Software Supply Chains: Turns Out All You Need to Trust is Caffeine and Cats
Episode One
Need some audio?
Listen to our theme music while you read or listen to an audio dramatization of the episode on Apple Podcasts and Spotify!
Chapter 1
Hundreds of years ago, humanity took its first steps into the stars. On trembling toddler legs, a cobbled collection of nations and conglomerations stretched across the solar system, exploring the mysteries of space and inhabiting new worlds.
On Earth’s moon, in the center of the Mare Serenitatis, stands the Habitable Object on the Surface of The Lunar Landscape, the oldest gateway from Earth to the stars and the only moon construct still in operation. In the center of that port, nestled among the central mining operations and the robotics engineering labs, lies its true heart – the food court.
The food court was designed in a retro style, meant to harken back to the late 20th century ‘mall’ aesthetic that had been in trend again when the base was built. The design was, rather unfortunately, chosen by the son of one of the bases’ founders – a boy with rather more confidence than talent. To make matters worse, as the first space port built off-world, its infrastructure was certainly nowhere near what could be described as state of the art by contemporary standards. The once pristine floors were tracked with marks left by decades of wheeled sneakers and chunky boots and the furniture upholstery’s once brilliant geometric explosion had worn to a near solid burnt orange wash. Apparently, it just wasn’t in the budget to improve the only food court on the entire surface of the moon.
Even a small portion of this budget would have gone a long way toward rejuvenating the small, outdated coffee shop that sat in the back corner. Caffeine Crater, despite its appearance, was bustling with groggy customers seeking the sweet relief of a double fudge frappuccino before heading off to the daily grind. The only person in the entire food court who seemed genuinely happy to be there was a small, rotund man weaving among the crowds holding a truly herculean number of coffee mugs.
Ernest, wearing a bright blue apron and perpetual smile, returned behind the counter and only flinched for a second when robotic arms yanked the dishware from his arms and slotted each into the dishwasher in a flurry of purple and teal metal.
His coworker Zafira, who was currently glaring at a woman stuck between three possible orders – narrowed down from her original seven – turned to him, “Could you please stop smiling? Your optimism is hurting my eyes.”
He laughed, “Nope! Like my pops always said, ‘Good things come to those who smile.’”
Zafira tried, and failed, to maintain her annoyance, “Oh, just get back to work.”
The two worked through the morning rush, grateful that the most eventful occurrence of the morning was when one of their regulars stopped by crying that his favorite tabby at the cat café didn’t cuddle with him that morning.
Ernest sighed as he wiped down the last table, “it really is beautiful here.”
Zafira looked at him askance. “Beautiful?” she asked, “Do you mean the dusty ‘island’ full of worn-out fake plants or the neon chaos of cables all over the walls?”
“Both,” Ernest answered, “but really what I love most is that window.”
He gazed over the convex curve of floor to ceiling windows that looked out over the eerie lunar surface, its stark desaturation such a shock after the light and energy of the food court.
“Yea, not gonna lie, that window is stellar. Though, it used to be less gross.” Zafira said.
“What do you mean?”
“Well, like 10 years ago this intergalactic ship came back from who knows where and those stupid alien fish things had stowed away in their cargo hold.”
Ernest paid closer attention to the silver-blue flurries that danced across the vista, reflecting the station’s artificial light. What he had taken for a strange effect of light playing off the lunar surface were in fact winged fish-like creatures with protruding eyes and large sucker mouths. He then noticed that a large number of them were in fact chomping away on the metal supporting structure of the window, dripping alien-saliva down the glass.
“Oh no! They’re going to eat through the glass!” he said, pointing at the creatures through the window.
“Don’t start spinning out, they’re always doing that. How has it taken you two months to notice?”
Ernest smiled sheepishly.
“No one really knows why they do that. My money is on those poor aliens being so confused that they’re just copying the people,” Zafira said, pointing at a nearby eruption of used coffee cups and discarded food wrappers at whose center sat a group of people happily chomping away at their morning meals.
“That’s not very nice.”
“Yea, yea, well screw that smile back in bud, our second wave of ‘fish’ is incoming.”
