Software supply chain insecurity

Society has a software problem. Our watches have file systems; combat aircraft come with software updates; and every organization from the Internal Revenue Service to an Etsy storefront relies on software to serve its users. No longer confined merely to computers, embedded software now controls the operation of complex power generators, medical hardware, and planetary-scale datasets. A generation of Western defense systems relies on the benefits of Commercial Off-the-Shelf (COTS) technologies and the long chains of software that follow, from high-bandwidth satellite data links to a growing dependence on open-source software (OSS) in machine learning applications and logistics networks. As one commentator put it, “software is eating the world.”

Despite its significance, software supply chain security remains an underappreciated domain of national security policymaking. While a physical system is rarely modified once it leaves the factory, software is continually updated, meaning that the supply chain for software is long and depends on users to trust their vendors and developers. This is a major source of national security risk, threatening both public and private-sector organizations.

This project evaluates an open dataset of one hundred and thirty-eight software supply-chain attacks and vulnerability disclosures collected from public reporting over the past ten years to show that software supply chain attacks are popular, impactful, and used to great effect by states. These attacks give attackers access to critical infrastructure. States like Russia, China, North Korea, and Iran attack the software supply chain as part of their offensive cybersecurity efforts. Our most recent report profiles one of these efforts, the Sunburst campaign, and draws lessons for policymakers and cybersecurity practitioners.

In-depth research


Mar 29, 2021

Broken trust: Lessons from Sunburst

By Trey Herr, Will Loomis, Emma Schroeder, Stewart Scott, Simon Handler, and Tianjiu Zuo

The story of trust is an old one, but the Sunburst cyber-espionage campaign was a startling reminder of the United States’ collective cyber insecurity and the inadequacy of current US strategy to compete in a dynamic intelligence contest in cyberspace.

Cybersecurity Intelligence

Issue briefs and reports

Jul 26, 2020

Breaking trust: Shades of crisis across an insecure software supply chain

By Dr. Trey Herr, William Loomis, Stewart Scott, June Lee

Software supply chain security remains an under-appreciated domain of national security policymaking. Working to improve the security of software supporting private sector enterprise as well as sensitive Defense and Intelligence organizations requires a more coherent policy response together with industry and open source communities.

Cybersecurity Defense Technologies

Short-form content

In the News

Jan 22, 2021

Loomis and Scott in Lawfare: A role for the vulnerabilities equities process in securing software supply chains

On Jan. 14, something unusual happened: the National Security Agency (NSA) publicly announced that it had discovered a critical vulnerability (CVE-2020-0601) deep within Windows 10 and reported it to Microsoft for patching. The disclosure was lauded because of the bug’s severity; buried in a cryptographic library, it would have allowed opportunistic attackers to decipher encrypted […]


Software supply chain attack and disclosure dataset

The Atlantic Council’s Cyber Statecraft Initiative, within the Scowcroft Center for Strategy and Security, works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.