In its final days, the Biden administration issued an important executive order (EO) aimed at strengthening key areas of the federal government’s approach to cybersecurity, including the risks that come with software acquisition and software supply chains and the need for better detection and response tooling.
The need for secure supply chains has long been recognized, but it was perhaps most starkly illustrated last year when Hezbollah’s supply chain was infiltrated, resulting in pagers and handheld radios that had been rigged to explode. Other incidents show how much damage a single compromised vendor, device or credential can do: the well-known SolarWinds compromise, in which attackers inserted a backdoor into a signed software update; the Mirai botnet, which took over poorly secured internet-connected devices and used them for major distributed denial-of-service attacks; and the 2021 Colonial Pipeline ransomware attack, which shut down a major U.S. fuel pipeline. And in November 2023, attackers gained “partial control” of a water-pressure regulating station at the Municipal Water Authority of Aliquippa, Pennsylvania, by compromising an internet-exposed, Israeli-made Unitronics controller that served as the interface to that equipment.
This is where supply chain risk management and cyber risk meet. Some of these may seem like extreme examples, but it is easy to see how an infiltration of a government software supply chain, such as the injection of malicious code into a trusted update, could have devastating consequences. It has never been clearer that cyber risk can have physical impact, because software, government systems and critical infrastructure are so tightly interdependent.
The U.S. government supply chain is a complex and expansive network of vendors, suppliers and service providers that play a critical role in supporting the strategic objectives of the country, including protection of the nation’s critical infrastructure such as water and wastewater management, energy production and manufacturing. This intricate web of interconnected entities also presents a huge attack surface with numerous entry points for potential cyber threats. The proliferation of internet-exposed systems and devices within this supply chain compounds the risk, because each connected asset can serve as a gateway for an adversary to reach the broader network. Historically, the specialized skills needed to manage and operate critical infrastructure technology have limited the number of attacks against it, but that protection is eroding: the Aliquippa incident required no operational expertise at all, only an internet-exposed device with weak access controls.
Given the extent and criticality of the software used by the U.S. government, the cybersecurity challenge is immense. Nation-state adversaries employ sophisticated tactics, techniques and procedures, such as planting backdoors in mission-critical government systems, and they often target the smaller suppliers within the supply chain, exploiting weaker security controls to gain a foothold from which they can introduce malicious code into products that larger organizations trust.
The EO puts in place important procedures to help ensure the security of software used within government agencies. It calls on software providers to submit machine-readable attestations about their software development practices, along with a list of their federal civilian executive branch (FCEB) agency software customers, to the Cybersecurity and Infrastructure Security Agency (CISA). Within 30 days of the publication of this requirement, the Department of Homeland Security is to develop a program to verify and validate all attestation forms.
The order also requires agencies to inventory all of their information systems in a centralized registry maintained by CISA, the Department of Defense or a “national manager,” as appropriate. Those parties will share their inventories with one another to identify gaps or overlaps in oversight coverage.
These key requirements will give the government a strong tool to help ensure the integrity of the software used by FCEB agencies, as well as a helpful inventory of where that software is deployed and an understanding of the full extent of this attack surface. This is essential for effectively mitigating supply chain risks and ensuring the success of government missions.
This EO is a positive step and a recognition that software supply chain security requires a multifaceted strategy: robust vendor risk assessments, continuous monitoring and the adoption of mature security frameworks. Thorough vendor risk assessment means comprehensive security audits of every vendor and supplier in the supply chain to evaluate their cybersecurity practices, adherence to industry standards and overall risk posture. In that regard, the attestation and centralized registry requirements reduce both the likelihood that an adversary can slip a vulnerability into government software and, because agencies will know where that software is deployed, the time it takes to find and remediate one that does get through.
To bolster the effectiveness of these new requirements, agencies should continue to adopt existing cybersecurity models such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 and the government’s Zero Trust framework. Applied to the supply chain, a Zero Trust architecture operates on the principle that no entity, whether internal or external, is trusted by default: every user, device and software component must be authenticated and authorized for each access. By implementing Zero Trust principles, agencies can significantly reduce the risk of unauthorized access and of lateral movement from a compromised supplier component into the rest of their environment.
Censys is uniquely positioned to help our government clients meet these cybersecurity challenges with powerful tools for internet-wide scanning, asset discovery and vulnerability management that reveal the internet exposure making up their unique attack surface. By providing a real-time, comprehensive view of an organization’s entire digital infrastructure, Censys lets them visualize their cyber terrain in a way that highlights risks, prioritizes response actions and enables proactive defense planning.
We at Censys applaud the steps the new EO puts in place to address the growing risks to the government’s software supply chain and the vulnerabilities that flow from it. We look forward to working with our federal government clients to address these issues successfully.