The second wave of customers, whose flexible work schedule allowed them to actually stop and taste the coffees and fritters that they ordered, entered at a more leisurely pace.
Back in the swing of things, Zafira took orders with practiced efficiency, only once having to stop once when a customer ordered ‘incorrectly’.
“No, no, no, that is too boring. You look like a man who wants to be daring with his order.” She turned, “Ernest, get this man an egg white double mocha with a twist of cardamom.”
The man looked lost, but dutifully scanned his payment chip.
Ernest, a placating grin stuck to his face, chattered with waiting customers as he filled each order.
“So, have you gotten your space legs yet?” one of Ernest’s favorite regulars asked.
“Not quite yet, Rossi, but Zafira’s been helping me get up to speed on things.” He ducked awkwardly under a tangle of neon cables streaming out of a nearby espresso machine, “Everything’s just so different here, we didn’t have space-fish or asteroid safety drills or these things back home,” Ernest gestured at the kaleidoscope of cables.
“You just moved here from Earth, right?” Rossi asked, “They have software there that you must’ve seen.”
“I lived in the Great American Expanding Desert, so we didn’t see much investment,” said Ernest.
“And your family never thought of moving?”
“My dad always dreamt of moving to the stars, but he said life just kept popping up.”
Rossi reached over the counter and gave Ernest’s shoulder a squeeze.
Ernest pushed his shoulders back and reaffixed his smile, “But I’m here now, to see the stars for the both of us. And that means I need to figure out why all these machines look like they’ve got funky glowing hair.”
Rossi chuckled, “The cables are part of the software supply chain, which delivers software and a continuous stream of updates to all of the connected devices in the station, like your coffee machine there.” As he began to explain, Rossi found a philosophical air, “you see, software is a relationship between the developers, mostly off world, and us here on the moon. Every line of code can be updated and changed, which requires this continuous connection back to the source.”
Software Supply Chains in the real world
In our more mundane world, software supply chains sadly are no physical manifestations – neon or otherwise. But our society nevertheless depends on these often elusive software supply chains. Software, in a sense, is “eating the world.”
“Unlike physical systems, software is always a work in progress. It relies on continual revisions from patches and updates to address security flaws and vulnerabilities, and to make functional improvements. This ongoing maintenance leaves software supply chains long, messy, and in continuous flux, resulting in significant and underappreciated aggregated risk for organizations across the world.”
Read more from the Cyber Statecraft Initiative’s Breaking Trust Report.
Ernest, despite his best efforts, began to lose focus as the man deepened his explanation.
Noticing Ernest’s unfocusing eyes, Zafira cut in, “Basically, all we have to worry about is that these ‘cables’ make sure we get all the software updates we need. I think we actually got one this morning.”
“But why can I like, actually touch them?” Ernest asked as he started preparing another order.
Rossi began what certainly would have been an excellent and compelling explanation when Ernest let out a sharp squeal.
The nozzle that had been dutifully filling up a large mug just moments before began shooting out coffee like a firehose, arcing high through the air before soaking his clothes and his face in hot coffee. He jumped back and screamed – long enough that the coffee on his clothes fully cooled.
“Zafira help!” he said, wide eyes locked on his coworker, who was still leaning against the back counter staring in mingled shock and not-so-concealed laughter.
Zafira stepped toward her friend, ducking around the gushing steam of coffee, “What did you do now?” She laughed slightly but caught herself. “I’m sorry Ernest, are you okay? What happened?”
“It… It attacked me” he said, looking at the coffee machine still spewing out hot liquid, like it had just stuck a knife in his back. He pulled Zafira in for a quick hug.
“It didn’t attack you,” Zafira said, “they stopped putting AI into the coffee machines years ago. There hasn’t been an attempted appliance uprising in decades.”
Ernest looked marginally soothed. “Sure, sure. But still! What’s going on here?”
The customers rushed out the door, retreating away from the dark brown estuary that was beginning to form in front of the counter. Some decided the most helpful course of action was to take the time to inform the dripping baristas that they “were very disappointed in the service” and “would certainly post a strongly worded review on Constellationz” and wondered loudly “why hadn’t they just turned it off and back on again?” Rossi at least had the grace to look apologetic as he took off to escape the geyser.
