Originally published on Forbes, April 29th, 2021
As awareness regarding the widespread devastation caused by supply chain attacks increases, one thing is becoming clear: An organization’s cybersecurity defenses are only as strong as its weakest link. Successful supply chain attacks are considered especially dangerous because of their high potential for widespread contagion. With just one successful breach of a single vendor component, hackers could gain access to all of the organizations that make use of that vendor’s supply chain.
New security events taking over the latest news cycles — such as the SolarWinds event, which extended beyond the SolarWinds software, and recent attacks on Microsoft’s widely used Exchange Server — are finally putting a spotlight on the inherent cybersecurity challenges that prevail in securing a complex supply chain.
Software is Eating the World
Many of today’s products make extensive use of software to power their innovation and connect them to the internet. The Internet of Things (IoT) is introducing software into our consumer products, empowering capabilities that were considered science-fiction just a few short years ago.
Self-driving cars use software to manage nearly every system. By some estimates, it’ll take 1 billion lines of code to get a car out and about without a driver along for the ride. The latest medical devices and interactive, remote-controlled hospital facilities also make heavy use of software, with complex devices like MRIs requiring more than seven million lines of code.
The Supply Chain Challenge
The software that powers these modern IoT products is sourced from myriad different suppliers. Nearly every one of them also leverages their own subsuppliers, who, in turn, may also have their own suppliers. When the product finally reaches the end user, it has been loaded with components developed by many different vendors.
Today’s original equipment manufacturers (OEMs) and device manufacturers are, in effect, integrators. They receive the software that governs their devices from the different vendors that develop them. They then assemble these software components within the actual device hardware, adding their own code to tie everything together in the finalized product.
This process becomes an acute problem once a breach has been identified. Though the onus is typically on the device manufacturer, only the supplier who introduced the vulnerability into the product can fix it and eliminate the threat. However, even if the vulnerability is known to all, there’s no way of knowing which supplier introduced it in the first place. It is akin to finding a virtual needle in a binary haystack. There simply is no branding or manufacturer label on a line of code.
There is currently no industry standard or regulation for dealing with the inherent software supply chain risks described above. However, different approaches are being discussed throughout the industry, focusing on the best way to mitigate these risks.
The Technological Approach
Imagine a world where you knew who was responsible for each line of code.
In this world, every vulnerability would be instantly traced back to the supplier who introduced it. The supplier would then quickly fix the vulnerability, allowing the vendor to send out a security update across all its deployed products — before it even escalates into a problem.
This isn’t as far-fetched as it sounds. Recent advancements in cyber digital twins (CDT) technology enable suppliers to deliver code in binary format with the addition of metadata needed for cybersecurity analysis clearly delineating its origins. With CDTs, every line of code in your supply chain includes a vendor name and contact info such as an email address. Have you ever found a vulnerability somewhere in your code but had no idea how to even start fixing it? With CDTs, you can easily reverse-track the code to get to the contact info of the developer who needs to fix it.
CDTs empower instant traceability and hence, accountability; in the unfortunate event that a breach does occur, finding the supplier who introduced the vulnerability is a simple matter of referring to the CDT. With CDTs, ensuring that IoT-powered devices and hardware are kept secure in the face of relentless cyber risks is a quick and painless process that delivers a much safer product.
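To make the traceability idea above concrete, here is an added illustration (not code from the article or from any CDT product): each supplier delivery is recorded as a binary plus origin metadata (vendor, contact, version), keyed by the binary's SHA-256, so that any component found on a device can be reverse-tracked to the party who must fix it. The manifest layout, the hypothetical vendors and the sample binaries are all constructed for this example; the one edge case it handles is the article's "needle in a haystack" situation, a binary on the device that no supplier has claimed.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ComponentRecord:
    """Origin metadata that accompanies one delivered binary (assumed layout)."""
    name: str
    version: str
    sha256: str
    vendor: str
    contact: str


def sha256_hex(blob: bytes) -> str:
    """Content hash that ties a manifest entry to the exact bytes delivered."""
    return hashlib.sha256(blob).hexdigest()


def build_manifest(deliveries: List[dict]) -> List[ComponentRecord]:
    """Turn supplier deliveries (binary + metadata) into hash-keyed provenance records."""
    return [
        ComponentRecord(
            name=d["name"],
            version=d["version"],
            sha256=sha256_hex(d["blob"]),
            vendor=d["vendor"],
            contact=d["contact"],
        )
        for d in deliveries
    ]


def manifest_to_json(records: List[ComponentRecord]) -> str:
    """Serialise the manifest so it can ship alongside the firmware image."""
    return json.dumps([asdict(r) for r in records], indent=2, sort_keys=True)


def index_by_hash(records: List[ComponentRecord]) -> Dict[str, ComponentRecord]:
    return {r.sha256: r for r in records}


def trace_component(records: List[ComponentRecord], blob: bytes) -> Optional[ComponentRecord]:
    """Reverse-track an installed binary to the supplier who delivered it.

    Returns None when the bytes match no delivery: either the component was
    never documented or it was modified after delivery. Both cases mean the
    integrator cannot name a responsible party and must investigate.
    """
    return index_by_hash(records).get(sha256_hex(blob))


def audit_image(records: List[ComponentRecord], installed: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Classify every binary on a device image as traced (vendor known) or untracked."""
    idx = index_by_hash(records)
    result: Dict[str, List[str]] = {"traced": [], "untracked": []}
    for path, blob in installed.items():
        rec = idx.get(sha256_hex(blob))
        if rec is None:
            result["untracked"].append(path)
        else:
            result["traced"].append(f"{path} -> {rec.name} {rec.version} ({rec.vendor} <{rec.contact}>)")
    return result


# Constructed sample deliveries: placeholder vendors, contacts and binaries, not real ones.
SAMPLE_DELIVERIES = [
    {"name": "tls-stack", "version": "2.4.1", "blob": b"\x7fELF...tls-stack-2.4.1...",
     "vendor": "Example TLS Ltd", "contact": "psirt@example-tls.invalid"},
    {"name": "ble-driver", "version": "1.0.9", "blob": b"\x7fELF...ble-driver-1.0.9...",
     "vendor": "Example Radio GmbH", "contact": "security@example-radio.invalid"},
]
SAMPLE_MANIFEST = build_manifest(SAMPLE_DELIVERIES)

# Constructed device image: two documented components plus one nobody has claimed.
SAMPLE_IMAGE = {
    "/lib/libtls.so": SAMPLE_DELIVERIES[0]["blob"],
    "/lib/libble.so": SAMPLE_DELIVERIES[1]["blob"],
    "/lib/libmystery.so": b"\x7fELF...no-manifest-entry...",
}

if __name__ == "__main__":
    print(manifest_to_json(SAMPLE_MANIFEST))
    # A vulnerability report names a file; the manifest names who must fix it.
    rec = trace_component(SAMPLE_MANIFEST, SAMPLE_IMAGE["/lib/libtls.so"])
    print("report to:", rec.vendor, rec.contact)
    print(audit_image(SAMPLE_MANIFEST, SAMPLE_IMAGE))
```

The hash-keyed lookup is the whole point: the manifest is only trustworthy if the integrator recomputes the hash of what actually shipped, which is why `audit_image` flags `/lib/libmystery.so` rather than assuming every file on the device came from a known supplier.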
The Business Approach
The existing supply chain methodology offers zero ability to trace vulnerabilities back to the individual supplier that developed them. However, by upending the existing paradigm in which vendors do not voluntarily share information, we can gain transparency and traceability.
A cross-industry initiative by OEMs could rewrite the rules of the game. By making the issue a deal-breaker, OEMs could (and some already do) force vendors’ hands and make them provide all the metadata needed for cybersecurity analysis — without revealing proprietary source code — as part of their delivery. This would empower instant accountability and traceability in the event a new vulnerability is discovered.
The Regulatory Approach
In our cutting-edge, hyperconnected reality, government regulations are always three steps behind the market. While most laws currently put the responsibility of ensuring software security on the OEMs, this interpretation could be changed to reflect the difficulties of ensuring this in a software supply chain. This change would place the onus squarely on the software vendors. They would be required, by law, to ensure that the software they deliver is always secure and cooperate with one another to make sure that the connections between their components don’t introduce any new vulnerabilities.
You need to know your product. Dig into the bits and bolts of the software that powers your product. At the end of the day, your customers trust you to keep their products safe and secure, so don’t assume that anyone else can or is doing it for you.
You need to think outside the box. In this brave new interconnected world, it’s critical that you look beyond familiar processes that weren’t necessarily invented for your use cases, just like the concept of digital twins now adopted by security experts. Don’t be afraid to adopt new ways of doing things into your processes, especially if these concepts have been successful in other fields.