The US must adopt Software Bill of Materials to thwart cyberattacks
On Feb. 17, a remarkable White House press briefing addressed possible executive action in the wake of the SolarWinds hack, the most systematic hack of the U.S. government in history. Anne Neuberger, deputy national security advisor for cybersecurity and emerging technology, described it as “more than a single incident of espionage” with the potential to lead to crippling, destructive cyberattacks by Russia.
SolarWinds is the latest victim of a series of hacks against software supply chains. These attacks are possible because software has become so complex that software vendors have lost track of all the code that goes into them. To address this, the U.S. government and software industry must immediately adopt the emerging Software Bill of Materials (SBOM) standard, which they have been working on together since 2019. The United States must be an early adopter to push the global ecosystem forward.
Computers keep getting faster, and software keeps getting more complex. The software on your computer is built from around 500 million lines of code. In 2015, Wired Magazine reported that all of Google’s online services were built from around 2 billion lines of code.
To cope with this complexity, today writing code is more like building with LEGOs. Coders write modules to perform certain tasks and either share them freely online or sell them to other programmers. Each of these modules is like a LEGO brick that is used to build something bigger. More and more bricks are added, and eventually you end up with software like Microsoft Windows or online services like Facebook.
Over time, we’ve completely forgotten about bricks lost inside a complex design, and we lose track of where they came from.
A glaring example of this is Chinese software company Huawei. Researchers discovered 79 different versions of the exact same encryption module in one of Huawei’s products, with many of the older versions vulnerable to the notorious HeartBleed hack from 2014. While Huawei disputes the impact of these results, it is clear that we have a problem as an industry.
SolarWinds is just the latest example where hackers, most likely the Russians, penetrated SolarWinds’ software build systems and snuck extra bricks into the design. These modules were designed to phone home to Moscow and await further instructions.
The U.S. government has been working on the SBOM standard jointly with industry to keep track of all these bricks. A Software Bill of Materials gives you an inventory of every module used in a complex piece of software, and you can use it to identify if any of those bricks are vulnerable to known hacks or come from sketchy sources. For the first time we can start to measure the cyber risk hidden within billions of lines of code.
With the SBOM standards slated to be finalized later this year, the U.S. government must work with software vendors to implement these improved security standards for the software products and services they deliver. Every piece of software sold to the U.S. government must come with a manifest of its bricks. Software with bad bricks should be rejected.
When a new hack is uncovered, cyber defenders can use these software manifests to identify precisely which systems in the U.S. government are vulnerable. Those responsible for cyber accreditation can use this information to measure and manage cyber risk.
But the ramifications of adopting these standards go far beyond protecting the U.S. government. Corporations can use the information to better manage risks from their suppliers. Cyber insurance underwriters can use the information to better assess premiums. Inventors can better track intellectual property through the software supply chain. We can start a chain reaction that gets bad code out of the software that fuels our global economy.
Software vulnerabilities have been with us for more than three decades, since the Morris Worm crippled internet servers in 1988. We cannot tolerate it any longer. The course of action in the Software Bill of Materials standard, taken during a bona fide national cyber emergency, could finally get us one step closer to the security our critical systems desperately require.
Dr. Charles Clancy is Senior Vice President and Chief Futurist at MITRE where he leads MITRE Labs. He is a former cybersecurity professor at Virginia Tech and research scientist at the National Security Agency.
Rick Ledgett is the former Deputy Director of the National Security Agency. He currently serves as a Senior Visiting Fellow at MITRE.
Gloss