Chapter 2
Zafira looked at the backs of the retreating customers and grumbled to herself, starting the machine’s manual restart procedure, grumbling at the lack of a simple off switch.
The coffee machine, an older model that integrated straight into the counter, quieted slowly. Ernest took a short breath of relief before the machine suddenly buzzed back to life and resumed its caffeine eruption.
Zafira started, and then smiled, feeling slightly vindicated that the snooty customer’s ‘suggestion’ hadn’t worked.
Ernest, catching another coffee burst to the stomach, did not feel at all vindicated. He let out a long and tired whine.
“So that didn’t work,” Zafira said, rather obviously, “maybe it’s the software then?”
Ernest cast an offended glance at the bundled software cables climbing out of the coffee machine and out into the food court.
“Alrighty then,” said Ernest, collecting himself. “Like my pops used to say, ‘If you want something done right, do it together.’ So let’s go find Deb – helping us manage all this is her job after all.”
The pair of baristas locked the currency exchange scanner and left the shop, leaving the nozzle still firing coffee.
Ernest gave Zafira an uncertain smile as they stepped into the airlift just to the right of the shop that served as the primary upward transportation between station levels, bracing themselves for the uncomfortable gust of air that propelled them to their chosen floor. Seconds later, they tumbled out onto the mezzanine level. Once they had righted themselves, Zafira led the wobbling Ernest down a dark hallway lined with abstract art pieces that appeared to represent overflowing gumball machines – that or exploding space ports.
To the left, a door with a plaque reading ‘Deborah Nachtnebel, Food Court Manager’ was left slightly ajar.
Knocking on the door frame, Ernest called out, “Hey, what’s up, hello!”
“Please, please come in.” Deb stood quickly as they entered, thoughtlessly knocking over her precariously placed ‘Dog Mom’ mug full of free sample pens.
“Hey there, Deb,” said Ernest, giving a genuine smile while bending down to help her retrieve the pens. “I heard Mabel isn’t feeling so well today—sorry to hear that.”
Deb’s monitor displayed a photo of an overweight beagle in a cowboy ensemble, partially hidden by the chaos of icons across the screen, Zafira stared at the image and managed to stifle a snicker.
“Poor Mabel has an upset stomach yet again and the end of the day can’t come soon enough,” Deb huffed.
“Well, we wish Mabel a speedy recovery,” said Ernest flattening the creases on his coffee-stained apron. “What we could really use your help with Ms. Nachtnebel, is our coffee machine. It’s malfunctioning and shooting coffee everywhere,” he gestured at his still dripping attire.
“Huh that’s weird,” sighed Deb absentmindedly, clicking open what appeared to be a live feed of Mabel knocking over a trash receptacle in her kitchen.”
“Did you try turning it off and back on?” asked Deb, watching Mabel pull what appeared to be discarded leftovers—spaghetti—from the depths of the trash.
“Yea, we did, thanks. But the only thing that did was give Ernest a second coffee shower, so we think it might be much more serious than that. Might be a software issue” said Zafira, pulling a clearly interested Ernest away from the live feed on Deb’s screen.
“Well,” Deb said, turning off the screen and packing up her bag. “Sounds like something you’ll have to tackle. I really need to head home. Mabel got into the trash again.”
“Please,” asked Ernest, “we really have no idea what’s going on. Isn’t there anyone here that could help us?”
“Ma’am” said Zafira, “don’t you have to actually do your job?”
Deb held the office door open for Zafira and Ernest. “Listen, the standards and bylaws of the HOSTL food court clearly state that management can only step in after an assessment finds the base infrastructure to be at fault. So, for the time being it sounds like a you problem. Go grab the incident reporting form from the Cloud, fill it out, and send it to me.”
Deb swished through the door, her half-open bag leaving a trail of dog treats in her wake.
“No way am I dealing with the Cloud on top of everything else today,” Zafira said as they padded back along the hall, “they are so rude.”
