Major cyberattacks since 2019 jolted the U.S. government and software industry into action. The succeeding years have seen executive orders, new funding, two summits and a newfound resolve. Because of those attacks, the federal government aims to fix the open-source software security threat altogether. But what has really come of these efforts in the last few years?
The wake-up call
President Joe Biden issued two executive orders last year on cybersecurity, one called Improving the Nation’s Cybersecurity and the other about supply chain security.
In the six months leading up to the executive order, the SolarWinds attack, a Microsoft Exchange Server attack and the Colonial Pipeline ransomware attack were all uncovered.
In December 2020, cybersecurity company FireEye (now Mandiant) revealed a massive and extremely sophisticated supply chain cyber attack launched by a nation-state via the SolarWinds Orion network management system (NMS). SolarWinds was the leading NMS in both business and government. FireEye’s disclosure was unique. They had not discovered the breach through detached research, but by being victimized by it. The subsequent list of victims was enormous.
Russian-government-backed APT 29 attackers (also known as Cozy Bear, UNC2452 and Nobelium) injected the SolarWinds’ software build environment with malware. This enabled attackers to gain access to the networks, systems and data of thousands of SolarWinds customers. Since then, it’s been described as the biggest attack in history. Tends of thousands of organizations use the software. To oversimplify how the attack worked, attackers breached SolarWinds’ networks in September of 2019. The next month, they injected malware called Sunburst into Orion, an IT performance monitoring system offered by SolarWinds. Then in March 2020, SolarWinds itself sent out Orion updates containing the malware.
Another attack, the Log4j vulnerability, also spurred action as a poster child for the threat of compromised supply chains and open-source vulnerabilities. Log4j is a popular Java library used for logging in applications. The attackers discovered a remote code execution vulnerability and other vulnerabilities. This lets them gain remote access to devices and applications for stealing data or deploying ransomware.
As a result, the National Security Council called a White House summit in January and a second in May. The initiative brought together more than 90 executives from 37 companies and government leaders in the Open Source Software Security Summit II on May 12. Participating companies included Atlassian, Cisco, Dell, Ericsson, GitHub, Google, IBM, Intel, Microsoft, SAP and others.
The purpose of the meeting, in brief, was threefold:
- To reduce security vulnerabilities in open-source software
- To boost the integration of security features in open-source software development tools
- To speed up fixes.
In more detail, their goals included a comprehensive improvement of open-source security production and specific fixes.
Google Cloud committed during the meeting to the establishment of an Open Source Maintenance Crew. This team of engineers will collaborate with open-source coders to boost security. They also rolled out a new software supply chain dataset available to open-source developers.
At the May gathering, the Linux Foundation and Open Source Security Foundation unveiled a $150 million 10-point plan to improve open-source and supply chain security over the next two years. Other companies unveiled their own initiatives as well.
A long way yet to go
This massive industry effort is making progress, but we still have a long way to go. Some critics complain of inadequate time, money and staff.
By its very nature, the remedy advanced in the Open Source Software Security Summit II is multifaceted, complex, long-term and involves a huge number of players. After all, changing how people build open-source software takes time. Different organizations have different timelines, most of which are works in progress.
SolarWinds itself is revamping all its processes around security and is actively working with its customers to help them improve security.
A recent global survey of 1,000 chief information officers found that 82% say their organizations are still vulnerable to supply chain cyberattacks. However, a solid majority is implementing more security controls, updating review processes and expanding their use of code signing. More than 90% of supply chain-facing software applications use open-source components today.
Ongoing outcomes for an open-source world
In general, the U.S. government and businesses are making some progress. However, it’s too early to make a serious dent in open-source and supply chain vulnerabilities. As the government and the industry evolve to improve open-source security, the bad actors also evolve in response.
There’s room for hope, however. The recent high-profile cyberattacks, two Biden Administration executive orders and two security summits are truly lighting a fire under organizations public and private.
What’s needed now is renewed resolve, more funding and possibly more regulatory or industry action to respond to future attacks. Organizations also need to recognize what problems can leave them vulnerable. Acting fast could prevent the next SolarWinds attack.