting a backdoor that was released to SolarWinds’s clients when regular software updates were sent out. This placed personal and professional data at risk, as well as potentially confidential government information, shining light on significant gaps in federal cybersecurity practices.

It was not long before another major cybersecurity incident occurred, this time in May of 2021 as Colonial Pipelines informed the public that it had experienced a major ransomware attack and had halted all systems. As a major supplier of 45% of the East Coast’s gasoline, this halt in operations led to panic, gas price increases, and an acknowledgment of the vulnerability of aging infrastructure.

Whether it is data being held hostage in ransomware attacks, or major confidential data at risk to hackers, these types of incidents are increasing as malicious parties focus on supply chain vulnerabilities. The first half of his year has seen an increase of 102% in ransomware incidents compared to the same time last year. The average cost of each attack is over $300,000 and in total, ransomware cost companies $20 billion in 2020 – 75% higher than 2019.

And it’s not just ransomware. Malware attacks overall also increased in 2020- by a whopping 358%, with the pandemic playing a large role in the rise of cybersecurity incidents. These attacks are costly. Global cybercrime damage costs $16.4 billion a day, and $6 trillion a year. It is estimated that by 2025 cybercrime will cost over $10 trillion each year.

Since the recent Colonial Pipelines breach, even more cyberattacks continue to put critical US infrastructure at risk. More recent incidents such as the ransomware attack at the JBS meatpacking plant, and the Martha’s Vineyard ferry service shed a harsh light on these risks. In an interview on June 6th, US Energy Secretary Jennifer Granholm stated that “very malign actors” continue to target the United States, and these attacks will only continue.

Between these alarming trends, the difficulty of tracing cybercrime perpetrators, and the vulnerability of critical systems, the need for increased cybersecurity collaboration and partnerships between leading companies and government agencies is critical to protecting cyber supply chains.

New Executive Order for Improving the Nation’s Cybersecurity

In a response to the rise in cyberattacks, last month President Biden released an Executive Order emphasizing cybersecurity as a top priority to economic and national security. According to the order, “The Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to [increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy].”

Goals of the order include:

  • Removal of barriers to threat information sharing between the private sector and the government: Information and communications technology (ICT) service providers must promptly report any cyber incidents involving software that is provided to, or used by agencies.
  • Implementation and modernization of stronger cybersecurity standards within the government: This includes contracting zero-trust architecture and secure cloud services.
  • Improvements to software supply chain security: This will allow greater visibility into how software is being developed to make data secure and provide transparency so that people can tell if the software was developed securely.
  • Formation of a cybersecurity safety review: This will be co-chaired by government and private sector personnel to analyze cybersecurity incidents and what can be learned from them.
  • Implementation of a playbook for responding to cyber incidents: This will emphasize proactive measures so all government agencies can meet an acceptable risk threshold and take steps to identify and mitigate risks. Private sector companies will have access to this as a template for their response efforts.
  • Improving the Federal Government Network detection of cybersecurity incidents: This will enable government-wide identification and response systems with information sharing.
  • Improvements to remediation and investigative capabilities: This will create cybersecurity event logs for departments and agencies to help with consistent reporting.

While the action items in this executive order directly affect third parties who contract with government agencies, these issues and recommendations are not isolated only to government contractors. IT cloud vendors to any organization need to prioritize software cybersecurity and supply chain security in order to avoid major incidents.

New Ransomware Task Force

In another recent effort to mitigate the devastating effects of these attacks, the Institute for Security and Technology (IST) created a new ransomware task force comprised of 60 industry, government, and law enforcement efforts to break down siloed approaches to cybersecurity and provide unified efforts for protection.

In a report delivered to President Biden, numerous recommendations were made for strengthening cybersecurity efforts against ransomware attacks through forming national and international coordination to deter ransomware, disrupting ransomware to reduce their profits, preparing for ransomware incidents proactively, and responding to incidents with more effectiveness. Also included in the recommendations is setting up cyber response and recovery funds, closer collaboration between government agencies (further emphasizing this need for information sharing), and closer regulation of the cryptocurrency industry.

What Software Supply Chain Vulnerabilities Mean for TPRM

Despite the involvement of third parties in 63% of data breaches, 55% of enterprise-level companies do not include third-party applications in their application security program. And as seen in recent cyberattacks such as at SolarWinds, vulnerabilities in vendor software can pose devastating damage to organizations and their clients.

Similarly, while Biden’s cybersecurity order directly affects government agencies and companies engaged with them, software providers overall, and any company who uses these products need to be vigilant when developing and purchasing these products.

Regulators are paying more attention to the activities of third parties as well, and companies who engage with them can be held responsible for their actions. In anticipation of this increased focus, the National Institute of Standards and Technology (NIST) has published “Key Practices in Cyber Supply Chain Risk Management which provides recommendations to help organizations ensure resilience by building robust cyber supply chain risk management (C-SCRM).

Ramping Up Your Software Supply Chain Security

While each third party and step in your supply chain may be necessary to operations and growth, they each pose unique vulnerabilities and risks. To strengthen your software supply chain resiliency your company must implement processes, programs, and procedures that identify and assess emerging threats quickly, respond effectively and efficiently, and take decisive action. This includes ensuring that software is developed securely and that any future updates are also secure and do not contain any malicious programs that can be passed on to clients.

Automation tools should be used so that all programs, third parties, and potential risks are managed effectively, and that application management hygiene is consistently in place. In addition, keeping up-to-date systems and programs makes it harder for hackers to target your systems for attacks. This applies to software developers, as well as for the companies that utilize systems through engagements with software vendors.

Furthermore, implementation of multi-factor authentication, and zero-trust architecture (where the system has “zero trust” that you are the approved user and requires additional challenges to log into networks) are being used to create more checkpoints against hackers. Embracing these practices is critical to strengthening your software and supply chain security, though it does require collaboration with IT teams to manage these controls.

Whether you are a software developer or a company or agency that uses these programs, make sure to collaborate with IT security teams to prioritize review of any third-party applications. As seen in recent statistics, over half of enterprise companies do not prioritize these programs and place themselves at serious risk of a cyberattack.

To learn more about how to strengthen your software supply chains against ransomware and other cyber-attacks, contact Aravo’s team of experts.

Hannah Tichansky

Hannah Tichansky is the Senior Content Marketing Manager at Aravo Solutions, the market’s smartest third-party risk and resilience solutions, powered by intelligent automation. At Aravo, she manages all content and thought leadership produced for products and campaigns, and contributes as an author for articles and blog posts.

Hannah holds over 12 years of writing and marketing experience, with 6 years of specialization in the risk management, supply chain, and ESG industries. Hannah holds an MA from Monmouth University and a Certificate in Product Marketing from Cornell University.

Hannah Tichansky is the Senior Content Marketing Manager at Aravo Solutions, the market’s smartest third-party risk and resilience solutions, powered by intelligent automation. At Aravo, she manages all content and thought leadership produced for products and campaigns, and contributes as an author for articles and blog posts.

Share with Your Friends:

Subscribe to Blog Updates

Our Expertise
Who We Help

Ready to get started?

Get in touch for a better approach to third-party risk management