“How can an amorphous blob entity be rude?”
“I look forward to the day you find out. I’ll bring popcorn. Anyway, I hadn’t really expected Deb to do anything, if I’m being honest, but the utter lack of interest in her job isn’t a great motivator.”
“Well, if Deb won’t do anything about this, we’ll have to,” Ernest replied, wringing his apron absentmindedly, “I just hope no more customers are caught in the blast.”
“Let ‘em swim in it. Man, I hope Ms. “Two shots, double foam, sprig of thyme”- lady comes in to taste a little bit of the chaos,” Zafira said wistfully, “I deserve that.”
The two glided out of the lift, walking perhaps slower than was necessary past Comet’s Custards and World of Cheesecake.
“I think we should have some sort of plan,” Ernest mused to Zafira’s back as they inhaled the sickeningly sweet scents on their way back to Caffeine Crater.
The food court was absent its usual assortment of put-upon port workers inhaling sub-par sustenance. The quiet quotidian hum had been replaced by a frenzy of put-upon food court employees variously screaming in frustration at and sitting slumped in endlessly cascading liquid.
One particularly downtrodden Comet’s Custard employee stood hunched in front of the juicer, allowing the jet of pineapple-mango to spray across his chest and seep down his legs, while his coworker struggled to move each delicately decorated dessert out of the line of fire.
Zafira and Ernest weaved through the rivulets of coffee and tea winding their way out of every shop, until they reached One Small Step Fur Man, the local cat café. The café’s outer pavilion was immaculately clean, and Ernest noticed the usual menagerie of felines was conspicuously absent.
Chapter 3
“Halt, you,” came a voice, with far much too much self-importance for Zafira’s liking.
The two baristas paused, more out of confusion than compliance.
“Do you two have any information about what has transpired here?” the man inquired.
“Um, your cats are gone?” Ernest said, giving his best ‘talking to a confused customer smile.’
“You mean you don’t know who I am?” the man asked, his hand slicing through the air between them in greeting. Ernest took it, hesitating.
“The name’s Filliux. Neymar Filliux. Security Guard,” he stood proudly for a moment, clearly lost in his own self-presentation.
“How nice for you,” Zafira said, giving Ernest a quick sideways glance. “So, what did happen here?”
“The cats! They tore out the café’s entire assortment of software supply chains and left! Took off! Disappeared! Vanished into the night.”
Zafira and Ernest looked around the café, and, indeed, the polychromatic neon chains that usually snaked in and out of the store, connecting its various appliances had been nearly torn apart.
Ernest looked back at Neymar hopefully, “Back at Caffeine Crater our systems are all messed up, Zafira thinks it might be the software supply chains. I wonder if it’s the same thing?”
“Don’t worry little guy,” Neymar patted Ernest on the head, a little harder than was probably intended, “I’ve got this well under control.”
“Clearly,” Zafira said in a clipped monotone.
Ernest, noticing her skepticism, jumped in, “Actually, we just came from Ms. Nachtnebel, who said she couldn’t help, but we,” he looked hopefully at Zafira, “have put ourselves on the case, too!”
Neymar looked a bit taken aback at Ernest’s claim, “Well, I guess it couldn’t hurt to team up,” he looked between the pair of them and seemed to rally himself, “Onward team!”
“Yea!” Ernest chorused. “Although, actually, onward where?”
“Well,” Neymar started, clearly caught off guard by the question, “we’re following the cats’ lead of course.”
“The cats?” Ernest asked.
Neymar spoke with verve, picking up speed and confidence as he went. “Yes, absolutely, the cats took off right before everyone’s smart appliances went into hyperdrive, and it would seem the software supply chains just might hold the answer. The cats certainly seem to think so.”
Neymar paused, briefly, noting the unconvinced glance between Ernest and Zafira. “Listen, if you’re in my line of business for long enough, you learn to trust the cats.”
Turning, Neymar led the group through the mess of neon cables. Software chains that once hung from ceilings and clung to walls now fell limply, the victim of razor-sharp feline claws.
Neymar knelt next to the nearest bundle, examining each cable in turn, “That’s interesting, all of these cables were torn down but only this one was damaged.”
