Broken trust: Lessons from Sunburst
The story of trust is an old one, but the Sunburst cyber-espionage campaign was a startling reminder of the United States’ collective cyber insecurity and the inadequacy of current US strategy to compete in a dynamic intelligence contest in cyberspace. This report examines seven similar supply-chain attacks with comparable methodologies, alongside a breakdown of policy and industry mistakes in the Sunburst campaign. It provides three groups of recommendations to improve US competitiveness in cyberspace and to better secure users.
Breaking trust: Shades of crisis across an insecure software supply chain
This report leverages one hundred and fifteen software supply-chain attacks and vulnerability disclosures collected from public reporting to identify five trends in software supply-chain attacks over the past decade. Software supply-chain attacks provide huge value for attackers and remain popular. The report offers three clusters of recommendations to address, mitigate, and counter them.
About the project
Society has a software problem. Our watches have file systems; combat aircraft come with software updates; and every organization from the Internal Revenue Service to an Etsy storefront relies on software to serve its users. No longer confined merely to computers, embedded software now controls the operation of complex power generators, medical hardware, and planetary-scale datasets. A generation of Western defense systems relies on the benefits of Commercial Off-the-Shelf (COTS) technologies and the long chains of software that follow, from high-bandwidth satellite data links to a growing dependence on open-source software (OSS) in machine learning applications and logistics networks. As one commentator put it, “software is eating the world.”
Despite all of its significance, software supply-chain security remains an underappreciated domain of national security policymaking. While a physical system is rarely modified once it leaves the factory, software is continually updated, meaning that the supply chain for software is long and depends on users trusting their vendors and developers. This trust is a major source of national security risk, given the threat posed to both public- and private-sector organizations.
This project evaluates an open dataset of one hundred and thirty-eight software supply-chain attacks and vulnerability disclosures collected from public reporting over the past ten years to show that software supply-chain attacks are popular, impactful, and used to great effect by states. These attacks give attackers access to critical infrastructure. States like Russia, China, North Korea, and Iran attack the software supply chain as part of their offensive cyber efforts. Our most recent report profiles one of these efforts, the Sunburst campaign, and draws lessons for policymakers and cybersecurity practitioners.