Agencies underscore software vulnerabilities in supply chain assessments
Several Cabinet agencies published reports Thursday citing the current software ecosystem as a key weakness across supply chains crucial to U.S. economic prosperity and national security.
The departments of Commerce and Homeland Security found open-source software and firmware within the information and communications technology (ICT) industry vulnerable to exploitation by foreign adversaries and crime groups in their joint report, while the Department of Energy‘s report deemed untrusted software developers a key vulnerability within the clean energy supply chain.
President Biden’s executive order on America’s Supply Chains issued in February 2021 gave seven Cabinet agencies a year to assess six critical industries for supply chain vulnerabilities, software being a big one.
“The ubiquitous use of open-source software can threaten the security of the software supply chain given its vulnerability to exploitation,” reads Commerce and DHS’s report. “Furthermore, the complexity of the ICT supply chain has led many original equipment manufacturers (OEMs) to outsource firmware development to third-party suppliers, which introduces risks related to the lack of transparency into suppliers’ programming and cybersecurity standards.”
The pandemic revealed an overreliance on software developers with opaque supply chains and a high risk of “cascading effects” should their products be compromised, according to DOE’s report.
For that reason Commerce and DHS recommended increasing investment in domestic software development, which already accounts for 40% of the U.S. workforce but is still seeing a talent shortage.
DOE recommended developing new supply chains for emerging technologies like machine learning and artificial intelligence with cybersecurity in mind, given the fact that energy sector systems are increasingly interconnected and automated.
“With the increasing application of AI/ML capabilities to the operation and defense of U.S. energy sector systems, and the centrality of DOE AI/ML research and development efforts (at DOE National Laboratories) to national and economic security, a proactive approach to ensuring cybersecurity and integrity of the global supply chain for data is critical,” reads the report.
The report further advised DOE partner with other agencies to create an Energy Sector Industrial Base Database and analytical and decision-modeling capabilities while increasing oversight.
Commerce and DHS suggested promoting cybersecurity-supply chain risk management (C-SCRM) practices through procurement and monitoring efforts, including the establishment of a Critical Supply Chain Resilience Program at the former.
Similarly the Department of Defense called cyber posture “essential” to mission success in its report and stressed a focus on C-SCRM to counter threats presented by suppliers, their products and subcomponents, and the supply chain itself. That’s especially true for high-priority suppliers and integrators of missile systems and munitions, according to the assessment.
More than 220,000 companies make up the defense industrial base.
“The size and complexity of defense procurement activities offer numerous pathways for adversaries to access sensitive systems and information,” reads DOD’s report. “New entry points for U.S. adversaries are created daily as companies use technologies in new and innovative ways across supply chains.”
To that end DOD recommended improving cyberthreat intelligence with more detailed Validated Online Lifecycle Threat (VOLT) reports and quarterly cyberthreat intelligence briefings of program offices and key acquisition officials. The department further advised increasing sharing of unclassified and classified cyber intelligence by growing its Cyber Crime Center (D3C) Defense Collaborative Information Sharing Environment (DCISE) and the National Security Agency’s Cybersecurity Collaboration Center.
DOD also plans to increase interagency partnerships, develop international cyber approaches, and require timely and complete incident reporting from its contractors — while making cyber expectations clearer for them during the procurement process.
“To leverage commercial sector innovations, and to embed modernizing technologies in weapon systems, the DOD will work, where possible, to limit its use of military-unique requirements when developing performance requirements,” reads its report.