“I wonder if that one goes to Caffeine Crater,” Zafira wondered aloud, her eyes following the path of the chain as, sure enough, it wound its way next door into Caffeine Crater and connected to the coffee maker – which was currently spraying coffee scented sludge into the face of a seething but resolute potential customer. She laughed.
“I think this might be the supply chain for the timing software,” she continued, “the one that tells the coffee maker when to shut off and to…not hurt people.”
Ernest chimed in, “Well what if we– “
“–Cats!” Neymar shouted, starling Ernest and Zafira, as well as the furry creatures. They sprinted out of their hiding place, in the decorative island populated with fake trees and flowers – meant to distract food court customers from the fact that they were currently eating their cricket burger inside a giant bubble on the moon in the vacuum of space.
Neymar chased them into the nearby maze of tables and chairs. “Sorry babies,” he whispered as he approached a group that found shelter under the table of an uncleaned booth. He tugged a packet of cat treats out from his pocket, that he, apparently, never left the house without. Zafira rolled her eyes, but the tactic worked. The cats emerged from the booth and allowed Neymar to give them each a quick snuggle.
“Be right back,” he said and sprinted over to the security guard stand, rummaging through his bag and pulling out three differently patterned mobius strips of fabric. He went back to the corralled cats, crossing the fabric around his shoulder and chest. Approaching one of the larger animals, a supine orange tabby, he offered a treat and placed both cat and food into the sling.
“There,” he said, his back now even straighter, “a cat holster.”
Zafira did not look impressed, “and you just had these because?”
“Well,” Neymar responded, looking for the first time a little embarrassed, “I bought them for my cat. I wasn’t sure which color she’d like best.”
Ernest smiled and gestured to one of the empty holsters, “May I?”
Neymar nodded, and Ernest took one of the other slings and situated a white shorthair inside. He headed over to a nearby wall where undisturbed chains remained pinned. He held up the cat to them and to his great relief, the cat had no reaction. He then, with no small measure of fear, took the cat back towards a pile of destroyed software supply chains. Before Ernest could even get close, the cat began to squirm, getting increasingly agitated, almost vibrating as it stared at the cables with intense distrust.
“Neymar, I think you were right. These cats can somehow sense that something’s wrong or untrustworthy.”
Neymar beamed, clutching the cat to his chest, “I am vindicated. They all thought I was crazy but finally,” he stared into the middle distance, “finally everyone will know the truth, that I, Neymar Filliux – security genius – was right all along.” Neymar took a breath, collecting himself for what was clearly a lengthy, and well-rehearsed, victory speech.
Zafira cut him off, “Yes, yes good job you. We still haven’t actually fixed anything yet though.”
That earned her a quick sideways jab from Ernest, who rushed to reassure Neymar, “I am so happy for you Neymar, really. Look out world! Neymar and his cats are gonna do big things! C’mon Zafira, holster up your cat and let’s get moving!”
Zafira shuffled toward the black cat now sprawled across the blue and orange tiled table.
“What’s up?” She lifted her hand to wave at the cat before catching herself mid-gesture, “Alright. If you’ll be cool, I’ll be cool, deal? But if you bite me, I will bite you back.”
Ernest chuckled, but covered it with a cough when Zafira shot him a glare.
Zafira shook her head and exhaled strongly, “Do we have a deal?”
The black cat slowly rolled to her feet and into a languid stretch before walking toward Zafira. With Neymar’s help she situated the cat into the purple sling across her chest.
The team picked their way through the food court, following the damaged chain until it was lost in an indistinguishable neon tangle outside a dilapidated Gravity “R” Us.
Neymar surveyed their surroundings with an air of undeterred confidence, noticing a particularly frustrated lab technician buckling under the weight of a severely damaged cable ahead of them.
Neymar bounded over, his holstered cat bouncing against his chest, “Here son let me do the heavy lifting, I’ll have this done in no time,” he announced moving to grab one end of the cable.
