The vast and heavily interconnected software supply chain is arguably the biggest cyber issue faced by organizations in the world today.
Threat actors now recognize that attacking software developers and suppliers can grant them access to the hundreds and sometimes thousands of organizations that use a particular piece of software. To do so, they seek to exploit security weaknesses that let them alter source code and insert malware into the software's build and update processes.
The SolarWinds incident, uncovered at the end of 2020, is a famous example of the potentially wide-ranging impact of such an attack. After successfully adding malicious code to the SolarWinds Orion update, the attackers were able to access the systems of nearly 18,000 customers who received the compromised software update, including US federal government agencies.
A major component of the supply chain risk is the growing use of open source software, which offers tempting opportunities for malicious actors. Common techniques used by attackers include uploading malicious packages on open-source repositories, which can then be picked up and used by individuals and organizations.
Because the open source ecosystem relies on volunteers and committed contributors to manage vulnerabilities, there are often wide disparities in the extent to which code is maintained, if at all.
The exposure of the Log4j vulnerability in 2021, which many security experts view as the worst vulnerability of all time, emphasized the huge risks posed by the open source software ecosystem. An estimated 58% of organizations use the Log4j logging library, meaning that if left unfixed, all are at high risk of malicious activity. Leveraging the vulnerability, attackers have been able to break into systems, steal passwords and logins, extract data and infect networks with malicious software.
Michael Skelton, senior director of security operations at Bugcrowd, recently told Infosecurity that in the first 48 hours of the vulnerability being identified, his team experienced over 1000 critical findings linked to Log4j. They continue to experience Log4j submissions to this day, over a year later.
Yet despite the risks, open source software offers huge societal and economic benefits that should not be underestimated. Because it is distributed with its source code, it is made available for use, modification and redistribution under its original rights at zero cost. This provides obvious financial benefits but also helps facilitate innovation and greater efficiency for organizations.
Proponents of open source also highlight its democratic value, as it provides far more transparency and community engagement compared to closed source software that is controlled by a single entity.
While it is clear that the current status quo, in which the open source software community alone maintains the code, is not sustainable given the extent of its use, it is crucial that such benefits are not lost.
Government Interventions in Supply Chain Security
This is an issue that governments are starting to wrestle with. The US federal government has launched numerous policies aimed at enhancing supply chain security in the past few years. This includes President Joe Biden’s executive order in 2021, which requires federal government software suppliers to meet strict rules on cybersecurity or risk being blacklisted.
This includes promoting the use of the Software Bill of Materials (SBOM), a list of the ingredients that make up a piece of software. In addition to being recommended across all sectors, SBOMs are set to become a requirement for defense contractors.
During the recent State of Open Con 23 conference, held in London, UK, Infosecurity spoke to two prominent members of the White House’s Office of the National Cyber Director (ONCD) team: Camille Stewart Gloster, ONCD’s deputy national cyber director and Anjana Rajan, the assistant director for technology security, who provided further details on the US federal government’s approach in this area.
Both agreed that their passion for shaping cybersecurity policy, including in open source, comes from their previous industry experiences prior to joining the White House. Working as global head, product security strategy at Google in December 2021 as Log4j struck, Stewart Gloster recalled that period being “probably my worst holiday season.” It was these kinds of real-world experiences that she is now bringing into the world of policy, at the heart of the US government, since taking her current post in August 2022.
Stewart Gloster explained that she is now striving to “build a team that can reflect the different types of expertise that were needed.”
This desire for a diverse range of skillsets at the ONCD led to the appointment of Rajan, a trained cryptographer, as assistant director for technology security in November 2022. Among other prominent technical roles, Rajan was previously chief technology officer of the anti-human trafficking non-profit organization Polaris. There, she observed the potential for governments to exploit open source vulnerabilities to spy on citizens, including one particular state targeting ethnic minorities. This demonstrated to her how open source vulnerabilities “affect everyday people – it’s not just for cyber professionals.”
Working in the federal government, Rajan can take a more holistic view of the problem, and has the opportunity to bring about real change. “Now, coming to the White House and thinking about policies that can scale security and planning ahead is very exciting,” she commented.
Developing Federal Policies
Both Stewart Gloster and Rajan emphasized that the federal government is not rushing to make interventions in the open source space, and is carefully analyzing the issues and understanding where intervention is necessary. “Our first order of business is to understand the challenges and opportunities and what our role in that is,” explained Stewart Gloster.
The next stage is to collaborate with international partners and the global open source software community to ensure that policies are enacted in a coordinated and collaborative way. This is why the ONCD is keen to attend events such as Open Con, engaging with the open source community to get feedback on the work it is doing.
Rajan highlighted the unique nature of the “highly sophisticated” open source community. “These are communities, they aren’t companies or institutions,” she pointed out. This means that it is highly globalized in nature, with software being built, accessed and used from anywhere in the world.
“This means that as you think about policy, you have to start with an international strategy from day one,” said Rajan.
She added that addressing open source software challenges is far from just a technical problem, with issues around market incentives and establishing responsibilities also part of the solution.
One key area of focus at the moment for the ONCD is promoting memory safe languages for writing software. During her keynote address at the conference, Rajan explained that the use of common, memory unsafe languages in developing open source code, such as C and C++, “means you can read data that you shouldn’t see, write data you shouldn’t change and access or delete data that shouldn’t be available.”
She added: “When you think about this at scale, that’s a pretty catastrophic situation from a cybersecurity perspective.”
However, Rajan noted that technical solutions already exist, as there are “lots of memory safe languages all across the tech stack that we can and should be using instead.”
She highlighted research showing that when software written in memory unsafe languages is migrated to a memory safe language, the number of software vulnerabilities can be reduced by up to 70%.
Therefore, the federal government is advocating for open source software developers to make the switch to memory safe languages. This requires a multi-pronged strategy, encompassing both short-term wins and long-term sustainability. These include:
- Auditing and upgrading “technical debt” in the global IT ecosystem through initiatives like post-quantum cryptography and implementing memory safety
- Funding and encouraging research that eases the transition to memory safe programming languages
- Investing in critical non-profits that operate and contribute to the open source ecosystem
- Ensuring programming languages for smart languages are memory safe
- Educating the workforce in using memory safe programming languages by ensuring this is taught in schools and colleges
Rajan commented: “While there is no silver bullet for securing the software ecosystem, this is certainly a significant step in driving its resiliency.”
A Unique Approach to Open Source
One of the fears about government intervention and regulations in open source software is that these policies could stifle innovation and the other benefits it offers. However, Stewart Gloster was quick to emphasize that the US government “recognizes the uniqueness of the community structure and ecosystem that underpins open source.”
Therefore, any policy in this area must be tailored, “and no parts of that do we intend to be limiting or just pull from other applications and rubber stamp it over here.”
There is also no need for the government to take a lead on all these areas, and in many cases it will look to “support the momentum that is driving open source to be more secure and resilient.”
Rajan concurred, highlighting the importance of carefully tailoring policy solutions and then evolving them as the years go by.
She also urged that software, including open source, be viewed as critical infrastructure in the same way as crucial physical services like roads and bridges. This means it will require an all-of-society responsibility to continuously maintain and protect this ecosystem.
“We want people to start thinking about this as infrastructure that you benefit from – you can’t run a company properly, or practice democracy and national security without open source,” Rajan noted.
The White House believes that such a paradigm shift in thinking will lead to the open source community, industry and governments together developing solutions that ultimately facilitate a safer open source ecosystem.