Examining the Software Supply Chain Vulnerability Landscape
June 9th, 2021 • Hannah Tichansky • Reading Time: 5 minutes
In May of 2021, the Biden Administration released an executive order designed to strengthen the federal government’s cybersecurity, focusing specifically on the software supply chains of government contractors. The order came as a response to the Colonial Pipeline ransomware attack of last month, although it had been in development since the SolarWinds cybersecurity breach in 2020.
These attacks shed light on the vulnerabilities of software supply chains and third parties, and such incidents will only increase if left unchecked. The order does not affect only government contractors; because these attacks can hit any organization, third-party risk management (TPRM) programs must analyze the cybersecurity of their supply chains.
The Rise of Software Supply Chain Incidents
In one of the biggest cybersecurity breaches in recent memory, the major US information technology firm SolarWinds experienced a cyberattack by foreign hackers throughout 2020. With organizations like the Department of Homeland Security, the US Treasury Department, and multiple Fortune 500 companies as clients, this breach compromised the data privacy of over 18,000 businesses. But how could this have happened?
Earlier in 2020, hackers entered SolarWinds’s systems and inserted a backdoor that was delivered to SolarWinds’s clients when regular software updates were sent out. This placed personal and professional data at risk, as well as potentially confidential government information, shining a light on significant gaps in federal cybersecurity practices.
It was not long before another major cybersecurity incident occurred, this time in May of 2021, when Colonial Pipeline informed the public that it had experienced a major ransomware attack and had halted all systems. As a supplier of 45% of the East Coast’s gasoline, this halt in operations led to panic, gas price increases, and an acknowledgment of the vulnerability of aging infrastructure.
Alarming Software Supply Chain and Ransomware Trends
Whether it is data being held hostage in ransomware attacks or confidential data exposed to hackers, these types of incidents are increasing as malicious parties focus on supply chain vulnerabilities. The first half of this year has seen a 102% increase in ransomware incidents compared to the same period last year. The average cost of each attack is over $300,000, and in total, ransomware cost companies $20 billion in 2020 – 75% higher than in 2019.
And it’s not just ransomware. Malware attacks overall also increased in 2020, by a whopping 358%, with the pandemic playing a large role in the rise of cybersecurity incidents. These attacks are costly. Global cybercrime damage costs $16.4 billion a day, and $6 trillion a year. It is estimated that by 2025 cybercrime will cost over $10 trillion each year.
Since the recent Colonial Pipeline breach, even more cyberattacks continue to put critical US infrastructure at risk. More recent incidents, such as the ransomware attacks on the meatpacker JBS and on the Martha’s Vineyard ferry service, shed a harsh light on these risks. In an interview on June 6th, US Energy Secretary Jennifer Granholm stated that “very malign actors” continue to target the United States, and that these attacks will only continue.
Given these alarming trends, the difficulty of tracing cybercrime perpetrators, and the vulnerability of critical systems, closer cybersecurity collaboration and partnership between leading companies and government agencies is critical to protecting cyber supply chains.
New Executive Order for Improving the Nation’s Cybersecurity
In response to the rise in cyberattacks, last month President Biden released an Executive Order naming cybersecurity a top priority for economic and national security. According to the order, “The Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to [increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy].”
Goals of the order include:
Removal of barriers to threat information sharing between the private sector and the government: Information and communications technology (ICT) service providers must promptly report any cyber incidents involving software that is provided to, or used by, agencies.
Implementation and modernization of stronger cybersecurity standards within the government: This includes adopting zero-trust architecture and secure cloud services.
Improvements to software supply chain security: This will give greater visibility into how software is developed, so that data stays secure and purchasers can tell whether the software was developed securely.
Formation of a cybersecurity safety review board: Co-chaired by government and private sector personnel, it will analyze cybersecurity incidents and what can be learned from them.
Implementation of a playbook for responding to cyber incidents: This will emphasize proactive measures so that all government agencies can meet an acceptable risk threshold and take steps to identify and mitigate risks. Private sector companies will have access to the playbook as a template for their own response efforts.
Improving detection of cybersecurity incidents on federal government networks: This will enable government-wide identification and response systems with information sharing.
Improvements to remediation and investigative capabilities: This will establish cybersecurity event logging for departments and agencies to support consistent reporting.
While the action items in this executive order directly affect third parties that contract with government agencies, these issues and recommendations are not isolated to government contractors. IT and cloud vendors to any organization need to prioritize software security and supply chain security in order to avoid major incidents.
New Ransomware Task Force
In another recent effort to mitigate the devastating effects of these attacks, the Institute for Security and Technology (IST) created a new ransomware task force composed of 60 industry, government, and law enforcement experts, with the aim of breaking down siloed approaches to cybersecurity and providing a unified effort for protection.
In a report delivered to President Biden, the task force made numerous recommendations for strengthening cybersecurity against ransomware attacks: forming national and international coordination to deter ransomware, disrupting ransomware operations to reduce their profits, preparing for ransomware incidents proactively, and responding to incidents more effectively. The recommendations also include setting up cyber response and recovery funds, closer collaboration between government agencies (further emphasizing the need for information sharing), and closer regulation of the cryptocurrency industry.
What Software Supply Chain Vulnerabilities Mean for TPRM
Despite the involvement of third parties in 63% of data breaches, 55% of enterprise-level companies do not include third-party applications in their application security program. And as seen in recent cyberattacks such as the one at SolarWinds, vulnerabilities in vendor software can cause devastating damage to organizations and their clients.
Similarly, while Biden’s cybersecurity order directly affects government agencies and the companies engaged with them, software providers in general, and any company that uses their products, need to be vigilant when developing and purchasing software.
Regulators are paying more attention to the activities of third parties as well, and companies that engage with them can be held responsible for their actions. In anticipation of this increased focus, the National Institute of Standards and Technology (NIST) has published “Key Practices in Cyber Supply Chain Risk Management,” which provides recommendations to help organizations ensure resilience by building robust cyber supply chain risk management (C-SCRM).
Ramping Up Your Software Supply Chain Security
While each third party and each step in your supply chain may be necessary to operations and growth, each also poses unique vulnerabilities and risks. To strengthen your software supply chain resiliency, your company must implement processes, programs, and procedures that identify and assess emerging threats quickly, respond effectively and efficiently, and take decisive action. This includes ensuring that software is developed securely and that any future updates are also secure and do not contain malicious code that can be passed on to clients.
Automation tools should be used so that all programs, third parties, and potential risks are managed effectively and application management hygiene is consistently in place. In addition, keeping systems and programs up to date makes it harder for hackers to target your systems. This applies to software developers as well as to the companies that use those systems through engagements with software vendors.
Furthermore, multi-factor authentication and zero-trust architecture (where the system has “zero trust” that you are the approved user and requires additional challenges before granting access to networks) are being used to create more checkpoints against hackers. Embracing these practices is critical to strengthening your software and supply chain security, though it does require collaboration with IT teams to manage these controls.
Whether you are a software developer or a company or agency that uses these programs, make sure to collaborate with IT security teams to prioritize review of any third-party applications. As the statistics above show, over half of enterprise companies do not prioritize these reviews and place themselves at serious risk of a cyberattack.