As he stepped closer the lab tech yelped, “Woah, back up dude get that cat out of here! I appreciate the offer, but those things are the reason we’re in this mess. Exactly the reason the Lab never leaves our chains exposed.”
Neymar dropped the cable and whirled on the lab tech, “Stop right there sonny! I’ll have you know—”
“Wait! Sir, excuse me.” Ernest tried to interject as he moved between the two, but Neymar steamrolled right over him, avidly defending cats’ rights while giving his agitated cat a nuzzle.
“— that cats are the greatest friends a man could —“
“Neymar,” Zafira broke in, holding up her hand, “please, Ernest is trying to say something.”
“I’m sorry,” Ernest said stretching his hands out placatingly, “I didn’t mean to interrupt, but what did you mean when you said the Lab never leaves its supply chains exposed?”
“We put them in the walls, so that no one is able to find and mess with them,” the lab tech said with his eyes on the growling cat, “and so I don’t have to spend my whole day playing a high stakes game of jump rope. I guess some of our software supply chains are connected down to the food court for some reason. I didn’t even know we used some of the same software.”
The interconnectedness of software supply chains
Not many of us – I’d perhaps even go so far as to say none of us – has a full understanding of how and to whom we are connected by the software we use. Your vulnerability is not just yours, it is influenced and changed by the behavior of companies and other software users.
“The private sector’s aggregated risk from software supply chain compromises continues to grow. Ever more feature-rich software is finding its way into a widening array of consumer products and enterprise services, enlarging the potential attack surface.”
Read more from the Cyber Statecraft Initiative’s Breaking Trust Report.
He glanced over at Neymar and his cat, who both looked upset. “It’s not that I don’t love cats – I go to One Small Step Fur Man all the time – but they’ve gone wild!”
“So, these” Zafira gestured at the mess of supply chains, “aren’t the only chains in the port?”
“Of course not, the walls are full of software supply chains.”
Neymar, Zafira, and Ernest locked eyes.
“The walls!” Neymar exclaimed, moving along the damaged chain to where it entered the nearby wall with the other two on his heels.
The team stared dumbly at the wall and took an unrehearsed collective step back.
Chapter 4
“Now what?” Zafira asked, “We just break all the walls? Management will love that. Not that I’m against the idea, I’ve always wanted to use a sledge-bot.”
“No,” said Ernest, “I think we can use Neymar’s plan. We’ll follow along closely to the wall and use the cats to make sure we’re on the right track. Does that sound right, Neymar?” He smiled up at the man.
Neymar nodded back at Ernest, “Perfect. These cats are up to the job. I do feel bad purposefully making them upset though.” He took the fluffy orange cat’s face in his hands, “Don’t worry baby boy, Neymar’s not gonna let anything bad happen to you. And I’ll have plenty of treats for you as a reward.”
The cat blinked slowly in response.
“The cats have agreed!” Neymar said smiling.
The team wound their way through the hallways of the port, guided by the angry yowls of their three cats. They were slowed significantly by a detour made necessary when the Cloud, in whom the cats had no interest, decided it wanted to temporarily take up residence outside of the third-floor bathroom. They turned into a long corridor when suddenly the cats ceased their chirping and cuddled quietly into the holsters.
“What on the moon?” Zafira asked, as the three stopped in their tracks, “They’re not angry anymore?”
Neymar looked with concern at his cat, whispering something incomprehensible into its ear.
Ernest started walking again looking uncertain, “Well we were definitely headed this way, it only makes sense to keep going.”
They moved quietly down a nearly deserted hallway for several minutes before coming upon a door labelled AUTHORIZED PERSONNEL ONLY. Ernest hesitated and turned to Zafira, unsure what to do in the face of this unambiguous barrier. Neymar’s fist connected with the door, banging loudly and breaking the silence of the empty hallway. “Official business,” he barked, using his best commanding voice.
The three heard shuffling and grumbling through the walls before the door swung open to reveal a tired looking man and a rather pungent aroma.
The man blinked slowly, looking first at Zafira then up at Neymar, ignoring Ernest’s painfully chipper ‘Hello Strange New Friend’ smile entirely.
“Who are you?” he asked, looking confused.
