Threat actors are increasingly targeting mission-critical organizations in both ransomware attacks and novel software supply chain attacks, whether by exploiting known vulnerabilities or by taking advantage of other weaknesses in the ecosystem. In response, the UK government is following the lead of the US presidential executive order on improving the nation's cybersecurity and stepping up its involvement to safeguard the digital economy.
Security issues driving the new policies across the US and UK:
In light of these ongoing successful exploits in the wild by threat actors who now attack critical assets, governments around the world are stepping up their involvement when it comes to ensuring the security of digital supply chains.
Over the last year, more and more businesses have started relying entirely on cyber systems to support a remote workforce, increase automation, and move their operations almost entirely online. This means that any attacks on digital goods and services are effectively becoming disruptions to the global economy.
As such, this week the Homeland Security Committee introduced seven bipartisan bills in the House, five of which are focused strictly on strengthening cybersecurity, including a "Pipeline Security Act" and a "Cybersecurity Vulnerability Remediation Act."
President Biden also signed an executive order last week. Among its requirements, the Executive Order calls for guidelines to help organizations audit and rate critical software so that it can be protected against tampering in supply-chain attacks.
By targeting a software vendor or a Managed Services Provider (MSP), attackers can cascade their malicious activity downstream to hundreds of the vendor's clients. This happened when the GandCrab cybercrime gang compromised an MSP by exploiting a years-old vulnerability, in an attack that may have locked thousands of the MSP's customers out with ransomware.
More than ever, legislative action is now pushing the need to vet software and secure services before they are consumed on a wider scale. This is expected to have tangible consequences for software vendors beyond government contractors.
"In today's world, too many organizations don't have a full picture of what's inside their software. Most aren't even looking," explains Sonatype's CMO Matt Howard.
"The fact is that fewer than 50% of companies today produce a full picture of what's inside their application, or a software bill of materials (SBOM) as a standard practice in software development. At the same time, breaches tied to open source software components used in applications impact 1 in 5 organizations annually."
Following efforts by the White House, the U.K. government has now announced that it seeks advice on defending against digital supply-chain attacks from organizations that either consume IT services or are MSPs providing software and services.
Yesterday, the Department for Digital, Culture, Media, and Sport (DCMS) opened up a survey that will run for almost two months to invite thoughts from industry experts and tech organizations on stepping up supply-chain security across the UK.
The initiative is part of the nationwide "cyber resilience" efforts set forth by the UK's National Cyber Security Strategy to protect businesses and organizations that increasingly rely on technology from cyber-attacks, and to strengthen digital supply-chain security.
"There is a long history of outsourcing of critical services. We have seen attacks such as 'CloudHopper' where organisations were compromised through their managed service provider," says Matt Warman, UK's Minister of Digital Infrastructure.
"It's essential that organisations take steps to secure their mission-critical supply chains – and remember they cannot outsource risk."
Depending on the feedback received over time, the UK government will evaluate supply-chain risks, review policies, and implement new guidelines and frameworks to strengthen specific areas of digital supply-chain security. It could also mean the introduction of new, country-wide legislation for software firms and IT service providers. These groups would have to adhere to specific instructions when delivering digital products and services.
As pioneers of open source security, Sonatype has time and time again stayed on top of novel supply-chain attacks. This includes identifying dependency confusion early on and detecting malware polluting various open source software (OSS) repositories, while providing tangible solutions to the software supply chain security problem.
To that end, we offer not one but multiple solutions, many of them at no cost, to help developers and organizations globally safeguard their digital supply chains.
Sonatype wants your organization to be fast, smart, and safe while using the software supply chain to grow and innovate. As these regulatory requirements continue to evolve, we will maintain our services and products.
Sonatype will continue to try to keep companies and organizations safe from these and future attacks through developer-centric tools and services.
The above examples merely demonstrate the real-world solutions we have been delivering for years to keep developers and the OSS community protected from supply-chain threats.