Normal service? Digital technology continues to disrupt the world’s supply chains

“Companies and governments around the world are waking up to the fact that the software they use to run their enterprise operations represents significant risk.”

In the best of times, the global supply chain has contributed to growth in the volume of freight moving around the world. Source - Federal Highway Administration, Public Domain

Back in 2022, President Biden’s Executive Order 14028, “Improving the Nation’s Cybersecurity,” made headlines alongside the White House memorandum requiring agencies to improve the security and integrity of the software supply chain.

Some months on, how has this new guidance impacted the state of cybersecurity and the supply chain in 2023?

There are signs that organizations have received some help in becoming far more resilient to attacks arising from the supply chain.

Reviewing developments impacting upon supply chain security for Digital Journal is Jon Geater, Chief Product and Technology Officer at RKVST.

Controlling risk

According to Geater, a renewed focus is required for compliance risk management. He notes: “Software vendors can no longer hide their shortcomings, and software users can no longer hide from their responsibilities if they choose to deploy something inappropriate. Although there’s still a way to go, we are definitely now on a road on which the digital supply chain is recognized as being as critical as the physical one: suppliers must supply quality, and consumers must take control of their own risk.”

Software supply chain threats

“Companies and governments around the world are waking up to the fact that the software they use to run their enterprise operations, and power the hardware and software solutions that they use and deliver to customers, represents significant risk”, observes Geater.

Drawing on examples, Geater says: “The Log4j threat and Kaseya and SolarWinds supply chain attacks have made that very clear, and Gartner expects 45% of organizations worldwide to have experienced attacks on their software supply chains by 2025. In a move to address the growing software supply chain threat, expect organizations across the private and public sectors in 2023 to create and demand from their suppliers software bills of materials; start to share and process those SBOMs in an automated, scalable fashion; and go beyond point-in-time software ingredient lists to understand the provenance of the software they use and supply so that they can more accurately assess and address their risk and start implementing supply chain integrity, transparency and trust across all aspects of their offerings and operations.”

Automation

Looking deeper at company developments, Geater finds: “Businesses in 2023 will gain a greater appreciation for what’s possible when they implement integrity, transparency and trust in a standard, automated way to decrease their software supply chain risk. And they will take that understanding and experience to begin exploring how they can then apply this same model to the physical world in areas such as nuclear waste tracking.”

Supply chain attacks

In terms of cybersecurity, there are some continuing vulnerabilities. According to Geater: “It’s not all about ‘supply chain attacks.’ Actually, most of the problems come from mistakes or oversights originating in the supply chain which then open the target to traditional cyberattacks. It’s a subtle difference, but an important one. I believe that the bulk of discoveries arising from improvements in supply chain visibility next year will highlight that most threats arise from mistake, not malice.”

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