“Security Guard,” Neymar answered, conveniently leaving out the ‘Food Court’ part. “We’re investigating malfunctions down at the food court that seem to be the result of compromised software supply chains.”
“How do you know what software we use?” the man snapped, regaining his composure, “that’s confidential.”
“Sir, my team is the best, there isn’t a secret on this base that we can’t sniff out. Now – are you in change here?”
“And also, where exactly is here?” Ernest asked.
“My name is Nomis Kazamakis. I’m manager here at Central HOSTL Robotics Lab,” Nomis appeared to notice the cats slung around his visitor’s waists for the first time and cast a worried look their way, “You said you were cleared to come in here?”
“Absolutely,” Zafira jumped in, “You mean you haven’t been told about our new division? Latest and greatest procedures in cybersecurity developed by this guy right here,” she slapped Neymar on the back, drawing attention away from Ernest’s reddening face.
“So,” Neymar said, “about these compromised supply chains?”
Nomis turned his back on them and started shuffling back to his chair, “Oh yea, those, the team’s been working on that all day. It was just our rivals from earth messing with our systems – we have a little prank war going to pass the time,” he said as an aside to Ernest. “They just messed with the timer on our microwaves and caused all our burritos to explode. Don’t worry, we fixed our systems.”
The three looked at him in shock, mingled with disgust as they noticed that the burrito he had started to dig into indeed looked as if it had been scraped off the floor.
“Don’t worry? You didn’t think to tell anyone?” Zafira nearly shouted, “We’ve been running around this cursed building for basically the whole day, angry cats tied to our bellies, only to find out that you’ve known about it this whole time?”
“Well, yea. I think my software guy said something about telling people but, I’ve been busy.” Nomis answered, his mouth still full.
“Hey, um, in the future, do you think you could maybe let the building know when something like this happens?” Ernest asked.
“That would be insecure,” Nomis replied. “Plus, it was just a microwave.”
“But,” Zafira said, “if you had just told everyone about this compromise from the beginning, we would have understood the problem and been able to respond. That same software was used by our coffee machine and dozens of other systems all across the port.”
Reporting incidents and collecting data
Public discussion and analysis of software supply chain breaches is invaluable. These attacks are a regular feature of cybersecurity but remain understudied as a tactic of malicious actors and a tool of cyber statecraft.
For example, the private cybersecurity company FireEye’s public acknowledgment in December of 2020 that they had been breached by an APT (advanced persistent threat), soon cascaded into massive and widespread software supply chain incident discovery. In the following days and weeks hundreds of entities including Microsoft, SolarWinds, and several US Government entities discovered and revealed breaches linked to a single software supply chain campaign of attack.
Our Breaking Trust dataset, updated in 2021, presents an open and freely downloadable dataset of 117 software supply chain attacks and 44 disclosures spanning from 2010 to 2021.
“They’re right,” Neymar said, “if it wasn’t for our cats, we never would’ve been able to figure this out.”
“We didn’t even know that we shared software supply chains with this lab since they’re all hidden away. I don’t think you should be doing that,” Ernest said softly, looking genuinely aggrieved.
“Well that, son, is because you don’t understand security,” Nomis huffed.
Neymar circled around to where Nomis remained fixed in his chair and clapped the man’s shoulder, “My team understands cybersecurity. Clearly better than you do if you won’t even listen to your own software people.” He begun subconsciously scratching the orange head peeking out of his holster.
“Well, then, if that’s the case then you clearly don’t need my help. Now get out of my lab.” Nomis shrugged away from Neymar’s grip and took off his shoes, glancing at the group dismissively as the acrid smell following the team out the room.
“So,” said Ernest, looking deflated for the first time since getting a firehose to the face that morning, “I don’t think Nomis is interested in helping us down at the food court.”
“Color me shocked,” replied Zafira.
Chapter 5
The team walked in contemplative silence through the winding hallways, making their way back to the food court.
“Maybe we could talk to the other food court employees and owners? Maybe he’d listen if we formed a coalition!” said Ernest.
