Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

// // //
6/29/2021
01:00 PM
Emile Monette
Emile Monette
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv

Technology's Complexity and Opacity Threaten Critical Infrastructure Security

Addressing the complexity of modern distributed software development is one of the most important things we can do to decrease supply chain risk.

A lack of transparency and accountability are, without a doubt, the most substantial supply chain-specific security threats to the United States. These threats lead to underinformed end users and inequitable distribution of risk in global technology value chains.

Related Content:

Tech Vendors' Lack of Security Transparency Worries Firms

Special Report: Building the SOC of the Future

New From The Edge: 7 Powerful Cybersecurity Skills the Energy Sector Needs Most

The opacity and complexity of technology and its supply chains contribute to an environment where actors in the value chain are incentivized (and permitted) to externalize the risk (and cost) of doing business.

The ultimate risk owner — the end-user consumer — is rarely in control of (and often unaware of) the decisions being made in the supply chain that affect their risk posture. After all, the consumer rarely knows what's in the technology they rely upon, so they have little hope of appropriately managing the risks of using it.

The frantic scramble that occurred after the recent SolarWinds cyber incident, as companies and governments rushed to understand the extent of the incident and where the compromised software was installed, is an example of how little knowledge we have of what goes into our technology.

And this isn't a new phenomenon.

When the federal government banned Kaspersky software in 2017, agencies and companies were forced to spend thousands of hours combing through their technology stacks seeking the offending code because they didn't have visibility into what was in the software they use.

Complexity in technology is only going to increase. As such, it's vital that end users can get more thorough information about what is (or isn't) in the technology they consume, and technology providers are held more accountable for the content of the technology they deliver to consumers.

Impacts on Critical Infrastructure
This brings me to a more widespread concern that was once again highlighted with the recent Colonial Pipeline ransomware attack: how supply chain threats impact critical infrastructure.

Many things have changed since 2013, when the Secretary of Defense and the Administrator of General Services published a joint DoD-GSA report about improving US cybersecurity. One of the more significant changes is that the sophistication, frequency, and volume of cyberattacks has increased.

As the report states:

"The federal government and its contractors, subcontractors, and suppliers at all tiers of the supply chain are under constant attack, targeted by increasingly sophisticated and well-funded adversaries seeking to steal, compromise, alter, or destroy sensitive information."

Nobody can deny that critical infrastructure is on that list of targets. As critical infrastructure owners and operators increasingly rely on networked operational technology and the software that makes it work, they increase their attack surface and their risk of an incident like Colonial Pipeline.

The DoD-GSA report also points out that:

"Offshore sourcing has demonstrated its merit as a means to reduce costs, and as a result, most technology is produced in a global supply chain. Movement of production outside the US has also increased government concerns about foreign ownership, control, manipulation, or influence over technology used in or connected to critical infrastructure."

The threats to the technology supply chain from "adversaries (foreign governments, militaries, intelligence services, and terrorist organizations) and those seeking to advance their own cause (hackers and criminal elements)" have introduced significant new risk to critical infrastructure owners and operators in particular, the report continues. 

Driving Transparency and Accountability
To the extent we increase transparency and accountability in technology supply chains, we enable better-informed consumers who will make better decisions and, as a result, will be better able to manage their risks.

The recent Biden administration Executive Order on Improving the Nation's Cybersecurity is by no means a panacea, but it does have the potential to drive increased transparency and accountability in software through requirements for testing and for providing a software bill of materials (SBOM).

In order to achieve the executive order's goals, SBOMs must provide enough detail to convey provenance, pedigree, and linkage that describes how the software is connected throughout the supply chain, along with attestations about steps in the production chain. 

To succeed, the government's implementation of the executive order must address the complexity of modern distributed software development and provide transparency into both the provenance of code and the associated testing performed at each life-cycle stage. Meeting that outcome requires greater transparency into the software development processes employed by all stakeholders.

Emile Monette is the Director of Value Chain Security at Synopsys. His expertise centers on the nexus of cybersecurity, supply chain risk management, and federal procurement. Emile has unique experience in the fields of cybersecurity and procurement in the federal government, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-1172
PUBLISHED: 2023-03-17
The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the full name value in versions up to, and including, 21.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that w...
CVE-2023-1469
PUBLISHED: 2023-03-17
The WP Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pec_coupon[code]’ parameter in versions up to, and including, 2.2.8 due to insufficient input sanitization and output escaping. This makes it possible for authenti...
CVE-2023-1466
PUBLISHED: 2023-03-17
A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0. It has been rated as critical. This issue affects the function view_student of the file admin/?page=students/view_student. The manipulation of the argument id with the input 3' AND (SELECT 2100 FROM (SELECT(...
CVE-2023-1467
PUBLISHED: 2023-03-17
A vulnerability classified as critical has been found in SourceCodester Student Study Center Desk Management System 1.0. Affected is an unknown function of the file Master.php?f=delete_img of the component POST Parameter Handler. The manipulation of the argument path with the input C%3A%2Ffoo.txt le...
CVE-2023-1468
PUBLISHED: 2023-03-17
A vulnerability classified as critical was found in SourceCodester Student Study Center Desk Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/?page=reports&date_from=2023-02-17&date_to=2023-03-17 of the component Report Handler. The manipula...