By Andreas Kuehn, and Alexandra Paulus
For software development platform provider CircleCI, this year began with a scramble to respond to a software supply chain compromise. CircleCI’s tens of thousands of customers use the continuous integration and delivery (CI/CD) platform for automating the building, testing, and deployment of software. A malicious actor had gained remote access to an employee’s laptop and was consequently able to access customer data, including private keys used for software signing and credentials stored in the platform.
Among CircleCI’s several affected customers was Datadog, a company that provides software for monitoring cloud infrastructure. As a result of the attack on CircleCI, Datadog had to notify its customers that its systems had been rendered partially vulnerable. This case illustrates the potential impact of software supply chain compromises: One incident can have ramifications further down the supply chain, impacting not only the customers of the originally targeted software-developing entity but also their customers’ customers (and so forth). This is a lesson that the international cybersecurity policy community had learned the hard way in previous years, for instance, following the discovery and subsequent exploitation of a vulnerability in the widely used open-source software library Log4j. This component is part of a wide range of software supply chains, so malicious actors were able to exploit the same vulnerability for cryptomining, botnet building, and ransomware purposes, affecting organizations and individuals worldwide.
Governments and industry have become increasingly aware of the security risk that software supply chains can cause if not managed properly. One of the five pillars of the 2023 U.S. National Cybersecurity Strategy, for example, is to “shape market forces to drive security and resilience.” Among other things, the recently released strategy mentions implementation of labeling schemes for Internet of Things devices and a shift in liability for insecure software products that would put responsibility on companies. These are key components in strengthening supply chain security. However, the strategy does not specify how to put these objectives into practice. The strategy’s principles are consistent with the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA’s) recent calls for private companies to step up measures to prevent software supply chain compromises. The core of CISA’s argument holds that technology providers must build products that are “secure by default” and “secure by design.” CISA also announced that it is building a new supply chain cyber risk management office, highlighting its focus on the issue.
These are worthwhile efforts. But there is nonetheless much wider room for government action and specific measures that can and must be leveraged to strengthen software supply chain security. As security flaws keep software and entire supply chains vulnerable, it is time now for policymakers to set regulatory lanes for developers to build safe and secure technology. They must create incentives for the private sector to prioritize software supply chain security, deter insecure practices and negligent behavior, and help coordinate among industry, government, and civil society stakeholders according to their respective roles. The new U.S. National Cybersecurity Strategy details important strides in this direction. Concrete government actions and policy interventions should start with those areas that are most critical to the secure, safe, and smooth function of key digital infrastructure that is of benefit to modern society. With this in mind, we make recommendations for where policymakers should start and how to prioritize supply chain security measures.