On Jan. 14, 2020, something unusual happened: the National Security Agency (NSA) publicly announced that it had discovered a critical vulnerability (CVE-2020-0601) deep within Windows 10 and had reported it to Microsoft for patching. The disclosure was lauded because of the bug’s severity. Buried in a cryptographic library (the Windows CryptoAPI, crypt32.dll), the flaw let an attacker forge certificates that Windows would accept as genuine, which would have allowed opportunistic attackers to intercept and read encrypted web traffic and to disguise malware as legitimate code from Microsoft or other vendors. The Atlantic Council’s new project on software supply chain security, Breaking Trust, which we co-authored, shows that this kind of vulnerability enables some of the most consequential and sophisticated software supply chain attacks, often perpetrated by state-backed actors.
Government-to-industry disclosures like this one are an important tool for preserving trust in the software ecosystem among users and vendors and for protecting against supply chain attacks. The software supply chain is a significant source of risk for organizations, from critical infrastructure companies to government security agencies, but the state of security in that supply chain does not match the danger it presents. The Biden administration has an important opportunity to rebuild and sustain trust in the software ecosystem by reforming the government vulnerability disclosure process into a more transparent and more frequently used one.