August 29, 2022 By Mike Elgan 3 min read

Major cyberattacks since 2019 jolted the U.S. government and software industry into action. The succeeding years have seen executive orders, new funding, two summits and a newfound resolve. Because of those attacks, the federal government aims to fix the open-source software security threat altogether. But what has really come of these efforts in the last few years?

The wake-up call

President Joe Biden issued two executive orders last year on cybersecurity, one called Improving the Nation’s Cybersecurity and the other about supply chain security.

In the six months leading up to the executive order, the SolarWinds attack, a Microsoft Exchange Server attack and the Colonial Pipeline ransomware attack were all uncovered.

In December 2020, cybersecurity company FireEye (now Mandiant) revealed a massive and extremely sophisticated supply chain cyberattack launched by a nation-state via the SolarWinds Orion network management system (NMS). SolarWinds was the leading NMS in both business and government. FireEye’s disclosure was unusual: the company had not discovered the breach through detached research, but by being victimized by it. The subsequent list of victims was enormous.

Russian-government-backed APT29 attackers (also known as Cozy Bear, UNC2452 and Nobelium) injected malware into SolarWinds’ software build environment. This gave the attackers access to the networks, systems and data of thousands of SolarWinds customers. Since then, it’s been described as the biggest attack in history. Tens of thousands of organizations use the software. To oversimplify how the attack worked, attackers breached SolarWinds’ networks in September 2019. The next month, they injected malware called Sunburst into Orion, an IT performance monitoring system offered by SolarWinds. Then in March 2020, SolarWinds itself sent out Orion updates containing the malware.

The Log4j vulnerability also spurred action, as a poster child for the threat of compromised supply chains and open-source vulnerabilities. Log4j is a popular Java library used for logging in applications. The attackers discovered a remote code execution vulnerability and other vulnerabilities in it. These let them gain remote access to devices and applications to steal data or deploy ransomware.

The summits

As a result, the National Security Council called a White House summit in January and a second in May. The initiative brought together more than 90 executives from 37 companies and government leaders in the Open Source Software Security Summit II on May 12. Participating companies included Atlassian, Cisco, Dell, Ericsson, GitHub, Google, IBM, Intel, Microsoft, SAP and others.

The purpose of the meeting, in brief, was threefold:

  • To reduce security vulnerabilities in open-source software
  • To boost the integration of security features in open-source software development tools
  • To speed up fixes

In more detail, their goals included comprehensive improvements to how open-source software is produced securely, along with specific fixes.

Google Cloud committed during the meeting to the establishment of an Open Source Maintenance Crew. This team of engineers will collaborate with open-source coders to boost security. They also rolled out a new software supply chain dataset available to open-source developers.

At the May gathering, the Linux Foundation and Open Source Security Foundation unveiled a $150 million 10-point plan to improve open-source and supply chain security over the next two years. Other companies unveiled their own initiatives as well.

A long way yet to go

This massive industry effort is making progress, but we still have a long way to go. Some critics complain of inadequate time, money and staff.

By its very nature, the remedy advanced in the Open Source Software Security Summit II is multifaceted, complex, long-term and involves a huge number of players. After all, changing how people build open-source software takes time. Different organizations have different timelines, most of which are works in progress.

SolarWinds itself is revamping all its processes around security and is actively working with its customers to help them improve security.

A recent global survey of 1,000 chief information officers found that 82% say their organizations are still vulnerable to supply chain cyberattacks. However, a solid majority is implementing more security controls, updating review processes and expanding their use of code signing. More than 90% of supply chain-facing software applications use open-source components today.

Ongoing outcomes for an open-source world

In general, the U.S. government and businesses are making some progress. However, it’s too early for that progress to have made a serious dent in open-source and supply chain vulnerabilities. As the government and the industry evolve to improve open-source security, the bad actors also evolve in response.

There’s room for hope, however. The recent high-profile cyberattacks, two Biden Administration executive orders and two security summits are truly lighting a fire under organizations public and private.

What’s needed now is renewed resolve, more funding and possibly more regulatory or industry action to respond to future attacks. Organizations also need to recognize what problems can leave them vulnerable. Acting fast could prevent the next SolarWinds attack.
