In the wake of recent ransomware attacks on major companies like Micro-Star International (MSI) and 3CX, supply chain security is a top concern for businesses of all sizes.
At CRESTCon Europe, security experts discussed the latest threats and best practices for protecting supply chains.
During his keynote speech on May 18, Jon Geater, co-chair of the Internet Engineering Task Force’s (IETF) Supply Chain Integrity, Transparency and Trust (SCITT) working group, reminded the audience that software supply chain attacks soared 742% between 2019 and 2022.
Clearly, the threat level is more significant than ever and cybersecurity industry members are actively working together to secure their supply chain block by block. Geater, who is also co-founder of RKVST, outlined some of these initiatives when speaking to Infosecurity.
IM: With supply chain attacks increasingly making headlines, what can the industry do to mitigate the impact?
JG: Interestingly, we still haven't quite landed on a single definition of what supply chain attack means. There are at least a couple of different types of supply chain attacks:
- The ones where an attack on one of your suppliers or partners can affect your business
- The attacks that target the supply chain infrastructure itself, with techniques like man-in-the-middle (MITM) attacks.
These two things require quite different approaches to solve them. However, there are things the industry can do that could help secure the supply chain and prevent both types.
So far, we've focused an awful lot on the ‘confidentiality’ side of the ‘confidentiality, integrity and availability’ (CIA) triad. We haven't done such a great job of the ‘integrity’ part, ensuring the data we process and use is trustworthy and free from tampering.
Read more: White House Shifts US Cybersecurity Strategy Towards International Cooperation
There are currently several initiatives to improve this side of security, including mandating software bills of materials (SBOMs), pushing for digital certificate transparency or advocating for new standards such as IETF’s Supply Chain Integrity, Transparency, and Trust (SCITT), with which I’m involved.
IM: Do you think SBOMs can really improve supply chain security?
JG: I think so. The issue we have now is that the enforcement schedule in the US was pushed back, which could delay its adoption.
We had Biden’s Executive Order 14028 in May 2021, which introduced the idea of mandating SBOMs. Then two US agencies, the National Institute of Standards and Technology (NIST) and the National Telecommunications and Information Administration (NTIA) put together a framework for mandating what they called “minimum elements of an SBOM.”
CISA, the US cybersecurity agency, then started running consultation groups to get ready for the implementation roll-out. At this stage, we were getting quite detailed and practical about how this will go and how to use it.
And then the US Office of Management and Budget (OMB), which was in charge of setting the final requirements and the enforcement regime, crawled back following some criticisms and said SBOMs would not be mandated but only what they called a letter of attestation.
Now NIST is out there, again, doing another consultation on what the contents of this attestation should be. Essentially, it’s likely to be just a document where organizations promise that their software is updated and the vulnerabilities patched.
It’s a shame, really, but thankfully, the actors behind SBOMs haven’t slowed down, with some working on the CycloneDX and others on the SPDX standards.
But since it has been slowed down by the government, maybe we’ll jump over it and go straight to standardizing the entire supply chain lifecycle with SCITT.
IM: What is SCITT about?
JG: SCITT is a standardization initiative initially pushed by Arm and Microsoft in June 2022.
To understand what SCITT is, let’s start with an SBOM. With an SBOM, you’re given a lump of data telling you what software you’re using and their dependencies, but you don’t necessarily know it’s true – although you can audit these things.
Also, a bill of materials is not the only thing you need to improve supply chain security. For example, you need to know who published the software, how it was handled, whether the people running it were qualified, and whether the software has been modified.
SCITT allows you to take any artifact, whether it’s the software itself, a letter of attestation, an SBOM, or even a vulnerability exploitability exchange (VEX) and say who did what, when, for the entire lifecycle, from design all the way through delivery, and then through end of life and withdrawal.
"I'd flip the software supply chain automation switch first and then and then start looking into AI."
At IETF, we have been running the SCITT initiative for seven months now and have become the fastest chartering group in IETF history – which means that people have come on board at an impressive pace to develop this.
We’ve also made good implementation progress: you can now drag and drop any file on our platform and you get back a receipt to demonstrate you own it, with a timestamp and all the cryptographic integrity information necessary so it can’t be tampered with.
IM: You also mentioned an industry push for digital certificate transparency. What is it?
JG: The Certificate Transparency (CT) initiative is another standardization project that was started by Google in 2013 and that seeks to answer more detailed questions on the security of digital signatures in general.
CT members are focusing on what they call ‘web public key infrastructure (PKI),’ which encompasses SSL certificates and browser padlocks, for instance. They’re working on a framework to ensure the integrity of digital certificates.
We’ve seen so many hacks where certificates were corrupted because the cryptographic key was poorly made, not to mention the issues in traditional PKI with revoking certificates – which means that once you've revoked a certificate, it's really hard to know whether you can trust anything.
The CT initiative tries to develop an architecture that would provide trustworthy answers about any certificate.
It's got good buy-in from the big players, including Google, Facebook, DigiCert, Cloudflare and a few encryption key providers, which is excellent news.
IM: Infosecurity recently reported on OX Security integrating ChatGPT to enhance its software supply chain security solution. Do you think AI will be helpful in securing the supply chain?
JG: It can be helpful, of course. I use generative AI in my business, for example. We have a ChatGPT-derived agent that monitors our technical debt stack and reminds us to fix things quickly – why waste time on finding the issues when we can actually fix them and deliver a better product to our customers?
Read more: ChatGPT Leveraged to Enhance Software Supply Chain Security
However, I’m wary of two things regarding AI. First is that there's a kind of snake-eats-tail loop here: there is a digital supply chain into that chat agent, and knowing how it's trained and making sure it's actually got a good basis of data in the first place is fundamental. Hopefully, the developers or generative AI tools will look after that themselves.
The other thing that worries me a bit and would make me roll it out slowly is that ChatGPT and other AI chatbots are incredibly confident and will give you wrong answers in a compelling way. So, I'm not sure I'd actually flip that automation switch yet. Instead, I'd flip the software supply chain automation switch first and then and then start looking into AI.