In your pocket, you have hundreds of pieces of open-source software created by people all around the globe. Don’t believe us? Take your iPhone out of your pocket or borrow a friend’s. Go to Settings → General → Legal & Regulatory → Legal Notices. Scrolling through this 8451-line document, a long list of the licenses associated with each component, will take you minutes. By our count, there are 527 open-source components in the iPhone, made by universities, companies and individuals across the world, some known only by aliases. Our analysis found that 92 countries are associated with the 5590 open-source software developers we counted in this supply chain.
This modern marvel is also, unfortunately, a weakness. These components are potential openings for vulnerable or malicious code to slip into the software supply chain that the US government and critical infrastructure depend upon. This is why the recently introduced Critical Technology Security Centers Act is a welcome initiative.
It’s a bill that will create specialized centers to find and eliminate vulnerabilities in open-source software used by the government and provide grant funding to those seeking to secure the open-source software ecosystem.
How Open-Source Software Got in Your Pocket
Open-source software is publicly available for anybody to modify and share. It allows software developers to skip the time-consuming step of writing out the code for every single facet of their project and instead focus their time and energy on the problem they’re trying to solve.
It is an open secret that nearly all modern software and electronics are built on top of open-source software; industry research estimates that 70-90% of the code in modern software is open-source. In our digital world, this even includes the code on which the US military depends, as well as modern cars and Internet of Things home devices. In practice, a piece of software can contain thousands of open-source ‘dependencies,’ outside components that it depends on to function. Each dependency often has its own set of dependencies. And as a program’s scale grows, tracking every component becomes harder and harder.
Weak Links in the Supply Chain
Because of this growing complexity, the risks presented by the prevalence of open-source software are growing. Gone are the days when attackers needed you to visit a sketchy website to deliver a malicious payload; now, they need only place it in the software that one of your apps depends on. According to an Atlantic Council report, documented attacks on open-source software increase yearly.
There is also a large attack surface of unintentional vulnerabilities for attackers to exploit. The 2017 Equifax hack, in which attackers believed to be affiliated with the Chinese military stole hundreds of thousands of US citizens’ personal data, was one such attack that took advantage of a security hole left unpatched by negligent code maintainers. Many fear that the 2021 Log4Shell vulnerability, which arguably prompted the introduction of bills such as the Critical Technology Security Centers Act, will lead to the next Equifax-scale hack.
The software supply chain’s reliance on other people’s code also means that a small oversight by one person can affect millions of people. For example, a popular software package called event-stream was modified by attackers to steal Bitcoin in 2018. Though it averaged 2 million downloads a week, only one person maintained it. Thankfully, in this case, somebody spotted an abnormality and raised the alarm. Given the size and scale of the supply chain and hackers’ sophistication, should we assume that society’s good luck streak will continue?
Hardening the Chain
Since it’s now clear that software security is national security, policymakers are taking note. Recent developments in the US government are encouraging: the National Institute of Standards and Technology (NIST) has developed a set of recommendations to make software development more secure, and the 2021 Executive Order on Improving the Nation’s Cybersecurity mobilized efforts across the government and industry.
Additionally, the US government has been helping promote software bills of materials (SBOMs) to map out the components in a given piece of software, including all dependencies and those dependencies’ dependencies. The Department of Homeland Security is already helping push SBOM use into the mainstream by providing monetary support to improve SBOM tooling and create a set of accessible resources on SBOM creation for developers. On the legal side, shifting the onus of responsibility for breaches from open-source creators to software vendors that do not contribute to the code’s creation or maintenance can help align incentives between creators and non-contributing users.
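To make concrete what "dependencies and those dependencies' dependencies" means for an SBOM, here is an added example that is not from the original article or from any project it mentions. It walks a constructed dependency manifest (the package names are invented placeholders) from a root application, records the depth at which each component is pulled in, and answers the reverse question an SBOM is meant to answer when a vulnerability lands in one component: which packages bring it in? A visited set guards against cycles, which real dependency graphs can contain.

```python
"""Flatten a dependency manifest into an SBOM-style component inventory.

Added example. The manifest below is constructed for illustration; the
package names are invented and do not refer to real packages.
"""
from collections import deque

# Constructed manifest: package -> list of its direct dependencies.
MANIFEST = {
    "my-app": ["web-framework", "logging-lib"],
    "web-framework": ["http-parser", "template-engine"],
    "logging-lib": ["string-utils"],
    "http-parser": ["string-utils"],
    "template-engine": ["string-utils", "html-escape"],
    "string-utils": [],
    "html-escape": ["string-utils"],
}


def resolve_components(root, manifest):
    """Breadth-first walk from `root`; returns {component: shortest depth}.

    Depth 0 is the root, 1 its direct dependencies, 2 and above are
    transitive ones. The `depth` dict doubles as the visited set, so a
    cycle (a depends on b depends on a) terminates instead of looping.
    Packages missing from the manifest are treated as leaves.
    """
    depth = {root: 0}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in manifest.get(pkg, []):
            if dep not in depth:
                depth[dep] = depth[pkg] + 1
                queue.append(dep)
    return depth


def dependents_of(component, manifest):
    """Reverse lookup: which packages list `component` as a direct dependency?

    This is the lookup a defender runs when an advisory names one component
    and the question is which parts of the product actually pull it in.
    """
    return sorted(pkg for pkg, deps in manifest.items() if component in deps)


def inventory(root, manifest):
    """All components reachable from `root` (root excluded), as
    (name, depth, direct_dependents) tuples sorted by depth then name."""
    depths = resolve_components(root, manifest)
    rows = [
        (name, d, dependents_of(name, manifest))
        for name, d in depths.items()
        if name != root
    ]
    return sorted(rows, key=lambda r: (r[1], r[0]))


if __name__ == "__main__":
    # Two direct dependencies fan out to six components in total; one of
    # them (string-utils) is pulled in by four different packages.
    for name, d, users in inventory("my-app", MANIFEST):
        print(f"{name:16} depth={d} pulled in by {', '.join(users)}")
```

Running the script shows the fan-out the article describes: a root with two direct dependencies ends up shipping six components, and the single most shared one is three steps removed from anything the application's own developers wrote. A real SBOM adds versions, license and supplier fields per component, but the transitive walk is the same.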
The Critical Technology Security Centers Act is the logical next step for the US government. This act sensibly sets up research centers funded by the Department of Homeland Security for specialists to vet the open-source software (in addition to other mission-critical software and hardware) that the government and critical infrastructure increasingly rely on. Such activities can reduce the frequency and severity of compromises associated with vulnerabilities in critical open-source software.
Software underpins many of the comforts and innovations of modern life, but its reliance on inconsistently vetted outside components poses a risk that is amplified by software’s ubiquity. This is a ticking logic bomb. Moving slowly on this growing threat invites extreme consequences for all of society. It’s time for the US government to comprehensively address the security weaknesses in the software supply chain while it still can.