CYBERSECURITYUndetected and Dormant: Managing Australia’s Software Security Threat
At the same time as software has become integral to our prosperity and national security, attacks on software supply chains are on the rise. Software supply chain attacks are popular, can have a big impact and are used to great effect by a range of cyber adversaries.
Software has spread to almost every aspect of our lives—from our watches to our combat aircraft—and nearly every organization, from the Department of Defense to your local shopfront, relies on software to operate. It is no longer confined to laptops or computers. Software now controls the operations of power plants, medical devices, cars and much of our national security and defense platforms.
At the same time as software has become integral to our prosperity and national security, attacks on software supply chains are on the rise.
A software supply chain attack occurs when an attacker accesses and maliciously modifies legitimate software in its development cycle to compromise downstream users and customers. Software supply chain attacks take advantage of established channels of system verification to gain privileged access to systems and compromise networks. Traditional cybersecurity approaches, such as those deployed on the perimeter, have limited capability to detect these attacks since they often leverage legitimate certificates or credentials and so don’t raise any ‘red flags’.
Software supply chain attacks are popular, can have a big impactand are used to great effect by a range of cyber adversaries. Attackers can sit undetected on networks for months and deliver remote-code execution into target environments. Efforts to disrupt or exploit supply chains—including software supply chains—have become a ‘principal attack vector’ for adversarial nations seeking to take advantage of vulnerabilities for espionage, sabotage or other malicious activities.
The growing prevalence of sophisticated supply chain attacks, like SolarStorm and Not Petya, has seen governments around the world increasingly focused on identifying and mitigating risks to the software supply chain.
In the US, a recent executive order requires government agencies to purchase only software that meets secure development standards to protect government data. To support the order, in February the National Institute of Standards and Technology issued guidance that provides federal agencies with best practices for enhancing the security of the software supply chain. Two guidelines were released: the Secure software development framework and the companion Software supply chain security guidance.