Hack Spurs Call for Greater—but Measured—Supply Chain Scrutiny 

Hackers’ resounding success penetrating a third party to access targeted government and private-sector organizations by using malware that had never been seen before should prompt a comprehensive examination of supply chain security, according to the chief technology officer of a major cybersecurity contractor.      

McAfee CTO Steve Grobman told Nextgov the government should look to find “where we can significantly raise the bar, but also do things that are practical to execute without putting all of the key technology companies out of business because the regulations become so extreme that it's impossible to practically become compliant.”

That would be among “some of the balancing acts that we need to circumnavigate as we start looking at the aftermath [of the hacking campaign and] what do we do next,” Grobman said, emphasizing a need to “take a step back and really map the full lifecycle.” 

The novel supply chain maneuver that compromised IT management company SolarWinds—widely used across the federal government—comes as the Federal Acquisitions Security Council starts establishing criteria to inform exclusion and removal orders and the 2021 National Defense Authorization Act would require the Defense Department develop a process for code security reviews.

Hackers were able to broadly distribute their malware via a security update that acted as a Trojan horse. They demonstrated an astonishing degree of sophistication, researchers agree, but may also have been able to exploit some low hanging fruit. The password for the update server was reportedly "solarwinds123," for example, highlighting operational cybersecurity hygiene as an important supply chain security factor to consider.   

“We need to have a more holistic discussion on what are ways that we can have greater confidence that the cyber hygiene of the complete supply chain is operating at higher levels of integrity,” Grobman said. “It's not just about the code and what builds the code and the product, but the operational hygiene of running these organizations and businesses.”

But it is definitely also about the code. Grobman noted the risks presented by the government’s use of open-source code and said it’s important to ask how to better inspect open-source software. 

“So much of the technology that commercial software is based on is open source and can have contributions from all sorts of different parties, from all over the world,” he said. “If you're an adversarial nation … if you can craft a vulnerability such that it looks like an accidental mistake, and then get it into technology that will flow into many different products, that's the holy grail of a supply chain attack.” 

But Grobman cautions regulators to think realistically about how they might apply more scrutiny to the supply chain, raising that ever-present bane of cybersecurity policy: the workforce shortage. 

“Part of my worry is, we'll have legislators that will come up with a solution that is not practical, you know, they'll say something like, we need a third-party independent code audit of all software used by the federal government,” he said. “Well, the problem is there's billions of lines of code and not that many auditors, so, you know, you might have a desire that is completely nonexecutable.”

The Defense Department’s solution for such a dilemma is the Cybersecurity Maturity Model Certification program.  

The CMMC program is a wide-reaching initiative that would eventually require every company that does business with the Defense Department to get certified that they meet certain cybersecurity standards. To certify the vast number of companies within the defense industrial base, the department opted for third-party auditors but some companies have questioned how much it will cost them and whether these auditors could have conflicts of interest.

The program is headed up by Katie Arrington, the chief information security officer for the DOD’s office of acquisition and sustainment, who often notes it’s only a matter of time before CMMC is adopted by other federal agencies. 

Asked during a recent webinar whether there were plans to expand CMMC to focus more on supply chain security elements that include hardware and software, she said: “Absolutely.” 

“CMMC was the start,” she said. “We have many ongoing efforts in securing the supply chain. The CMMC is giving primes cement to stand on when they’re talking to their suppliers, their subs about their maturity and what they’re thinking about. Getting a software [bill of materials] is something that is right on the cusp.”

If the Senate overrides a presidential veto of the NDAA—the chamber has until noon on January 3rd—the defense bill would task the undersecretary of Defense for acquisition and sustainment, in coordination with DOD’s chief information officer, with developing software security criteria.

That should include “delineation of what processes were or will be used for a secure software development lifecycle, including management of supply chain and third-party software sources and component risks; and an associated vulnerability management plan or tools,” according to the legislation.