What it Means for Your Digital Relationships and Your Software Bill of Materials
Following the February executive order concerning supply chain risk management, on May 12, 2021, the White House issued one of the most robust, far-reaching directives on improving cybersecurity monitoring and response at the U.S. federal government level. The Biden administration’s Executive Order responds to meddling in our elections, cyber espionage by foreign governments, ransomware attacks, intellectual property theft, and other cybercrimes by criminal gangs.
With operational resilience on everyone’s radar, the news comes at a sensitive time. The order provides instructions to various government agencies focusing on the software supply chain. It also includes a directive to develop and use a Software Bill of Materials (SBOM). The order mandates the adoption of SBOM by large government supply chains and will change how software is supplied to U.S. federal agencies in the years ahead. The new regulations, one can assume, will also influence commercial and international markets to adopt SBOM standards set by the U.S.
The move by the Biden administration, and its focus on the SBOM, should be heartily embraced by industry. A huge, unavoidable challenge to today’s “fragile” supply chains, which extend around the world, is the simple fact that both physical (hardware) products and software are made from many components from many suppliers. That permits unwanted access by unauthorized actors (such as nation-states and criminal gangs), leading to massive disruption, intellectual property theft, extortion and beyond. The response must be to ensure that components (physical and/or digital) are trustworthy (uncompromised) and come from vetted suppliers.
A Government Call to Action
For decades, in the physical supply chain realm, companies have conducted inspections and verification probes into real and potential risks at the product, component, and factory levels. Now, with the White House cyber EO, we have a U.S. government call to action for the private sector to perform the same kind of inspections and probes into the subcomponents of the software we have all been using for decades. SBOMs, at appropriate levels of transparency, depth and accuracy, allow us to identify all the different developers of the software that we are using, and any attendant risks.
Before we dive into why the SBOM directive in the Biden cyber EO is a highly laudable move, providing guardrails that keep compromised components out of digital supply chains, let’s provide some background.
What Is a Software Bill of Materials?
A software bill of materials (SBOM) is a hierarchical and machine-readable inventory of all open source and third-party components present in a codebase. It also contains details about the relationships between the software elements, version information, and patch status.
To create transparency and standardization across software supply chains, the National Telecommunications and Information Administration (NTIA) is leading an effort to develop national SBOM guidelines and formats. The effort began ahead of the expected executive order. Expect much of the government’s SBOM practices to be based on the NTIA’s work.
The Benefits of Adopting SBOM
The expected benefits and use cases for SBOMs are numerous since they affect all software development phases, both for the creator and consumers.
Software creators can use an SBOM to replace outdated development tracking tools and manual spreadsheets. Most software today uses multiple open-source libraries bundled into the final product. Tracking open-source software is especially challenging for the software developer. It involves a vastly diverse array of suppliers, ranging from huge, well-funded organizations providing regularly updated software to volunteer-supported projects maintaining decades-old software. By creating a well-documented set of software components, producers can simplify development and patching and reduce costs.
New Cyber Threats in Software Supply Chain Security
Supply chain security was traditionally concerned with counterfeiting and other supplier compromises. Recently there has been a greater focus on third-party and supply chain risk management. This includes products that were compromised at the factory or software-development level, then purchased and deployed into the network. After installation, the compromised nodes survey the network. They then contact the command-and-control system owned by the cybercriminals, which lets the attackers know their product is online.
Cybercriminals, often nation-state bad actors, exploit this compromise to gain access to the entire network. The SolarWinds compromise—engineered by Russian state agencies—is a well-known example of this type of highly proliferated attack. More of these attacks have occurred with other vendors. Since they have been successful, cybercriminals will continue to exploit them.
These “supply chain” cyber-attacks work by exploiting a software component of a built product (e.g., an innocuous-seeming software upgrade). They are distinct from traditional perimeter-penetration hacks. It is much easier to compromise a library or third-party software bundled into the main software build. The compromise can be made on-site or even at the source. The practice of development teams using open-source or third-party software is very common; it is routinely used for tasks like encryption or data input to streamline development.
Unfortunately, open-source software may have vulnerabilities and weaknesses that go unmitigated, given the open-source software team’s lack of resources. The Heartbleed bug in the open-source OpenSSL cryptographic library is but one example. OpenSSL was included in thousands of software solutions but maintained by minimal part-time staff. When researchers found the flaw, the affected library was difficult to correct and replace across all of those products. Cybercriminals clued into the flaw, scanned deployed software for the vulnerable version of OpenSSL, and exploited it where possible.
To resolve these issues, developers need to identify the exact version of the software library, open-source code, and tools. SBOMs will replace manual processes to collect and manage this information. This will happen because of the new responsibilities the US federal government has placed on software solution providers.
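As an added illustration (not code from the original post, nor from Interos or the NTIA), the script below shows what the inventory and relationship data described above buys a defender: it loads a constructed CycloneDX-style SBOM, walks the dependency relationships from the top-level product, and reports any component whose exact version appears in a constructed advisory list, together with the inclusion path showing which intermediate library pulled it in. The component names, versions and advisory ids are placeholders, not real advisories.

```python
import json
from collections import deque

# Constructed CycloneDX-style SBOM (not from any real product): one application
# bundling a TLS library indirectly, through an intermediate HTTP client library.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"bom-ref": "pkg:generic/example-app@2.3.0", "name": "example-app", "version": "2.3.0"},
    {"bom-ref": "pkg:generic/httpclient@4.1.2", "name": "httpclient", "version": "4.1.2"},
    {"bom-ref": "pkg:generic/openssl@1.0.1f", "name": "openssl", "version": "1.0.1f"},
    {"bom-ref": "pkg:generic/zlib@1.2.11", "name": "zlib", "version": "1.2.11"}
  ],
  "dependencies": [
    {"ref": "pkg:generic/example-app@2.3.0",
     "dependsOn": ["pkg:generic/httpclient@4.1.2", "pkg:generic/zlib@1.2.11"]},
    {"ref": "pkg:generic/httpclient@4.1.2", "dependsOn": ["pkg:generic/openssl@1.0.1f"]}
  ]
}
"""

# Constructed advisory feed: component name -> placeholder advisory id and the
# exact affected versions. A real feed would carry CVE identifiers and ranges.
ADVISORIES = {
    "openssl": {"id": "ADVISORY-PLACEHOLDER-1", "affected": {"1.0.1", "1.0.1f"}},
}

def load_sbom(text):
    # Index components by bom-ref and dependencies as ref -> list of child refs.
    bom = json.loads(text)
    comps = {c["bom-ref"]: c for c in bom["components"]}
    deps = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    return comps, deps

def find_affected(comps, deps, advisories, root):
    """Breadth-first walk of the dependency graph from the root component.
    Returns (advisory id, component ref, inclusion path) for each affected hit."""
    hits, queue, seen = [], deque([(root, [root])]), {root}
    while queue:
        ref, path = queue.popleft()
        comp = comps[ref]
        adv = advisories.get(comp["name"])
        if adv and comp["version"] in adv["affected"]:
            hits.append((adv["id"], ref, path))
        for child in deps.get(ref, []):
            if child not in seen:
                seen.add(child)
                queue.append((child, path + [child]))
    return hits
```

The inclusion path is the part a spreadsheet never gives you: it tells the patching team that openssl arrives via httpclient, so a fix means upgrading or re-pinning that intermediate library, not just the application.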
The Future of SBOM: Fully Assess and Monitor Software Supply Chains
SBOM integration will enable developers to identify and manage the vendors providing software in their software supply chains. Without SBOM, much of this information would not be available. The data provided by the mandated SBOMs will allow organizations to create detailed maps of the extended software supply chain for the first time, immensely improving supply chain risk management.
That is just the beginning. With a map of the software supply chain, organizations can assess each software provider’s risk and monitor impact events. This can be done across a host of factors, from cyber hygiene to financial risk. Development teams must make decisions to replace an open-source solution if the provider goes out of business or stops providing updates. Financially weak vendors may be a leading indicator of potential risk. Another indicator could be where the software vendor is located. This would be a form of geopolitical, governance, or compliance risk. And the biggest issue could come down to seeing the announcement of another breached vendor and not knowing if that vendor or its customers are in your supply chain.
SBOM, as a new standard developed in the months ahead, will launch a dramatic change to traditional software supply chain risk assessment. This new methodology will provide real-time, highly accurate data to cybersecurity and procurement teams so they can proactively reduce risk. At the enterprise level, SBOM and the awareness it brings will reduce costs and speed development.
Operational Resilience and Software Supply Chain Risk Management
Governments and businesses are waking up and responding to a new world of risk. Planning and visibility—those are the keys to resilience, agility, compliance, and good business. The Interos cloud solution gives you an instant and continuous view of every connection in your digital and physical supply chains. With the power of artificial intelligence and machine learning, any organization can create a living map of their business ecosystem, including SBOM elements, so they can monitor actions in real time, model scenarios, and predict outcomes. Learn more here, or contact us for a demonstration.