Society has a software problem. Our watches have file systems; combat aircraft come with software updates; and every organization from the Internal Revenue Service to an Etsy storefront relies on software to serve its users. No longer confined merely to computers, embedded software now controls the operation of complex power generators, medical hardware, and planetary-scale datasets. A generation of Western defense systems relies on the benefits of Commercial Off-the-Shelf (COTS) procurement and the long chain of software that comes with it. COTS software underpins dozens of critical Department of Defense (DoD) programs, everything from high-bandwidth satellite data links to a growing dependence on open-source software (OSS) in machine learning applications, logistics networks, and maintenance systems. As one commentator put it, “software is eating the world.”
Despite all of its significance, software supply chain security remains an underappreciated domain of national security policymaking. While a physical system is rarely modified once it leaves the factory, software is continually updated, meaning that the supply chain for software is long and depends on users to trust their vendors and developers. This is a major source of national security risk, threatening both public- and private-sector organizations.
This report evaluates a dataset of 115 software supply chain attacks and vulnerability disclosures collected from public reporting over the past 10 years to show that software supply chain attacks are popular, impactful, and used to great effect by states. Software supply chain attacks provide huge value for attackers and remain popular. These attacks are impactful, giving attackers access to critical infrastructure like electrical power generation and nuclear enrichment systems. States like Russia, China, North Korea, and Iran attack the software supply chain as part of their offensive cybersecurity efforts. This dataset is open and freely available for download.
- Deep Impact from State Actors: There were at least 27 different state attacks against the software supply chain including from Russia, China, North Korea, and Iran as well as India, Egypt, the United States, and Vietnam. States have targeted software supply chains with great effect, as the majority of cases surveyed here did result, or could have resulted, in remote code execution. Examples: CCleaner, NotPetya, Kingslayer, SimDisk, and ShadowPad.
- Abusing Trust in Code Signing: These attacks undermine public key cryptography and certificates used to ensure the integrity of code. Overcoming these protections is a critical step to enabling everything from simple alterations of open-source code to complex nation-state espionage campaigns. Examples: ShadowHammer, Naid/McRAT, and BlackEnergy 3.
- Hijacking Software Updates: 27% of these attacks targeted software updates to insert malicious code against sometimes millions of targets. These attacks are generally carried out by extremely capable actors and poison updates from legitimate vendors. Examples: Flame, CCleaner 1 & 2, NotPetya, and Adobe pwdum7v71.
- Targeting App Stores: 22% of these attacks targeted app stores like the Google Play Store, Apple’s App Store, and other third-party app hubs to spread malware to mobile devices. Some attacks even targeted developer tools – meaning every app later built using that tool was potentially compromised. Examples: ExpensiveWall, BankBot, Gooligan, Sandworm’s Android attack, and XcodeGhost.
While high-profile attacks like NotPetya have forced policymakers to confront the importance of software supply chains, these efforts have been only episodic and have failed to produce long-term security improvements relative to attackers’ growing capabilities and incentives. The impact of these attacks is global and demands action from the United States and allies across Europe and Asia. This report offers three clusters of recommendations to policymakers and industry to address the insecurity of the software supply chain.
First, improve the baseline. The lynchpin of any effort to improve the security of software supply chains broadly will be what impacts the largest number of codebases, not what improves one codebase the most. Perhaps the most useful thing the policy community can do is offer support for widely compatible standards and tools to reduce the burden of secure software supply chain management on developers.
Second, better protect open source. Open-source software is a critical part of most enterprise systems and networks. Even large proprietary projects, like the Windows operating system, are built on large open-source dependencies. The security of open-source projects, and the apparent ease with which attackers can introduce insecure code, is a significant issue. The policy community must support efforts to secure open-source projects, or it will watch a critical and innovative ecosystem wither.
Third, counter systemic threats. Trust is the critical coin of the realm in software supply chains and the United States must work with allies to protect against deliberate efforts to undermine software supply chains. Efforts by states to impersonate software vendors undermine defenders’ ability to patch flaws in code and improve the security of software through the entirety of its lifecycle.
Software supply chain attacks exploit natural seams between organizations and abuse relationships where users expect to find trustworthy code. These attacks are impactful; targeting the supply chain for code can help magnify the value of a breach. Software supply chain attacks can drive compromise deep into an organization’s technology stack, undermining development and administrative tools, code-signing, and device firmware. These attacks have strategic utility for state actors and have been used to great effect, especially by Russian and Chinese groups.
Change is necessary to raise the cost, and lower the impact, of software supply chain attacks. New policy initiatives should work closely with developers and leverage existing security controls to improve baseline security practices. Policymakers should drive new resources to support open-source project security. The US and her allies should pursue new joint activities to counter systemic threats to the software supply chain and facilitate more effective long-term operational collaboration; traditional alliance structures may be insufficient to address these threats. Improvement will require concentrated purpose and clarity of outcome at a time when both are in short supply. This report finds evidence that the past decade has seen software supply chain attacks become only more common and effective.
Without action, the next decade may be worse.