“That’s a great idea Ernest,” said Neymar, not breaking his stride, “we’re going to need their help in assessing the food court’s security risk and focusing our detection efforts where it’s concentrated.”
Zafira glanced between Neymar and Ernest, whose step was bouncing with renewed excitement, “and what exactly does that mean?”
“The cats of course!” Neymar said, his confidence from the morning returning in full force as he spoke, “If we place a cat in each shop in the food court, we’ll be able to detect compromised software supply chains at critical junctures in time to stop things from getting totally out of hand again, just like how the cats cut the chains to One Small Step Fur Man before any of the shop’s appliances could go haywire.”
“Wow,” said Zafira, picking up her swaddled cat and staring it in the eyes, “you’re gonna be more useful than I am.”
The black cat gave a knowing chirp.
“Oh right, you always have been, of course,” she responded, then caught herself, “stars, Neymar, now you’ve got me talking like a mooned-out cat person.”
Neymar smiled in approval, stroking the purring cat in his own holster.
The team stepped through the frosted double doors and looked over a food court full of thoroughly demoralized employees and customers. Most of the affected machines had by now run out of ammunition, and the employees were finally able to start tackling the truly staggering mess they had produced. The cats had returned to their favored hiding spot in the artificial forest and only now were periodically peering through the leaves to hiss at nearby software supply chains.
Ernest sighed, “Well, back to the real work.”
Neymar strode over to a nearby table and climbed atop it, “May I have your attention everyone!”
The employees turned and trundled slowly over, dragging handcarts and mops in their wake, to form a curious semicircle around the security guard.
“We just got back from the central robotics lab. It turns out,” Neymar paused for dramatic effect, “that they were the target of the software supply chain compromise, and we were just collateral damage.”
The crowd began to grumble.
Zafira joined Neymar on the table, “I know, I know, we tried to work this out with their top guy, Nomis, but the dude is impossible.”
Neymar nodded, “That’s right folks. Long have I believed that cats would be the key to security, and at long last that belief has proven true.” He paused to lift the cat from its holster, “Through the course of the day we have proven that these cats can sense when and where software supply chains are compromised, and when they detect that compromise, they attack, as you have seen today.”
In the crowd, employees shuffling their feet or moving slowly away from the two speakers and the cat held out in front of them. Seeing that the crowd was not yet convinced, Ernest jumped in, crowding on top of the table and clutching his arms around the other two, “I know I haven’t been here long, and I still don’t quite understand everything that goes on up here, but it almost makes sense if you think about it. These cats, well, they don’t trust too easily. If you want to be their friend, you have to prove that you’ve earned that trust. I guess that’s how they interact with everything, software supply chains included. Neymar’s plan will involve us all sticking together and protecting each other so, are you with us?”
The dissenting employees turned, and a murmur of assent began to ripple across the group.
“So the plan is,” Neymar continued, standing straight upright, arms akimbo, in his best heroic pose, “that we will distribute cats to each and every shop down here in the food court, so that we are never caught off guard again. Never again will we place our trust in untrustworthy software.”
“Well, maybe not never,” Zafira mumbled, “but definitely a lot less.”
Ernest glanced around the room, at each face saturated with coffee and tea and juice and custard and the strife of a long, hard day, “We may not be able to stop every bad thing from happening but,” he smiled, “we’ll be ready to face anything together.”
The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.
Further reading
Sun, Jul 26, 2020
Software supply chain security: The dataset
Trackers and Data Visualizations By
Want to dive deeper into the Breaking Trust database? You have come to the right place.
Sun, Jul 26, 2020
Breaking trust: Shades of crisis across an insecure software supply chain
Issue briefs and reports By
Software supply chain security remains an under-appreciated domain of national security policymaking. Working to improve the security of software supporting private sector enterprise as well as sensitive Defense and Intelligence organizations requires more coherent policy response together industry and open source communities.
Mon, Mar 29, 2021
Broken trust: Lessons from Sunburst
Report By
The story of trust is an old one, but the Sunburst cyber-espionage campaign was a startling reminder of the United States’ collective cyber insecurity and the inadequacy of current US strategy to compete in a dynamic intelligence contest in cyberspace.