May 12th 2021
It just may be that we’ll look back at this date as the start of something significant. It may just be the date when the world finally decided that cyber-attacks had crossed the line from being a nuisance to being a real threat to the modern world.
May 12 was when the US government finally acknowledged the situation and Joe Biden, the US president, signed an executive order entitled “Executive Order on Improving the Nation’s Cybersecurity”. To be clear, although this executive order is couched towards defending the interests of the USA, it’s going to impact everyone. Governments everywhere will follow suit and all of us in the software industry are going to feel the effects. It’s not going to affect your life today, but it might tomorrow. Over the next couple of years attitudes to software consumption, production and delivery are going to change radically. That’s going to change your life.
Before getting into the details of the executive order and its consequences I need to explain the reasons behind the need for the order.
The scale of cybercrime
The scale of cybercrime, the number of attacks, the sheer amount of money being made by the attackers often passes people by. I often compare cyber-crime to the illicit drug trade.
Way back in 2015 the estimates were that the numbers were similar: that the 450-odd billion dollars being made by drug cartels and all the people involved in the supply process was matched by about the same being made by the cyber-criminals. That should have been the first alarm bell. Unfortunately, we mostly ignored this warning. Maybe because of the virtual nature of cybercrime it’s not seen as being as ‘real’ as the obviously harmful consequences of illicit drugs. More concerning in 2015 were the predictions of what heights cybercrime would achieve. Then the guess for 2021 was something like 6 trillion dollars. That’s 13x growth.
However you cut that number it’s a huge impact on the global economy. Did our predictions come true?
Not quite. It turns out that 6 trillion dollars was spot on but only as the amount one type of cybercrime, the type of attack called ‘Ransomware’, brings in. For various reasons which will become evident later, our estimates were woefully low and our ability to estimate the actual scale is hampered. A number that sometimes comes up as ‘the true scale of cybercrime’ is 35 trillion dollars. If 6 trillion was hard to get your mind around then 35 trillion is truly mind blowing. If accurate that’s about 4400 dollars per person across the globe.
The new reality of the world economy
Although the financial impact of cybercrime is huge, it’s not the exclusive or even primary trigger behind this executive response. The main reason is what the success of cybercrime has shown us about the pervasiveness of software and the ultimately naive expectations of its creators. Software is everywhere and everything runs on software. I’m sure you’ve heard things like that. Other statements such as “we are all software companies now” demonstrate the modern reality. You name it, somewhere there is software involved in making it, growing it, delivering it, using it, recycling it.
There is software running in the tiny electronic microprocessors embedded in everyday items in your kitchen. Your TV is ‘smart’.
You have a phone, maybe a tablet, laptop or a desktop computer, a games console? A home assistant like Amazon’s Alexa? Do you have central heating? What’s controlling that?
Then we have the supply chain that got your latest purchase to your door or the store. That’s all driven by software. Got a car? That can have upwards of 200 microprocessors. What about the fuel pumps at the local fuel station: software there too. However you paid for the fuel, an enormous amount of software was used to allow you to make that transaction. How about the traffic lights you stopped at or the barrier that let you out of the office car park?
This is the modern world and it really does run on software
Everything we do is facilitated, organised, controlled, optimised, managed, secured by software. All aspects of daily life, our health systems, the military, food production, finance. You name it – it can’t happen without software. What is more, most if not all the software used is open source. As an example, Java applications usually rely on frameworks, tools and other dependencies that are all open-source. Often a Java application is 90% open source.
For many years open-source has driven innovation across the globe, based mostly on a common desire to create great software that can make the world a better place. Open-source communities have achieved amazing things and have fundamentally changed how the world of software operates. Unfortunately, some of the key strengths, those of trust and openness, are being used against it.
Proactive and sophisticated bad apples
We’ve lived with the issues of inadvertent vulnerabilities in the code we use for some time. Now, though, the bad guys have become impatient and are actively creating their own backdoors and other vulnerabilities. They do this by exploiting the inherent trust we have in open-source communities: the assumption that anyone who contributes is doing it for a good reason, and the assumption that any code downloaded will do what it claims and nothing else, certainly nothing bad.
That assumption is no longer true. Active, sophisticated and well-funded groups are targeting open-source projects and the people in the community, using social engineering techniques or simply exploiting the high levels of trust that are the default among many.
Thinking critically about open-source
No longer is it possible to rely on assuming the best about the software used. Choices made in selecting open-source components have to move beyond the simple functional to include how that software was created, what processes the projects use, and how contributions are reviewed. In general, an assessment of the quality and quality processes must be made as well as deciding if the functionality is valuable. Open source is the primary target because of the ease of attack and the all-pervasive nature of open-source in the working of the world.
This is the reason why we have the executive order. Not just to stave off unprecedented levels of theft and extortion but to make the world safer. The success of cybercrime has demonstrated to nation states and other political groups that our modern world runs on software which is uniquely vulnerable to attack and exploitation. Every ransomware attack demonstrates the ease with which some part of a supply chain can be compromised. Every exploited vulnerability, every successful insertion of malware, every compromised open-source project. All have shown, over and again, that the software and systems we use are readily vulnerable.
Imagine if, instead of a ransomware attack loudly announcing its success, it quietly installed some hidden remote control or monitoring software. Imagine the same happening across the supply chain we rely on. Getting into transport control systems, hospital appointment software. That little bit of software that controls the brakes in your car.
Now imagine if, instead of just stealing data from a database, the attack added new records, created new national identities, credit cards, driver licences. How about adding software that, when the time comes, subtly changes the data in your bank account or just deletes it.
The next war could start as a cyber war
The relative ease with which these scenarios and many more could come true is what is driving governments to act. Don’t think this is just about defence. The world military has woken up to the new reality and is trying to defend against and exploit the situation.
It’s all very scary. Not only from the consequences for the future but also because ‘fixing’ the problem is going to take a long time and have profound effects on everyone in the software industry.
Finally, the executive order
Let’s get to the gist. The executive order is about securing the process by which software is created and provided. It’s about creating secure software supply chains, demonstrating the use of correct processes, and providing an auditable evidence chain. Every piece of software used to create software is in scope. A term you’re going to hear a lot of from now on is “SBOM”: Software Bill of Materials.
The requirement is to create a digitally signed document that explains the software included in or used to create yours: every dependency and tool, all their dependencies, their tools, and so on. The operating environment, build process and the like will eventually be included too.
The little catch here is that providing an SBOM for your application as a stand-alone document is not sufficient. Every part of your SBOM that refers to a third-party element must also provide the SBOM reference for that element. That means it’s not good enough for you to comply. All your dependencies must too.
As if that wasn’t enough, the processes used to create software must be automatic (i.e. no human interaction) with built-in vulnerability checking and demonstrable strong controls over the use of all third-party software and services.
Having a certified chain of evidence that connects an application to the projects and specific releases that constitute its parts, dependencies and build history will make it significantly easier to find software at risk and to be more certain that the code running is the code intended to run. Taking the simple step of producing, including, and checking digital signatures is reasonably straightforward and has been available to us for some time.
Producing an SBOM is also straightforward. The executive order mandates the use of either CycloneDX or SPDX as an SBOM data format. Both have tool ecosystems that are growing, and both have Maven plugins.
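The two checks described above, the transitive SBOM reference for every third-party element and verifying that the code you hold is the code the evidence chain describes, can be automated once an SBOM exists. The script below is an added example, not code from the article or from the CycloneDX or SPDX projects. It reads a small CycloneDX 1.4-style JSON document constructed inline (the component names, purls, byte contents and the example.invalid URL are all made up for the example), compares each component's recorded SHA-256 hash against the artifact bytes you actually have, and flags any component that does not carry an external reference of type "bom" pointing at its own SBOM. It checks hashes, which is the integrity half of the chain; verifying the signature over the SBOM itself is a separate step with your signing tool of choice.

```python
"""Added example: defender-side checks over a CycloneDX-style JSON SBOM.
1. Integrity: recorded SHA-256 per component must match the artifact bytes held.
2. Transitivity: each component must reference its own SBOM (externalReferences
   entry of type "bom"), as the executive order's chain requirement demands.
The SBOM and artifact bytes are constructed for this example."""
import hashlib
import json

# Constructed artifact contents standing in for downloaded jars, keyed by purl.
ARTIFACTS = {
    "pkg:maven/org.example/lib-a@1.2.0": b"lib-a-1.2.0 bytes",
    "pkg:maven/org.example/lib-b@3.0.1": b"lib-b-3.0.1 bytes",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed CycloneDX document. lib-a carries a correct hash and a BOM link;
# lib-b's hash is deliberately wrong and it has no BOM reference.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "my-app", "version": "1.0.0"}},
    "components": [
        {
            "type": "library", "name": "lib-a", "version": "1.2.0",
            "purl": "pkg:maven/org.example/lib-a@1.2.0",
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(b"lib-a-1.2.0 bytes")}],
            "externalReferences": [
                {"type": "bom", "url": "https://example.invalid/lib-a-1.2.0.cdx.json"}
            ],
        },
        {
            "type": "library", "name": "lib-b", "version": "3.0.1",
            "purl": "pkg:maven/org.example/lib-b@3.0.1",
            "hashes": [{"alg": "SHA-256", "content": "00" * 32}],
            "externalReferences": [],
        },
    ],
})


def check_sbom(sbom_text: str, artifacts: dict) -> dict:
    """Return findings keyed by purl. An empty dict means every component's
    hash matched the bytes held and every component links to its own SBOM."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    findings = {}
    for comp in bom.get("components", []):
        purl = comp.get("purl") or f"{comp.get('name')}@{comp.get('version')}"
        problems = []
        # 1. Integrity: compare the recorded SHA-256 with the bytes we hold.
        recorded = {h["alg"]: h["content"].lower() for h in comp.get("hashes", [])}
        if "SHA-256" not in recorded:
            problems.append("no SHA-256 hash recorded")
        elif purl not in artifacts:
            problems.append("artifact not available to verify")
        elif recorded["SHA-256"] != sha256_hex(artifacts[purl]):
            problems.append("SHA-256 mismatch")
        # 2. Transitivity: the component must point at its own SBOM.
        refs = comp.get("externalReferences", [])
        if not any(r.get("type") == "bom" and r.get("url") for r in refs):
            problems.append("no external reference of type 'bom'")
        if problems:
            findings[purl] = problems
    return findings


if __name__ == "__main__":
    for purl, problems in check_sbom(SBOM_JSON, ARTIFACTS).items():
        print(purl, "->", "; ".join(problems))
```

Run as-is it reports lib-b twice: its hash does not match the bytes held and it has no "bom" reference, while lib-a passes both checks. In a real pipeline the artifact bytes would come from the build's dependency cache and the findings would fail the build rather than just print.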
Everything as code
The requirement to remove human interaction (aka manual steps) from the process is intended to stop the unseen injection of malware and the like. Automation here is not about having code flow seamlessly from repository to deployment. It’s about removing any part of your build or deployment process where code, binaries etc. could be out of sight. For instance, if a step is to copy, by hand, a binary from one server to another, then that step must be automated. A person can still initiate the process, but the actions must be scripted, controlled, visible and auditable.
Longer term effects
The longer-term consequences come from the requirement for every component to improve its process around safer software development.
Every component, every tool will eventually have to provide an SBOM, use an automatic supply chain process, provide evidence of software integrity, demonstrate regular audit processes, show evidence of an automatic vulnerability check process, have a vulnerability disclosure program, show evidence of the provenance of all software used and finally, demonstrate strong controls over the use of internal and third-party software and services.
This is a significant burden to any project and especially to smaller ones but every open-source project will feel the pressure to comply and those that don’t will get left behind. The world is moving from open-source at any cost to only using compliant code.
The extra effort required to provide compliant code may be too much for many of the smaller, one-person components. Maybe the industry will step in and help provide the tools and support so that open-source projects do not get overwhelmed. Maybe we will see companies provide the curation and validation of open-source projects and offer trusted versions. Maybe we’ll see the number of open-source projects getting created become less and maybe we’ll see open-source foundations provide an umbrella for those that need it.
Whatever happens, no one expects this to be easy or quick to implement, but there is little choice. The executive order is the starting gun for change. Over the next few years how we produce software is going to change dramatically. The expectation is that by 2024 all software used by the US government will have to provide the necessary evidence of compliance. Expect all other governments to follow suit.