Defending the nation’s critical infrastructure requires secure software and cyber systems. After recent high-profile breaches, MITRE is helping sponsors ensure that the software they use is trustworthy.
“Cyberattacks aren’t always apparent, but they’re occurring against hundreds of companies a day,” says MITRE Technical Fellow Craig Wiener. “It’s a perpetual game of spy versus spy.”
That’s what was happening when, in December 2020, the U.S. government discovered an ongoing cyberattack at SolarWinds, a company that develops and manages networks for government and private industry. A federal investigation revealed that SVR, the successor organization to the Soviet KGB, perpetrated the attack, giving Russians access to thousands of federal government user accounts.
Within days, Charles Clancy, senior vice president, chief futurist, and general manager of MITRE Labs, convened experts and resources to advise our federal sponsors on how to respond. Just a few weeks later, MITRE published the first in a series of white papers presenting immediate and long-term recommendations for improving the security of the the software supply chain and cyber ecosystem.
Many of these recommendations were included in President Biden’s Executive Order (EO) 14028, which took concrete steps towards defending government agencies against persistent cyber threats and improving software supply chain security.
A Persistent and Opportunistic Adversary
A review of activity within SolarWinds’ process indicates suspicious activity as early as 2019, though the scope of the breach wasn’t evident until December 2020.
Bob Martin, software and supply chain engineer, says that even today “some people will debate whether we know exactly how the attack was accomplished. But we know that the integrity of the SolarWinds software creation process was disrupted.”
“This was an incredibly sobering event,” says Joe Ferraro, MITRE cyber division chief engineer within the National Security Engineering Center and co-author of the white paper series. “It’s forced everyone to challenge their assumptions. It will transform the way we approach these critical infrastructure software solutions.”
In fact, in January 2022 President Biden signed a Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems that builds on the 2021 executive order, underscoring the true sense of urgency this challenge requires. It establishes goals and expectations for owners and operators of critical infrastructure and raises the bar for the cybersecurity of the country’s most sensitive systems.
Securing the Software Creation Process
Software is built using lines of code—a mix of custom, commercially available, and open-source. Cyber threat actors exploited weaknesses in the software-building process, inserting code that later gave them access to the networks of SolarWinds customers. The attack succeeded, in part, because it employed methods that cyber behavior-tracking resources weren’t programmed to detect.
In response to the SolarWinds attack, MITRE proposed a framework that bolsters software supply chain integrity by:
- Tracking the composition and provenance of every component of a software product.
- Incorporating cryptographic code signing and a validation infrastructure robust enough for today’s complex software supply chain.
- Requiring systems compiling and distributing software and updates meet higher levels of assurance.
MITRE also recommended implementing a software bill of materials (SBOMs) to track every alteration of code. The White House Executive Order requires SBOMs for both unclassified and classified national security systems. Weiner says the Department of Energy has embarked on using SBOM for critical infrastructure related software.
“The Executive Order has changed how the federal government procures software and has the potential to change the way industry and marketplace itself will work in the future,” Weiner says.
We worked with the National Telecommunications and Information Administration (NTIA), a division within the National Institute of Standards and Technology, and now with the Cybersecurity & Infrastructure Security Agency (CISA), a part of the Department of Homeland Security (DHS), to carry all of these efforts forward.
Martin and others from MITRE are also working with the Consortium for Information & Software Quality, an industry leadership group, to create standards for SBOMs.
Attacking the Problem from Multiple Angles
Meanwhile, in support of the Department of Homeland Security, a MITRE team created the Software Assurance Platform (SwAP), a comprehensive supply chain risk management tool. It assesses the integrity of code libraries that software vendors use, to provide an overall view of software vulnerability risk.
Software supply chain risk management is difficult, says Emily Frye, director of cyber integration. “MITRE is in an ideal position to bring together the core capabilities in SwAP and make risk management easier for government and industry.”
Ferraro says the DoD has begun to take steps to change to its software acquisition process, but “this will require a holistic change in how we procure software, what we expect from software producers, and most importantly, how they demonstrate that the software is trustworthy.”
Martin notes that industry and academia will want the same assurances. MITRE is at the forefront of this effort, “because our sponsors and partners require this kind of software integrity, and we can't afford to have it done after the fact. It must happen during software creation.
“MITRE understands the needs that exist across many different domains, from the military, the intelligence community to aeronautics and critical infrastructure. We know that industry needs these kinds of things to happen, too.”
Combatting Emerging Cyber Threats Requires Vigilance
More than one year after the SolarWinds attack became public, MITRE is working with government partners to implement safeguards that make software tamperproof. We are also at the front lines of addressing new cyber threats as they emerge.
Given the persistence of hackers associated with foreign governments and criminal ransomware groups MITRE’s work is more critical than ever. Shortly before the 2021 winter holidays, a new vulnerability in software known as Log4j threatened huge swaths of global networks.
Log4j, distributed free by the Apache Software Foundation, is on millions of computers. Cyber attackers could use the vulnerability to insert malicious code on just about any targeted computer. The security of everything from consumer electronics to government and corporate systems is at risk, DHS’s CISA reported.
Recommendations in the original Executive Order, and the more recent National Security Memorandum, are designed to prevent these types of breaches. For example, an SBOM analysis of the code might have detected the Log4j vulnerability before it became so broadly exploited. And once detected, the vulnerability would have been broadly among operators of government and civilian networks, in compliance with the EO.
Our researchers and technical experts are drafting a series of recommendations to address the endemic, long-term risks of the Log4j vulnerability. These include remediation, an assessment of the broader threat surface, and near and long-term actions to manage risk.
As a key partner to the government, industry, and others in the cybersecurity community, MITRE continues to work at the forefront of solving problems for a safer cyber world.