Major cyberattacks since 2019 jolted the U.S. government and software industry into action. The succeeding years have seen executive orders, new funding, two summits and a newfound resolve. Because of those attacks, the federal government aims to fix the open-source software security threat altogether. But what has really come of these efforts in the last few years?

The Wake-Up Call

President Joe Biden issued two executive orders last year on cybersecurity, one called Improving the Nation’s Cybersecurity and the other about supply chain security.

In the six months leading up to the executive order, the SolarWinds attack, a Microsoft Exchange Server attack and the Colonial Pipeline ransomware attack were all uncovered.

In December 2020, cybersecurity company FireEye (now Mandiant) revealed a massive and extremely sophisticated supply chain cyber attack launched by a nation-state via the SolarWinds Orion network management system (NMS). SolarWinds was the leading NMS in both business and government. FireEye’s disclosure was unique. They had not discovered the breach through detached research, but by being victimized by it. The subsequent list of victims was enormous.

Russian-government-backed APT 29 attackers (also known as Cozy Bear, UNC2452 and Nobelium) injected malware into SolarWinds’ software build environment. This enabled the attackers to gain access to the networks, systems and data of thousands of SolarWinds customers. Since then, it’s been described as the biggest attack in history. Tens of thousands of organizations use the software. To oversimplify how the attack worked, attackers breached SolarWinds’ networks in September of 2019. The next month, they injected malware called Sunburst into Orion, an IT performance monitoring system offered by SolarWinds. Then in March 2020, SolarWinds itself sent out Orion updates containing the malware.

Another incident, the Log4j vulnerability, also spurred action as a poster child for the threat of compromised supply chains and open-source vulnerabilities. Log4j is a popular Java library used for logging in applications. Attackers discovered a remote code execution vulnerability, along with other vulnerabilities, in the library. These let them gain remote access to devices and applications in order to steal data or deploy ransomware.

The Summits

As a result, the National Security Council called a White House summit in January and a second in May. The initiative brought together more than 90 executives from 37 companies and government leaders in the Open Source Software Security Summit II on May 12. Participating companies included Atlassian, Cisco, Dell, Ericsson, GitHub, Google, IBM, Intel, Microsoft, SAP and others.

The purpose of the meeting, in brief, was threefold:

  • To reduce security vulnerabilities in open-source software
  • To boost the integration of security features in open-source software development tools
  • To speed up fixes

In more detail, their goals included comprehensive improvements to how open-source software is produced and secured, as well as specific fixes.

Google Cloud committed during the meeting to the establishment of an Open Source Maintenance Crew. This team of engineers will collaborate with open-source coders to boost security. They also rolled out a new software supply chain dataset available to open-source developers.

At the May gathering, the Linux Foundation and Open Source Security Foundation unveiled a $150 million 10-point plan to improve open-source and supply chain security over the next two years. Other companies unveiled their own initiatives as well.

A Long Way Yet to Go

This massive industry effort is making progress, but we still have a long way to go. Some critics complain of inadequate time, money and staff.

By its very nature, the remedy advanced in the Open Source Software Security Summit II is multifaceted, complex, long-term and involves a huge number of players. After all, changing how people build open-source software takes time. Different organizations have different timelines, most of which are works in progress.

SolarWinds itself is revamping all its processes around security and is actively working with its customers to help them improve security.

A recent global survey of 1,000 chief information officers found that 82% say their organizations are still vulnerable to supply chain cyberattacks. However, a solid majority is implementing more security controls, updating review processes and expanding their use of code signing. More than 90% of supply chain-facing software applications use open-source components today.

Ongoing Outcomes for an Open-Source World

In general, the U.S. government and businesses are making some progress. However, it’s too early for that progress to have made a serious dent in open-source and supply chain vulnerabilities. As the government and the industry evolve to improve open-source security, the bad actors also evolve in response.

There’s room for hope, however. The recent high-profile cyberattacks, two Biden Administration executive orders and two security summits are truly lighting a fire under organizations public and private.

What’s needed now is renewed resolve, more funding and possibly more regulatory or industry action to respond to future attacks. Organizations also need to recognize what problems can leave them vulnerable. Acting fast could prevent the next SolarWinds attack.
