The Bad News CozyBears arrive with a message on a Solarwind

The NY Times recently published an article about the SolarWinds cybersecurity incursions that affected government and commercial enterprises in December. A consensus is forming among cybersecurity monitors that Russia’s S.V.R. intelligence service, a/k/a CozyBear, appears to be behind this attack. Two items in the NY Times article are particularly disturbing and noteworthy:

  • SolarWinds moved much of its engineering to satellite offices in the Czech Republic, Poland and Belarus, where engineers had broad access to the Orion network management software that Russia’s agents compromised.
  • None of the SolarWinds customers contacted by The New York Times in recent weeks were aware they were reliant on software that was maintained in Eastern Europe. Many said they did not even know they were using SolarWinds software until recently.

This raises the question: “If customers had known their SolarWinds software was developed and maintained in areas where CozyBear would have easy access, would they have trusted the software enough to install it in their critical systems?”

This is the very essence of why we need to get serious about implementing software supply chain risk assessment controls that give customers the ability to “peer inside” a software package and identify potential risks before it is installed in a critical system. One small but very achievable step toward helping customers ascertain the trustworthiness of a software package is to require software vendors to provide a Software Bill of Materials (SBOM). An SBOM is analogous to the ingredients list on a food label: it describes the contents (ingredients) of a software package.

Tools and techniques are available today that enable software vendors to produce SBOMs as part of their software development life cycle (SDLC). See the NTIA SBOM initiative: “Working group will focus on how to automate SBOM production and use. Initial goals are to catalog existing tools for SBOMs in the different identified standards (SPDX, SWID, CycloneDX) and develop a translator between these formats.”

Equally important and necessary are tools that enable a customer to use the vendor-supplied SBOM data as input to a comprehensive software supply chain risk assessment, to determine the trustworthiness of a software object before any attempt to install it in a critical system. Many of today’s cyber defense tools are reactive: they monitor network traffic and anomalous behavior and notify a customer of potential cyber threats only after bad software has been installed in a system and is performing its malicious deeds. Software supply chain risk assessment tools provide a proactive defense against harmful software, warning a customer of potential risks before the software ever has a chance to be installed. Both reactive and proactive defenses are necessary to protect customers; however, very little attention has been given to proactive measures, i.e., software supply chain risk assessments. Perhaps this will change now that CozyBear has sent a clear message that they can evade even the best reactive defenses, e.g., Einstein, with impunity.
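To make the two preceding points concrete (a vendor ships an SBOM in a standard format; the customer runs checks over it before installing), here is an added example, not code from the original post or from any of the tools it mentions. It assumes a CycloneDX JSON SBOM, uses a small constructed sample document, and flags the gaps that would prevent a trust decision: components with no version, no supplier, or no SHA-256 hash, plus a check that a delivered artifact actually matches the hash the SBOM declares.

```python
import hashlib

# Constructed CycloneDX 1.4 JSON document standing in for a vendor-supplied SBOM
# (sample data only; the product and libraries are fictitious).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "example-netmgmt",
                               "version": "2.1.0", "supplier": {"name": "Example Vendor"}}},
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.4.2",
         "supplier": {"name": "Foo Project"},
         "hashes": [{"alg": "SHA-256",
                     "content": hashlib.sha256(b"libfoo contents").hexdigest()}]},
        {"type": "library", "name": "libbar", "version": "0.9.0"},          # no supplier, no hash
        {"type": "library", "name": "libbaz", "supplier": {"name": "Baz Inc"}},  # no version, no hash
    ],
}


def assess_sbom(sbom):
    """Return (component, finding) pairs for gaps that block a pre-installation trust decision."""
    findings = []
    if sbom.get("bomFormat") != "CycloneDX":
        findings.append(("<document>", "unrecognised bomFormat"))
    for comp in sbom.get("components", []):
        ref = f'{comp.get("name", "?")}@{comp.get("version", "?")}'
        if "version" not in comp:
            findings.append((ref, "no version: cannot be matched against advisories"))
        if not comp.get("supplier", {}).get("name"):
            findings.append((ref, "no supplier: provenance unknown"))
        if not any(h.get("alg") == "SHA-256" for h in comp.get("hashes", [])):
            findings.append((ref, "no SHA-256 hash: delivered bytes cannot be verified"))
    return findings


def verify_component(comp, delivered_bytes):
    """True only when the SBOM declares a SHA-256 hash and it matches the delivered artifact."""
    digest = hashlib.sha256(delivered_bytes).hexdigest()
    return any(h.get("alg") == "SHA-256" and h.get("content", "").lower() == digest
               for h in comp.get("hashes", []))


if __name__ == "__main__":
    for ref, finding in assess_sbom(SAMPLE_SBOM):
        print(f"{ref}: {finding}")
    libfoo = SAMPLE_SBOM["components"][0]
    print("libfoo matches SBOM:", verify_component(libfoo, b"libfoo contents"))
```

A real assessment would go on to feed each name/version pair into a vulnerability or policy database; this block only covers the completeness and integrity checks that any such pipeline must run first.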

SBOMs and comprehensive software supply chain risk assessments are but one way to improve cybersecurity protections; there is much room for improvement in this area. Requiring an SBOM from a software vendor and using that SBOM to conduct a software supply chain risk assessment is just the first step in the very long journey ahead. But this proactive protection measure is achievable today at a relatively low level of effort and cost to both software vendors and their customers.

A proof of concept is being planned to show how SBOM data can be securely and reliably delivered to customers by software vendors, and how that SBOM data can then be used in a comprehensive software supply chain risk assessment before any attempt at installation in a customer system.

Never trust software, always verify and report!™
