Software supply chain insecurity

Society has a software problem. Our watches have file systems; combat aircraft come with software updates; and every organization from the Internal Revenue Service to an Etsy storefront relies on software to serve its users. No longer confined merely to computers, embedded software now controls the operation of complex power generators, medical hardware, and planetary-scale datasets. A generation of Western defense systems relies on the benefits of Commercial Off-the-Shelf (COTS) technologies and the long chains of software that follow, from high-bandwidth satellite data links to a growing dependence on open-source software (OSS) in machine learning applications and logistics networks. As one commentator put it, “software is eating the world.”

Despite all of its significance, software supply chain security remains an underappreciated domain of national security policymaking. While a physical system is rarely modified once it leaves the factory, software is continually updated, meaning that the supply chain for software is long and depends on users to trust their vendors and developers. This is a major source of national security risk in the threat posed to both public and private-sector organizations.

This project evaluates an open dataset of one hundred and sixty-one software supply-chain attacks and vulnerability disclosures collected from public reporting over the past ten years to show that software supply chain attacks are popular, impactful, and used to great effect by states. These attacks give attackers access to critical infrastructure. States like Russia, China, North Korea, and Iran attack the software supply chain as part of their offensive cybersecurity efforts. Our most recent report profiles one of these efforts, the Sunburst campaign, and draws lessons for policymakers and cybersecurity practitioners.

Policymaking for software supply chains

In-depth research

Report

Mar 29, 2021

Broken trust: Lessons from Sunburst

By Trey Herr, Will Loomis, Emma Schroeder, Stewart Scott, Simon Handler, and Tianjiu Zuo

The story of trust is an old one, but the Sunburst cyber-espionage campaign was a startling reminder of the United States’ collective cyber insecurity and the inadequacy of current US strategy to compete in a dynamic intelligence contest in cyberspace.

Cybersecurity Intelligence

Issue briefs and reports

Jul 26, 2020

Breaking trust: Shades of crisis across an insecure software supply chain

By Dr. Trey Herr, William Loomis, Stewart Scott, June Lee

Software supply chain security remains an under-appreciated domain of national security policymaking. Working to improve the security of software supporting private sector enterprise as well as sensitive Defense and Intelligence organizations requires a more coherent policy response together with industry and open source communities.

Cybersecurity Defense Technologies

Short-form content

Testimony

May 25, 2021

Herr testifies to the Investigations and Oversight and Research and Technology subcommittees on improving the cybersecurity of software supply chains

On May 25, 2021, Trey Herr, Director of the Cyber Statecraft Initiative within the Scowcroft Center for Strategy and Security, testified to the House Science, Space, and Technology subcommittees on Investigations and Oversight and Research and Technology on improving the cybersecurity of software supply chains following SolarWinds.

Cybersecurity

In the News

Apr 20, 2021

Forscey in Lawfare: the cyber regulators are coming for the cloud

Today’s cloud computing industry is as important as it is complicated, a critical and opaque sector that undergirds the economy but that few people truly understand. Cloud services have become a pillar of digital society, supporting nonstop innovation. They also create interdependencies that generate a wellspring of concentrated risk. Ensuring that the various subsectors of […]

Cybersecurity

Testimony

Feb 8, 2022

Herr testifies to Homeland Security and Governmental Affairs committee on responding to and learning from the Log4shell vulnerability

On February 8, 2022, Trey Herr, Director of the Cyber Statecraft Initiative within the Scowcroft Center for Strategy and Security, testified to the Senate Homeland Security and Governmental Affairs committee on responding to and learning from the Log4shell vulnerability.

Cybersecurity

In the News

Apr 19, 2021

John in Dark Reading: SolarWinds a catalyst for change and a cry for collaboration

The Sunburst campaign, which includes the SolarWinds incident, is not unique in its type or frequency. Supply-chain attacks have been happening more often over the past seven or so years. As adversaries continue to rapidly identify vulnerabilities, coupled with the world’s increased reliance on digital connectivity, we face mounting challenges in preventing, detecting, and responding […]

Cybersecurity

In the News

Apr 26, 2021

Sherman and Herr in Council on Foreign Relations: the US should make “leverage” the foundation of its cyber strategy

The SolarWinds incident spurred a flurry of debates about whether the U.S. Department of Defense’s 2018 “defend forward” strategy should, or could, have prevented the calamity. Putting aside that the Russian operation was cyber espionage—stealing data rather than denying, disrupting, degrading, or destroying systems—some of these arguments reflected an idea that the United States should […]

Cybersecurity

In the News

Jun 1, 2021

Nather in CSO: Defining linchpins: an industry perspective on remediating Sunburst

The Sunburst campaign underscored the inherent risk of technology to the public and private organizations who use it. It is important to examine what happened, look for opportunities to improve, and move forward. The Atlantic Council’s latest report “Broken Trust: Lessons from Sunburst” introduces the concept of “linchpins,” which it defines as “widely used software with significant permissions … on […]

Cybersecurity

In the News

Feb 8, 2022

Loomis in Lawfare: Defending fire: a need for policy to protect the security of open source

Open-source software has served as an important catalyst for much of modern digital technology, scaling small innovations into widely used features in weeks instead of years. Yet the past few years have shown that open source is at risk. One of the most consequential cybersecurity incidents in recent memory, Log4j, exploited a vulnerability in a […]

Cybersecurity

In the News

May 24, 2021

Herr in Foreign Policy: Russia’s hacking success shows how vulnerable the cloud is

Russia’s Sunburst cyberespionage campaign, discovered late last year, impacted more than 100 large companies and U.S. federal agencies, including the Treasury, Energy, Justice, and Homeland Security departments. A crucial part of the Russians’ success was their ability to move through these organizations by compromising cloud and local network identity systems to then access cloud accounts and pilfer emails […]

Cybersecurity

In the News

May 13, 2021

Herr in Lawfare: everything you need to know about the new executive order on cybersecurity

Yesterday evening, the Biden administration released its much-anticipated “Executive Order on Improving the Nation’s Cybersecurity.” It is tempting to yawn; every administration in recent memory has done something of this kind, after all, and not always to significant effect. But this executive order deserves your attention. It contains concrete measures tailored to respond to lessons […]

Cybersecurity

In the News

May 18, 2021

Handler, Schroeder, and Herr in War on the Rocks: Cyber security as counter terrorism: seeking a better debate

Earlier this month, a senior Justice Department official referred to ransomware as a potential “cyber weapon of mass destruction.” When hackers subsequently disabled the Colonial Pipeline, causing fuel shortages and disruptions along the East Coast, it seemed to validate this warning. But it would be a mistake for the policy establishment to double down on an outdated […]

Cybersecurity

In the News

Jan 22, 2021

Loomis and Scott in Lawfare: A role for the vulnerabilities equities process in securing software supply chains

On Jan. 14, something unusual happened—the National Security Agency (NSA) publicly announced that it had discovered a critical vulnerability (CVE-2020-0601) deep within Windows 10 and reported it to Microsoft for patching. The disclosure was lauded because of the bug’s severity; buried in a cryptographic library, it would have allowed opportunistic attackers to decipher encrypted […]

Cybersecurity

Software supply chain attack and disclosure dataset

The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.