The U.S. Government Accountability Office (GAO) stressed that, because federal agencies have not fully implemented foundational security practices, they continue to face software supply chain threats and are at greater risk of malicious actors exploiting vulnerabilities in the information and communications technology (ICT) supply chain. Such exploits can disrupt mission operations, harm individuals, and lead to theft of intellectual property.
Recent cybersecurity events, including the software supply chain compromise of SolarWinds Orion and the shutdown of a major U.S. fuel pipeline, highlight the significance of these threats. Malicious actors may exploit vulnerabilities in the supply chain, compromising the confidentiality, integrity or availability of an organization's systems and the information they contain.
“We have ongoing work examining federal agencies’ responses to SolarWinds and any lessons that they have identified from the compromise. We plan to issue a report detailing our findings later this fall 2021,” the GAO observed in its report.
Last December, the GAO made 145 recommendations to 23 federal agencies. The GAO recommended that each of the 23 agencies fully implement these foundational practices. This month, the GAO received updates from six of the 23 agencies regarding actions taken or planned to address its recommendations. However, none of the agencies had fully implemented the recommendations. Until they do so, agencies will be limited in their ability to effectively address supply chain threats across their organizations, it pointed out.
In December, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring agencies to take action regarding a threat actor that had been observed leveraging a software supply chain compromise of the SolarWinds Orion enterprise network management software suite.
The National Security Council staff subsequently formed a Cyber Unified Coordination Group (UCG) to coordinate the government response to the cyberattack. The group took a number of steps, including gathering intelligence and developing tools and guidance, to help organizations identify and remove the threat. In April, the Deputy National Security Advisor for Cyber and Emerging Technology announced the deactivation of the Cyber UCG for the SolarWinds incident. According to the Deputy National Security Advisor, the group was deactivated after the UCG completed its initial surge efforts.
Following the actions taken by the UCG, in April U.S. intelligence agencies released a cybersecurity advisory that alleged ongoing Russian Foreign Intelligence Service (SVR) exploitation of five publicly known vulnerabilities. The advisory was released alongside the U.S. government’s formal attribution of the SolarWinds supply chain compromise and related cyber-espionage campaign.
In May, the Biden administration issued an Executive Order that was prompted, in part, by the compromise of the SolarWinds software supply chain. Among other things, the executive order directed the Secretary of Homeland Security, in consultation with the Attorney General, to establish a Cyber Safety Review Board to review and assess the threat activity.
On software supply chain security specifically, the executive order directed, among other things, the Director of the National Institute of Standards and Technology (NIST) to publish guidelines that include criteria for evaluating the security practices of developers and suppliers of critical software, and to provide guidance on identifying practices that enhance the security of the software supply chain.
Earlier, in March, the GAO issued an update stating that the federal government needs to move with greater urgency to improve the nation's cybersecurity, as the country faces grave and rising cybersecurity threats. At that time, the agency said the government needs to take 10 critical actions to address four major challenges it identified in 2018, including securing federal systems, protecting critical infrastructure, and protecting privacy and sensitive data.