Launched in the fall of 2019, the Atlantic Council’s Cyber Statecraft Initiative’s Breaking Trust project seeks to catalog software supply chain intrusions and identify major trends and implications from their execution. Trust in software one did not build may be practically impossible, leaving the task of establishing and rigorously enforcing tolerable levels of distrust in others’ code. Working to improve the security of software and managing these levels of distrust is critical for private sector enterprise as well as sensitive defense and intelligence organizations. This project remains ongoing to highlight the need for a more coherent policy response together with action from industry and open-source communities.
Software supply chain insecurity
Society has a software problem. Our watches have file systems; combat aircraft come with software updates; and every organization from the Internal Revenue Service to an Etsy storefront relies on software to serve its users. No longer confined merely to computers, embedded software now controls the operation of complex power generators, medical hardware, and planetary-scale datasets. A generation of Western defense systems relies on the benefits of Commercial Off-the-Shelf (COTS) technologies and the long chains of software that follow, from high-bandwidth satellite data links to a growing dependence on open-source software (OSS) in machine learning applications and logistics networks. As one commentator put it, “software is eating the world.”
Despite all of its significance, software supply chain security remains an underappreciated domain of national security policymaking. While a physical system is rarely modified once it leaves the factory, software is continually updated, meaning that the supply chain for software is long and depends on users trusting their vendors and developers. This is a major source of national security risk, threatening both public- and private-sector organizations.
This project evaluates an open dataset of one hundred and sixty-one software supply-chain attacks and vulnerability disclosures collected from public reporting over the past ten years to show that software supply chain attacks are popular, impactful, and used to great effect by states. Their impact includes giving attackers access to critical infrastructure. States like Russia, China, North Korea, and Iran attack the software supply chain as part of their offensive cybersecurity efforts. Our most recent report profiles one of these efforts, the Sunburst campaign, and draws lessons for policymakers and cybersecurity practitioners.
Policymaking for software supply chains
In-depth research
Report
Mar 29, 2021
Broken trust: Lessons from Sunburst
By Trey Herr, Will Loomis, Emma Schroeder, Stewart Scott, Simon Handler, and Tianjiu Zuo
The story of trust is an old one, but the Sunburst cyber-espionage campaign was a startling reminder of the United States’ collective cyber insecurity and the inadequacy of current US strategy to compete in a dynamic intelligence contest in cyberspace.
Breaking trust: Shades of crisis across an insecure software supply chain
By Dr. Trey Herr, William Loomis, Stewart Scott, June Lee
Software supply chain security remains an under-appreciated domain of national security policymaking. Working to improve the security of software supporting private sector enterprise as well as sensitive Defense and Intelligence organizations requires a more coherent policy response together with action from industry and open source communities.
Herr testifies to the Investigations and Oversight and Research and Technology subcommittees on improving the cybersecurity of software supply chains
On May 25, 2021, Trey Herr, Director of the Cyber Statecraft Initiative within the Scowcroft Center for Strategy and Security, testified to the House Science, Space, and Technology subcommittees on Investigations and Oversight and Research and Technology on improving the cybersecurity of software supply chains following SolarWinds.
Forscey in Lawfare: the cyber regulators are coming for the cloud
Today’s cloud computing industry is as important as it is complicated, a critical and opaque sector that undergirds the economy but that few people truly understand. Cloud services have become a pillar of digital society, supporting nonstop innovation. They also create interdependencies that generate a wellspring of concentrated risk. Ensuring that the various subsectors of […]
Herr testifies to Homeland Security and Governmental Affairs committee on responding to and learning from the Log4shell vulnerability
On February 8, 2022, Trey Herr, Director of the Cyber Statecraft Initiative within the Scowcroft Center for Strategy and Security, testified to the Senate Homeland Security and Governmental Affairs committee on responding to and learning from the Log4shell vulnerability.
John in Dark Reading: SolarWinds a catalyst for change and a cry for collaboration
The Sunburst campaign, which includes the SolarWinds incident, is not unique in its type or frequency. Supply-chain attacks have been happening more often over the past seven or so years. As adversaries continue to rapidly identify vulnerabilities, coupled with the world’s increased reliance on digital connectivity, we face mounting challenges in preventing, detecting, and responding […]
Sherman and Herr in Council on Foreign Relations: the US should make “leverage” the foundation of its cyber strategy
The SolarWinds incident spurred a flurry of debates about whether the U.S. Department of Defense’s 2018 “defend forward” strategy should, or could, have prevented the calamity. Putting aside that the Russian operation was cyber espionage—stealing data rather than denying, disrupting, degrading, or destroying systems—some of these arguments reflected an idea that the United States should […]
Nather in CSO: Defining linchpins, an industry perspective on remediating Sunburst
The Sunburst campaign underscored the inherent risk of technology to the public and private organizations who use it. It is important to examine what happened, look for opportunities to improve, and move forward. The Atlantic Council’s latest report “Broken Trust: Lessons from Sunburst” introduces the concept of “linchpins,” which it defines as “widely used software with significant permissions … on […]
Loomis in Lawfare: Defending fire, a need for policy to protect the security of open source
Open-source software has served as an important catalyst for much of modern digital technology, scaling small innovations into widely used features in weeks instead of years. Yet the past few years have shown that open source is at risk. One of the most consequential cybersecurity incidents in recent memory, Log4j, exploited a vulnerability in a […]
Herr in Foreign Policy: Russia’s hacking success shows how vulnerable the cloud is
Russia’s Sunburst cyberespionage campaign, discovered late last year, impacted more than 100 large companies and U.S. federal agencies, including the Treasury, Energy, Justice, and Homeland Security departments. A crucial part of the Russians’ success was their ability to move through these organizations by compromising cloud and local network identity systems to then access cloud accounts and pilfer emails […]
Herr in Lawfare: everything you need to know about the new executive order on cybersecurity
Yesterday evening, the Biden administration released its much-anticipated “Executive Order on Improving the Nation’s Cybersecurity.” It is tempting to yawn; every administration in recent memory has done something of this kind, after all, and not always to significant effect. But this executive order deserves your attention. It contains concrete measures tailored to respond to lessons […]
Handler, Schroeder, and Herr in War on the Rocks: cyber security as counter terrorism, seeking a better debate
Earlier this month, a senior Justice Department official referred to ransomware as a potential “cyber weapon of mass destruction.” When hackers subsequently disabled the Colonial Pipeline, causing fuel shortages and disruptions along the East Coast, it seemed to validate this warning. But it would be a mistake for the policy establishment to double down on an outdated […]
Loomis and Scott in Lawfare: A role for the vulnerabilities equities process in securing software supply chains
On Jan. 14, something unusual happened—the National Security Agency (NSA) publicly announced that it had discovered a critical vulnerability (CVE-2020-0601) deep within Windows 10 and reported it to Microsoft for patching. The disclosure was lauded because of the bug’s severity; buried in a cryptographic library, it would have allowed opportunistic attackers to decipher encrypted […]
The Atlantic Council’s Cyber Statecraft Initiative, part of the Atlantic Council Technology Programs, works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.