A lack of transparency and accountability are, without a doubt, the most substantial supply chain-specific security threats to the United States. These threats lead to underinformed end users and inequitable distribution of risk in global technology value chains.
The opacity and complexity of technology and its supply chains contribute to an environment where actors in the value chain are incentivized (and permitted) to externalize the risk (and cost) of doing business.
The ultimate risk owner — the end-user consumer — is rarely in control of (and often unaware of) the decisions being made in the supply chain that affect their risk posture. After all, the consumer rarely knows what's in the technology they rely upon, so they have little hope of appropriately managing the risks of using it.
The frantic scramble that occurred after the recent SolarWinds cyber incident, as companies and governments rushed to understand the extent of the incident and where the compromised software was installed, is an example of how little knowledge we have of what goes into our technology.
And this isn't a new phenomenon.
When the federal government banned Kaspersky software in 2017, agencies and companies were forced to spend thousands of hours combing through their technology stacks seeking the offending code because they didn't have visibility into what was in the software they use.
Complexity in technology is only going to increase. As such, it's vital that end users can get more thorough information about what is (or isn't) in the technology they consume, and technology providers are held more accountable for the content of the technology they deliver to consumers.
Impacts on Critical Infrastructure
This brings me to a more widespread concern that was once again highlighted with the recent Colonial Pipeline ransomware attack: how supply chain threats impact critical infrastructure.
Many things have changed since 2013, when the Secretary of Defense and the Administrator of General Services published a joint DoD-GSA report about improving US cybersecurity. One of the more significant changes is that the sophistication, frequency, and volume of cyberattacks has increased.
As the report states:
"The federal government and its contractors, subcontractors, and suppliers at all tiers of the supply chain are under constant attack, targeted by increasingly sophisticated and well-funded adversaries seeking to steal, compromise, alter, or destroy sensitive information."
Nobody can deny that critical infrastructure is on that list of targets. As critical infrastructure owners and operators increasingly rely on networked operational technology and the software that makes it work, they increase their attack surface and their risk of an incident like Colonial Pipeline.
The DoD-GSA report also points out that:
"Offshore sourcing has demonstrated its merit as a means to reduce costs, and as a result, most technology is produced in a global supply chain. Movement of production outside the US has also increased government concerns about foreign ownership, control, manipulation, or influence over technology used in or connected to critical infrastructure."
The threats to the technology supply chain from "adversaries (foreign governments, militaries, intelligence services, and terrorist organizations) and those seeking to advance their own cause (hackers and criminal elements)" have introduced significant new risk to critical infrastructure owners and operators in particular, the report continues.
Driving Transparency and Accountability
To the extent we increase transparency and accountability in technology supply chains, we enable better-informed consumers who will make better decisions and, as a result, will be better able to manage their risks.
The recent Biden administration Executive Order on Improving the Nation's Cybersecurity is by no means a panacea, but it does have the potential to drive increased transparency and accountability in software through requirements for testing and for providing a software bill of materials (SBOM).
In order to achieve the executive order's goals, SBOMs must provide enough detail to convey provenance, pedigree, and linkage that describes how the software is connected throughout the supply chain, along with attestations about steps in the production chain.
To succeed, the government's implementation of the executive order must address the complexity of modern distributed software development and provide transparency into both the provenance of code and the associated testing performed at each life-cycle stage. Meeting that outcome requires greater transparency into the software development processes employed by all stakeholders.