Today, most software products rely on thousands of prewritten packages produced by vendors or drawn from open source libraries. The most commonly used of these third-party software supply chain components are highly prized targets for cyber criminals. If attackers were to infiltrate them, they could compromise thousands or even millions of companies across industries and around the world. The good news is that firms don’t have to feel helpless; they can rely on others outside the firm to unearth vulnerabilities. Corporate leaders and IT teams can take three steps to prioritize and remediate vulnerabilities and forestall supply chain cyberattacks.
In July, REvil, a Russian cybercriminal gang, was able to shut down the IT systems of 800 Swedish grocery stores, a couple of New Zealand schools, two Maryland town governments, and around a thousand other enterprises around the world. The attackers discovered that Kaseya, software used by IT service contractors to remotely manage corporate networks, had numerous cybersecurity vulnerabilities. By attacking Kaseya, REvil gained a backdoor into the IT systems of the many organizations the software supported. Kaseya was thus a potent attack vector.
We should now turn our attention to linchpin technology services and products that, if compromised, would have similarly far-reaching impacts. Today, most software products rely on thousands of prewritten packages produced by vendors or drawn from open source libraries. The most commonly used of these third-party software supply chain components are highly prized targets for cyber criminals. And they are vulnerable. A 2020 audit conducted by Synopsys found that 49% of commercial codebases use open source components that have high-risk vulnerabilities. If attackers were to exploit these vulnerabilities, they could compromise thousands or even millions of companies across industries and around the world.
This is not idle speculation. Sophisticated threat actors have already targeted widely used — and poorly secured — supply chain components. SVR, a Russian intelligence agency, implanted malicious code into a software update of SolarWinds, a cloud management software product. This furnished SVR with a potential attack vector into the 18,000 enterprises and government agencies that dutifully installed the update.
The Russians are not alone. Paul Nakasone, the commander of U.S. Cyber Command, told Congress that nation states are increasingly engaging in “best practices” to target supply chain vulnerabilities. The security firm Sonatype estimated that there were over 400% more supply chain attacks between July 2019 and March 2020 than in the previous four years combined.
Once an adversary breaks into an organization’s network, they can cause serious financial and reputational damage. Many businesses wouldn’t survive the fallout. A Verizon study found that 60% of small- and medium-sized enterprises go out of business within six months of a cyberattack. Consequently, it’s incumbent on firms to mitigate their risk.
To better understand the threat and how it’s currently being managed, we conducted semi-structured interviews with executives of small- and medium-sized businesses and with those in the trenches of supply chain remediation: vulnerability coordinators at CERT/CC, a government-funded organization tasked with fixing critical cybersecurity flaws, and the chief security officers of technology companies.
Many of the corporate leaders we talked to were strikingly fatalistic about the challenge. One CEO of a small-cap company confessed that he didn’t think his business could ever secure its supply chain. This instinctual response makes sense. Synopsys’ report found that commercial codebases employ an average of 445 open source components. Few organizations have the expertise — and almost none have the bandwidth — to hunt for the cybersecurity vulnerabilities of their multitudinous third- and fourth-party vendors.
But the good news is that firms don’t have to feel helpless; they can rely on others outside the firm to unearth vulnerabilities. Over the last several years, the growing ecosystem of security researchers and information-sharing agencies has identified thousands of critical vulnerabilities before they were exploited by malicious actors. Businesses simply need to stay informed and react with a sense of urgency to the threats that may impact them.
Businesses will soon have access to even more tools that will help them quickly understand if they can be compromised by a vulnerability. Currently, few vendors release software bills of materials (SBOMs), which list the supply chain components embedded in their products’ codebase. But a recent Biden administration executive order requires all technology vendors that contract with the federal government (including the most ubiquitous software manufacturers) to publicly release SBOMs. This will bring much needed transparency to the software supply chain.
Rather than hunting for bugs themselves, businesses need to quickly prioritize and patch the vulnerabilities that others have already disclosed. Unfortunately, many aren’t doing so. A report by HP-Bromium found that many companies had failed to remediate years-old vulnerabilities. Businesses that fail to fix vulnerabilities for which a patch exists are at acute risk. As Dmitri Alperovitch, co-founder of leading cyber incident response firm CrowdStrike, has noted, many criminal groups reverse-engineer patches to discover vulnerabilities and exploit insecure organizations.
The good news is that this problem isn’t insurmountable, even for smaller companies. Corporate leaders and IT teams can take three steps to prioritize and remediate vulnerabilities and forestall supply chain cyberattacks.
IT managers should rely more on automated tools to fix simple vulnerabilities.
Online code repository GitHub has developed “automated robot code” that identifies and fixes users’ simple vulnerabilities with one click of a button. With SBOMs becoming prevalent, similar services will be developed.
However, few businesses have implemented these novel tools into their IT workflows. Only 42 of the 1,896 GitHub users who were contacted about one vulnerability accepted the automated patch. This must change.
Businesses should conduct cost-benefit analysis for vulnerability patching.
A lot of vulnerabilities won’t be so easy to remediate. Many products can only be patched when their systems are offline. Fixing every vulnerability is therefore impractical.
Thankfully, it isn’t necessary. Not all vulnerabilities are created equal: Some are very costly to weaponize and are thus unlikely to be exploited. Fortinet has reported that only 5% of vulnerabilities were exploited against more than 10% of monitored organizations. Just as a busy hospital triages patients, IT teams can triage vulnerabilities. Exploitable and impactful vulnerabilities must be fixed quickly. Businesses can wait until scheduled updates to remediate less-urgent vulnerabilities.
Businesses can use newly created metrics to triage vulnerabilities. For instance, the Exploit Prediction Scoring System (EPSS), developed by a team of cybersecurity experts and software vendors, estimates the probability that a vulnerability will be exploited based on its inherent characteristics. This tool will help risk managers determine whether the cybersecurity benefits of fixing a vulnerability outstrip the disruptions that remediation will cause.
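The two ideas above, checking an SBOM to learn whether a disclosed vulnerability affects your product at all, and then triaging the hits with an exploit-probability score and a cost-benefit rule, can be wired together in a short script. The example below is added here and is not code from the article, from CERT/CC, or from the EPSS project. It assumes a simplified CycloneDX-style SBOM layout (only name and version are used), an advisory feed in which the `epss` field carries an EPSS-style probability of exploitation, and business-supplied estimates of impact and patch downtime; all identifiers, versions, probabilities, costs and the 0.5 urgency threshold are constructed placeholders, not real advisories or EPSS guidance.

```python
"""Added example: match an SBOM against an advisory feed, then triage the hits
with an EPSS-style probability and a simple cost-benefit rule.
All data below is constructed for illustration; the advisory IDs are placeholders."""
import json

# Constructed CycloneDX-style SBOM excerpt for a hypothetical product.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-json-parser", "version": "2.3.1"},
    {"type": "library", "name": "example-image-lib",   "version": "1.0.7"},
    {"type": "library", "name": "example-logging",     "version": "4.2.0"}
  ]
}"""

# Constructed advisory feed. "epss" mimics the EPSS output: the estimated
# probability that the flaw is exploited in the wild over the next 30 days.
# "impact_usd" and "patch_downtime_hours" are the business's own estimates.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-0001", "component": "example-json-parser",
     "fixed_in": "2.4.0", "epss": 0.91, "impact_usd": 2_000_000, "patch_downtime_hours": 1},
    {"id": "ADV-PLACEHOLDER-0002", "component": "example-image-lib",
     "fixed_in": "1.1.0", "epss": 0.02, "impact_usd": 150_000, "patch_downtime_hours": 8},
    {"id": "ADV-PLACEHOLDER-0003", "component": "example-logging",
     "fixed_in": "4.1.5", "epss": 0.75, "impact_usd": 500_000, "patch_downtime_hours": 2},
    {"id": "ADV-PLACEHOLDER-0004", "component": "not-in-our-product",
     "fixed_in": "9.9.9", "epss": 0.99, "impact_usd": 9_000_000, "patch_downtime_hours": 1},
]

URGENT_EPSS = 0.5              # constructed threshold, not an EPSS recommendation
HOURLY_DOWNTIME_COST = 10_000  # constructed cost of taking the system offline


def parse_version(text):
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def load_sbom_components(sbom_json):
    """Return {component name: installed version} from a CycloneDX-style JSON document."""
    bom = json.loads(sbom_json)
    return {c["name"]: c["version"] for c in bom.get("components", [])}


def find_exposures(components, advisories):
    """Keep only advisories whose component is in the SBOM at a version below the fix."""
    hits = []
    for adv in advisories:
        installed = components.get(adv["component"])
        if installed is None:
            continue  # the product does not ship this component at all
        if parse_version(installed) < parse_version(adv["fixed_in"]):
            hits.append({**adv, "installed": installed})
    return hits


def triage(exposures, urgent_epss=URGENT_EPSS, hourly_cost=HOURLY_DOWNTIME_COST):
    """Rank exposures. Expected loss = EPSS probability x impact; patch cost = downtime x hourly rate.
    'fix now' when the flaw is likely to be exploited and the expected loss outweighs the cost of
    patching out of cycle; otherwise fold it into the next scheduled update."""
    ranked = []
    for e in exposures:
        expected_loss = e["epss"] * e["impact_usd"]
        patch_cost = e["patch_downtime_hours"] * hourly_cost
        if e["epss"] >= urgent_epss and expected_loss > patch_cost:
            action = "fix now"
        else:
            action = "scheduled update"
        ranked.append({"id": e["id"], "component": e["component"], "installed": e["installed"],
                       "expected_loss": expected_loss, "patch_cost": patch_cost, "action": action})
    # Highest expected loss first, so the queue reads top-down as a work order.
    ranked.sort(key=lambda r: r["expected_loss"], reverse=True)
    return ranked


if __name__ == "__main__":
    hits = find_exposures(load_sbom_components(SBOM_JSON), ADVISORIES)
    for row in triage(hits):
        print(f'{row["action"]:17} {row["id"]}  {row["component"]}@{row["installed"]}  '
              f'expected loss ${row["expected_loss"]:,.0f}  patch cost ${row["patch_cost"]:,.0f}')
```

Run as written, the script drops the logging advisory (the shipped version already carries the fix) and the advisory for a component the product never included, marks the parser flaw "fix now", and pushes the image-library flaw, whose expected loss is far below the cost of an unscheduled outage, to the next maintenance window. Real SBOMs carry package URLs and nested dependency trees, and real advisories express affected ranges rather than a single fix version, so a production matcher needs a fuller version-range comparison than the simple "below the fixed version" test used here.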
Procurers should demand that critical technology vendors implement “hot patching.”
Some technologies, such as the industrial control systems that run factories and the software that manages power grids and water distribution networks, are so pivotal that they cannot fail. Businesses want them to be free of any known vulnerability, regardless of how exploitable they think the vulnerability is.
But these systems must also always be available. If they needed to be shut down to be patched, cybersecurity updates would be infrequent, because businesses and governments can rarely afford to take them offline.
Thus, businesses should demand that their vendors implement hot patching systems, enabling them to deploy patches without restarting the software or taking it offline. While implementing this functionality may increase costs, it will also ensure that businesses don’t have to choose between cybersecurity and availability.
To be sure, these measures will not protect companies against all software supply chain risks. Like any imperfect test, EPSS produces false negatives: It sometimes erroneously concludes that potent vulnerabilities are less urgent. Moreover, our suggested security practices will not protect companies against malicious actors who leverage vulnerabilities that are not discovered by the cybersecurity community until they’re exploited in an attack. Still, by taking these steps, companies will be able to repel the majority of attacks, which weaponize known and exploitable vulnerabilities. Businesses don’t need to feel powerless — they can manage this risk.