We know all the ingredients in the food we buy. That information is readily available on the label of every product, along with calories, carbs, sugar, and other things we may (or may not) want to know. We need to know what goes into the food we eat for reasons ranging from personal taste and health to safety issues such as food allergies. We would find it odd if the food on the shelves did not list what was inside, and it would raise suspicion.
Yet when it comes to the software that companies and governments use every day to manage everything from the mundane to the complex, we rarely question the components used to build it. That is true even for the systems and networks that operate technology and equipment as sensitive and vital as hospitals, nuclear power plants, and other elements of our critical infrastructure.
I guarantee the cybersecurity buzzword salad for this year’s RSA Conference will include the phrase “supply chain security.” You won’t be able to walk the Expo floor without hitting a booth touting the need for supply chain security.
The Cyber Readiness Institute (CRI) is a non-profit organization that provides free training and tools to enable small and medium-sized businesses (SMBs) to bolster their cybersecurity hygiene. We know supply chain cybersecurity is critical. Our members—Microsoft, Mastercard, General Motors, Apple, Principal Financial, ExxonMobil, and The Center for Global Enterprise—have told us supply chain security and resilience are a priority. Large, multinational companies have the resources and motivation to build network fortresses. Still, they recognize their weak link is the suppliers and vendors they work with who unknowingly could provide a “backdoor” to their organizations to be exploited.
While our members and other non-profit organizations are working to improve the cyber readiness of individual SMBs in the global supply chain by drawing attention to the role human behavior plays in many cyber incidents, we must also look at the supply chain security of the software products that SMBs (and all organizations) rely on daily. As several high-profile attacks, including the SolarWinds hack, have shown, we do not have a clear understanding of the software underpinnings of our systems and networks. Like any other product, physical or virtual, software is built from hundreds, sometimes thousands, of components. In today's open-source world, many of those components are pulled in and trusted from authors and origins the buyer has never examined.
It is time we discuss and address the need for a comprehensive software bill of materials (SBOM) for every product that we, as businesses, use and sell. An SBOM is the list of ingredients: a machine-readable inventory of the components and versions inside a product. With it, when a vulnerability in a component is disclosed, an organization can identify every affected product it runs and patch it, instead of guessing which systems contain the flawed component. We know SBOM is on the radar of our nation's cybersecurity leaders, from the National Telecommunications and Information Administration (NTIA) to the National Institute of Standards and Technology (NIST) to the White House.
At CRI, we stress the need for SMBs to focus on employee awareness and deploy four core cybersecurity policies—strong passwords, software updates, phishing awareness, and proper USB use. Software updates are a frontline defense against cyberattacks, and we must have confidence that they are safe and secure.
Today we often operate on the assumption that the software we deploy is secure, without any evidence for that assumption. It is not a great place to be. Our nation's SMBs are the backbone of our economy and rely on the integrity of the software systems they deploy, and so does every link in every supply chain of every industry.
We need answers to many questions about our software systems. Which components (ingredients) could put us at risk? If we are attacked, can we quickly and easily investigate the software components to find the vulnerability that must be fixed? Can we trust the software updates we are automatically deploying?
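The "list of ingredients" question above is the one an SBOM is meant to answer in minutes rather than days: given the inventory, which components fall inside the affected range of a published advisory? The following is an added example written for this piece, not code from CRI or from any SBOM tool. The SBOM is a constructed document in the CycloneDX JSON layout, the advisory feed is invented (the `EX-` identifiers and `acme-` packages are hypothetical), and the range check borrows the OSV-style "introduced"/"fixed" convention. It also covers two cases a practitioner hits immediately: a version that equals the fixed version (not affected) and a component listed without an identifier, which cannot be checked at all and must be reported rather than silently skipped.

```python
"""Match an SBOM's component inventory against vulnerability advisories.

Added example. The SBOM, the advisories, the package names and the
advisory IDs are all constructed for illustration and are not real.
"""
import json

# Constructed SBOM in CycloneDX-style JSON (hypothetical product and packages).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "acme-logger", "version": "2.14.1",
     "purl": "pkg:maven/com.example/acme-logger@2.14.1"},
    {"type": "library", "name": "acme-http", "version": "4.5.13",
     "purl": "pkg:maven/com.example/acme-http@4.5.13"},
    {"type": "library", "name": "acme-json", "version": "1.0.3",
     "purl": "pkg:pypi/acme-json@1.0.3"},
    {"type": "library", "name": "vendored-blob", "version": "unknown"}
  ]
}
"""

# Constructed advisory feed (hypothetical IDs). A version is affected when
# introduced <= version < fixed, as in OSV-style ranges.
ADVISORIES = [
    {"id": "EX-2021-0001", "purl_prefix": "pkg:maven/com.example/acme-logger",
     "introduced": "2.0.0", "fixed": "2.15.0", "summary": "remote code execution"},
    {"id": "EX-2021-0002", "purl_prefix": "pkg:maven/com.example/acme-http",
     "introduced": "4.0.0", "fixed": "4.5.13", "summary": "header injection"},
    {"id": "EX-2022-0003", "purl_prefix": "pkg:pypi/acme-json",
     "introduced": "0", "fixed": "1.0.2", "summary": "unbounded recursion"},
]


def parse_version(version):
    """Turn a dotted numeric version into a 3-tuple for ordering.

    "1.0.3" -> (1, 0, 3); "1.0" -> (1, 0, 0). Non-numeric suffixes are
    dropped, so this is deliberately simpler than full semver.
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def split_purl(purl):
    """Split 'pkg:type/namespace/name@version' into (prefix, version)."""
    prefix, _, version = purl.partition("@")
    return prefix, version


def is_affected(version, introduced, fixed):
    """True if introduced <= version < fixed (fixed=None means no fix yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def find_vulnerable_components(sbom_json, advisories):
    """Return {'vulnerable': [...], 'unchecked': [...]} for one SBOM.

    'unchecked' lists components that carry no purl: they are ingredients
    the SBOM names but cannot tie to any advisory, which is itself a finding.
    """
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    vulnerable, unchecked = [], []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            unchecked.append(comp.get("name", "<unnamed>"))
            continue
        prefix, version = split_purl(purl)
        for adv in advisories:
            if adv["purl_prefix"] == prefix and is_affected(
                    version, adv["introduced"], adv["fixed"]):
                vulnerable.append({"component": comp["name"], "version": version,
                                   "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return {"vulnerable": vulnerable, "unchecked": unchecked}


if __name__ == "__main__":
    print(json.dumps(find_vulnerable_components(SBOM_JSON, ADVISORIES), indent=2))
```

Run against the constructed inputs, only `acme-logger` 2.14.1 is reported (it sits inside the 2.0.0 to 2.15.0 range), `acme-http` 4.5.13 is not (it is exactly the fixed version), `acme-json` 1.0.3 is past its fix, and `vendored-blob` is surfaced as unchecked. That last bucket is the point of the article in code form: an SBOM entry without an identifier is an ingredient nobody can look up, and the inventory is only as useful as its least-described component.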
It is time that we know what’s in the software we rely on every day. The health of our supply chain depends on that basic ingredient.