September 23 marked the second day of the United States Cybersecurity and Infrastructure Security Agency’s 3rd Annual National Cybersecurity Summit. The second installment of the virtual CISA summit explored digital transformation and catalysts for change in cybersecurity, and supply chain security was high on the agenda.
The day’s program included a session on cybersecurity in the supply chain, which has become a prime target for hackers looking to infiltrate industrial environments.
“When we talk about digital transformation, I think a key pillar of that is the increasing interconnectedness of the systems and networks that collectively underpin the critical infrastructure community whose resilience we all care about,” said Daniel Kroese, CISA’s Deputy Assistant Director for National Risk Management. “Another reality of this interconnectedness is that it puts an increased emphasis on the importance of supply chain risk management. Increasingly, software plays a critical part in the supply chain risk management conversation.”
Among the speakers on the second day was Trey Herr, Director of the Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security at the Atlantic Council.
“Software is everywhere. When we think about supply chains for technology, it’s difficult to extricate them from software,” Herr said. “The aggregate private exposure to software supply chain attacks is increasing. We’re seeing ever more intelligent and capable code placed into operational technology…so that attack surface for software supply chain attacks has been growing.”
The Atlantic Council recently released a report looking at software supply chain security. According to Herr, 27 percent of attacks and disclosures surveyed as part of the report directly targeted software updates.
“Despite all of its significance, software supply chain security remains an underappreciated domain of national security policymaking,” the report says. “While a physical system is rarely modified once it leaves the factory, software is continually updated, meaning that the supply chain for software is long and depends on users to trust their vendors and developers. This is a major source of national security risk in the threat posed to both public and private-sector organizations.”
Researchers at the Atlantic Council found at least 27 different attacks against the software supply chain by state actors, including Russia, China, North Korea, and Iran as well as India, Egypt, the United States, and Vietnam. According to the report, the majority of cases surveyed either resulted, or could have resulted, in remote code execution.
“Software supply chain attacks exploit natural seams between organizations and abuse relationships where users expect to find trustworthy code,” the report says. “These attacks are impactful; targeting the supply chain for code can help magnify the value of a breach. Software supply chain attacks can drive compromise deep into an organization’s technology stack, undermining development and administrative tools, code-signing, and device firmware. These attacks have strategic utility for state actors and have been used to great effect, especially by Russian and Chinese groups.”
“Change is necessary to raise the cost, and lower the impact, of software supply chain attacks.”
Other topics covered on day two of the summit included accelerating innovation to address 5G network security requirements, public safety cybersecurity, and promoting digital transformation through innovation in legal frameworks.