Plugging individual vulnerabilities as they are identified is not a winning strategy against sophisticated nation-state actors. This paper lays out a new principles-based approach to secure software supply chains.
Supply chain exploitations like the SolarWinds compromise should not be a surprise. Since 2015, there have been numerous supply chain attacks. Billions of dollars are spent annually to protect against cybersecurity and software security incidents, yet the number and consequences of these types of incidents continue to increase. The recent SolarWinds exploitation is likely the most damaging known software-enabled supply chain cyberattack to date.
Plugging individual vulnerabilities as they are identified is not a winning strategy against sophisticated nation-state actors. Although a variety of technical, policy, and regulatory actions are needed to begin to address obvious deficiencies, it is important to understand the larger causes of the susceptibilities that allow adversaries to so easily execute these types of asymmetric attacks at scale. To realize a true strategic roadmap, a new principles-based approach is needed that can be leveraged across short-, medium-, and long-term strategies.
This paper introduces a set of such principles and associated recommendations. Some of the key principles include the need to reduce fragility in our architecture designs through increased diversity; the need to assume permeability and layer security; and an acknowledgment of where current practices produce a fallacy of trust in platforms and services. Together these principles address critical shortcomings in existing approaches and provide a realistic foundation on which to gauge potential policy and strategy decisions.
These principles and recommendations also align with the Cyberspace Solarium Commission’s call to deny the adversary undue benefits through increased resilience, more nimble information sharing structures, and the reduction of systemic vulnerabilities.
Lastly, we must seriously consider extending existing and future security frameworks and considerations to commercial-off-the-shelf providers, whose products are embedded in too many critical applications to be largely discounted, as they currently are across multiple cybersecurity frameworks.