{"id":72506,"date":"2022-05-11T06:00:07","date_gmt":"2022-05-10T20:00:07","guid":{"rendered":"https:\/\/www.aspistrategist.ru\/?p=72506"},"modified":"2022-05-10T17:49:30","modified_gmt":"2022-05-10T07:49:30","slug":"undetected-and-dormant-managing-australias-software-security-threat","status":"publish","type":"post","link":"https:\/\/www.aspistrategist.ru\/undetected-and-dormant-managing-australias-software-security-threat\/","title":{"rendered":"Undetected and dormant: managing Australia\u2019s software security threat"},"content":{"rendered":"

Software has spread to almost every aspect of our lives\u2014from our watches to our combat aircraft\u2014and nearly every organisation, from the Department of Defence to your local shopfront, relies on software to operate. It is no longer confined to laptops or computers. Software now controls the operations of power plants, medical devices, cars and much of our national security and defence platforms.<\/p>\n

At the same time as software has become integral to our prosperity and national security, attacks on software supply chains are on the rise.<\/p>\n

A software supply chain attack occurs when an attacker gains access to legitimate software at some point in its development or distribution cycle and maliciously modifies it in order to compromise the downstream users and customers who install it. Because the tampered product then travels through the same trusted channels as a genuine release (the vendor\u2019s signed updates, its support credentials and its established connections into customer networks), it inherits the privileged access those channels were granted. Traditional cybersecurity approaches, such as those deployed on the perimeter, have limited capability to detect these attacks: the malicious code is signed with legitimate certificates or delivered with legitimate credentials, so it doesn\u2019t raise any \u2018red flags\u2019.<\/p>\n
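As an added illustration of the point above (example code written for this page, not code from the article or from any vendor): a release trojaned inside the vendor\u2019s build pipeline carries a perfectly valid vendor signature, so a signature check alone accepts it; the consumer only catches the tampering by comparing the artifact\u2019s digest against a value it obtained independently, here by rebuilding the reviewed source itself. Everything in the block is a constructed stand-in: the HMAC key stands in for a code-signing certificate, the build step is a deterministic transform so it can be reproduced, and the source and implant strings are placeholders rather than code from any real product.<\/p>\n

```python
# Added illustration (not from the article): a build-time supply chain compromise
# passes a code-signature check, and only an independent digest check catches it.
#
# Assumptions, all constructed for this example: the vendor's code-signing
# certificate is stood in for by an HMAC key; the 'build' is a deterministic
# transform of the source text so the consumer can reproduce it; the source and
# implant strings are placeholders, not real code from any product.
import hashlib
import hmac

CLEAN_SOURCE = b'def update_inventory(): sync(inventory_service)'   # constructed
IMPLANT = b'; send_credentials_to(operator_controlled_host)'       # constructed
VENDOR_SIGNING_KEY = b'vendor-code-signing-key-stand-in'           # constructed


def build(source: bytes) -> bytes:
    # Reproducible build: identical source always yields an identical artifact.
    return b'ARTIFACT-v1:' + source


def sign(artifact: bytes, key: bytes) -> str:
    # The vendor's release pipeline signs whatever the build step produced.
    return hmac.new(key, artifact, hashlib.sha256).hexdigest()


def verify_signature(artifact: bytes, signature: str, key: bytes) -> bool:
    # What a perimeter or endpoint control usually checks: is the vendor signature valid?
    return hmac.compare_digest(sign(artifact, key), signature)


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def vendor_release(source: bytes, compromised: bool):
    # Simulates the vendor's build server. When compromised, the attacker appends
    # the implant after code review but before the pipeline signs the output,
    # so the trojaned artifact carries a valid vendor signature.
    source_at_build_time = source + IMPLANT if compromised else source
    artifact = build(source_at_build_time)
    return artifact, sign(artifact, VENDOR_SIGNING_KEY)


def consumer_check(artifact: bytes, signature: str, expected_digest: str) -> dict:
    # Downstream acceptance with two independent controls:
    #   1. signature validity, which only proves the vendor's key was used;
    #   2. the artifact digest against a value obtained out of band, for example
    #      by rebuilding the reviewed source revision (reproducible build) or
    #      from a build-provenance attestation that records the expected digest.
    sig_ok = verify_signature(artifact, signature, VENDOR_SIGNING_KEY)
    digest_ok = hmac.compare_digest(digest(artifact), expected_digest)
    return {'signature_valid': sig_ok,
            'matches_reviewed_build': digest_ok,
            'accept': sig_ok and digest_ok}


# The consumer's reference value: the digest of its own rebuild of the reviewed source.
REFERENCE_DIGEST = digest(build(CLEAN_SOURCE))


def run_scenarios():
    clean = consumer_check(*vendor_release(CLEAN_SOURCE, False), REFERENCE_DIGEST)
    trojaned = consumer_check(*vendor_release(CLEAN_SOURCE, True), REFERENCE_DIGEST)
    return clean, trojaned


if __name__ == '__main__':
    clean, trojaned = run_scenarios()
    print('clean release   :', clean)
    print('trojaned release:', trojaned)
```

Running the block prints both verdicts: the clean release passes both controls, while the trojaned release reports a valid signature but a digest that does not match the consumer\u2019s own rebuild, so it is rejected. The same logic applies when the vendor\u2019s key or credentials are stolen rather than its build server: a signature proves only who held the key, never what went into the build.<\/p>\n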

Software supply chain attacks are popular, can have a big impact<\/a> and are used to great effect by a range of cyber adversaries. Attackers can sit undetected on networks for months<\/a> and deliver remote code execution<\/a> into target environments. Efforts to disrupt or exploit supply chains\u2014including software supply chains\u2014have become a \u2018principal attack vector<\/a>\u2019 for adversarial nations seeking to take advantage of vulnerabilities for espionage, sabotage or other malicious activities.<\/p>\n

The growing prevalence of sophisticated supply chain attacks, like SolarStorm<\/a> (the compromise of SolarWinds\u2019 Orion build process) and NotPetya<\/a> (spread initially through a poisoned update to widely used Ukrainian accounting software), has seen governments around the world increasingly focused on identifying and mitigating risks to the software supply chain.<\/p>\n

In the US, a recent executive order<\/a> (Executive Order 14028 of May 2021) requires government agencies to purchase only software that meets secure development standards, in order to protect government data. To support the order, in February 2022 the National Institute of Standards and Technology issued guidance that provides federal agencies with best practices for enhancing the security of the software supply chain. Two guidelines were released: the Secure software development framework<\/em> (NIST Special Publication 800-218) and the companion Software supply chain security guidance<\/em>.<\/p>\n

The executive order directs the US Office of Management and Budget to take appropriate steps, within 30 days of the guidance being issued, to require that agencies comply with it. This means that federal agencies must begin adopting the framework and related guidance immediately, while tailoring it to their agency-specific risk profile and mission. Vendors that supply software to the US government will soon also have to attest that they meet these guidelines.<\/p>\n

In the Australian context, however, software supply chain risks remain largely underappreciated and unaddressed. So, what two key things could the Australian government do to manage these risks?<\/p>\n

First, it should update government procurement policies and processes to manage software supply chain risks.<\/p>\n

The government should ensure that there are adequate mechanisms to assess software supply chain risks early in the acquisition or procurement process. If a supply chain risk only surfaces at the later stages of the acquisition process, which in some cases can be years later, the government may already be overly committed to the solution of choice, forcing it either to pay significant costs to remove the risk or to attempt to manage it. Strengthening references to software supply chain risk in key procurement policies would help the government make more informed purchasing decisions and embed risk management practices at the early stages of the acquisition process.<\/p>\n

In particular, the government should consider adopting the US guidelines and integrating them into its procurement policies and practices. These documents are intended to help government agencies obtain the necessary information from software producers in a form that can guide risk-based decisions. The recommendations cover a wide range of software, including firmware, operating systems, applications and application services.<\/p>\n

Procurement processes should include asking software companies about their product integrity practices: what internal processes and oversight mechanisms they have to mitigate the risk of unauthorised modification during the development lifecycle, and whether they undertake third-party testing so that security vulnerabilities are identified earlier in the process.<\/p>\n

The government should also take steps to protect source code integrity by understanding whether vendors have shared their unique intellectual property as a condition of market access. Increasingly, we have seen countries implement new requirements, most notably mandates to review or even hold source code, as a condition of selling technology to certain parts of their market<\/a>. Widespread source code disclosure, however, could actually weaken security: access to the source lowers the cost of finding and exploiting vulnerabilities in software used by organisations globally, especially when the reviewing party is under no obligation to report what it finds. Currently, the Australian government doesn\u2019t have visibility of whether the companies it deals with have shared their source code with foreign governments, which poses a potential security risk.<\/p>\n

Procurement policies should be amended to identify the companies that have shared the source code of their unique intellectual property with governments as a condition of access to certain markets. A similar approach is being taken by the US government<\/a>.<\/p>\n

Second, the Australian government should establish practices and procedures to regularly review business-critical software.<\/p>\n

While some organisations might look at how a company manages its software supply chain at the point of purchase, few would undertake regular and continuous reviews of these practices. However, as we have seen from global attacks, regular reviews of key software companies\u2014their culture and software development practices\u2014may be helpful in preventing exposure to supply chain attacks.<\/p>\n

As part of this review process, the government could collaborate with vendors of critical software on risk-based principles, including notification of relevant changes to their software development practices or of key personnel changes (for example, the chief security officer leaving the organisation). It should also define the \u2018red line\u2019 for removing software from its environment: at what point or risk level would an agency reconsider having a particular software product, and who can sign off on removing it?<\/p>\n

As our world becomes increasingly digitised and connected, attacks on software supply chains are only set to increase. Compromising them can be an effective technique to gain widespread and undetected access to networks and systems. These risks are particularly acute for the defence and national security communities, which depend on software for key functions such as surveillance, data analytics and weapon systems, most of which is developed in the private sector.<\/p>\n","protected":false},"excerpt":{"rendered":"

Software has spread to almost every aspect of our lives\u2014from our watches to our combat aircraft\u2014and nearly every organisation, from the Department of Defence to your local shopfront, relies on software to operate. It is …<\/p>\n","protected":false},"author":1553,"featured_media":72509,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[1],"tags":[391,2138,301,2750],"class_list":["post-72506","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-cyber","tag-cybersecurity","tag-national-security-2","tag-supply-chain"],"acf":[],"yoast_head":"\nUndetected and dormant: managing Australia\u2019s software security threat | The Strategist<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.aspistrategist.ru\/undetected-and-dormant-managing-australias-software-security-threat\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Undetected and dormant: managing Australia\u2019s software security threat | The Strategist\" \/>\n<meta property=\"og:description\" content=\"Software has spread to almost every aspect of our lives\u2014from our watches to our combat aircraft\u2014and nearly every organisation, from the Department of Defence to your local shopfront, relies on software to operate. 
It is ...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.aspistrategist.ru\/undetected-and-dormant-managing-australias-software-security-threat\/\" \/>\n<meta property=\"og:site_name\" content=\"The Strategist\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/ASPI.org\" \/>\n<meta property=\"article:published_time\" content=\"2022-05-10T20:00:07+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-05-10T07:49:30+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/05\/security-g89d0b2b67_1280.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1280\" \/>\n\t<meta property=\"og:image:height\" content=\"853\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Sarah Sloan\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:site\" content=\"@ASPI_org\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Sarah Sloan\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\",\"url\":\"https:\/\/www.aspistrategist.ru\/\",\"name\":\"The Strategist\",\"description\":\"ASPI's analysis and commentary site\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.aspistrategist.ru\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-AU\"},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/undetected-and-dormant-managing-australias-software-security-threat\/#primaryimage\",\"url\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/05\/security-g89d0b2b67_1280.jpg\",\"contentUrl\":\"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/05\/security-g89d0b2b67_1280.jpg\",\"width\":1280,\"height\":853},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.aspistrategist.ru\/undetected-and-dormant-managing-australias-software-security-threat\/\",\"url\":\"https:\/\/www.aspistrategist.ru\/undetected-and-dormant-managing-australias-software-security-threat\/\",\"name\":\"Undetected and dormant: managing Australia\u2019s software security threat | The 
Strategist\",\"isPartOf\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/undetected-and-dormant-managing-australias-software-security-threat\/#primaryimage\"},\"datePublished\":\"2022-05-10T20:00:07+00:00\",\"dateModified\":\"2022-05-10T07:49:30+00:00\",\"author\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/34efaf2ef43d4d1c747a93fd3fce0525\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.aspistrategist.ru\/undetected-and-dormant-managing-australias-software-security-threat\/#breadcrumb\"},\"inLanguage\":\"en-AU\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.aspistrategist.ru\/undetected-and-dormant-managing-australias-software-security-threat\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.aspistrategist.ru\/undetected-and-dormant-managing-australias-software-security-threat\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.aspistrategist.ru\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Undetected and dormant: managing Australia\u2019s software security threat\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/34efaf2ef43d4d1c747a93fd3fce0525\",\"name\":\"Sarah Sloan\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-AU\",\"@id\":\"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/aad8b44b0bc2af77d916e0c534eca9a9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/aad8b44b0bc2af77d916e0c534eca9a9?s=96&d=mm&r=g\",\"caption\":\"Sarah Sloan\"},\"url\":\"https:\/\/www.aspistrategist.ru\/author\/sarah-sloan\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Undetected and dormant: managing Australia\u2019s software security threat | The Strategist","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.aspistrategist.ru\/undetected-and-dormant-managing-australias-software-security-threat\/","og_locale":"en_US","og_type":"article","og_title":"Undetected and dormant: managing Australia\u2019s software security threat | The Strategist","og_description":"Software has spread to almost every aspect of our lives\u2014from our watches to our combat aircraft\u2014and nearly every organisation, from the Department of Defence to your local shopfront, relies on software to operate. It is ...","og_url":"https:\/\/www.aspistrategist.ru\/undetected-and-dormant-managing-australias-software-security-threat\/","og_site_name":"The Strategist","article_publisher":"https:\/\/www.facebook.com\/ASPI.org","article_published_time":"2022-05-10T20:00:07+00:00","article_modified_time":"2022-05-10T07:49:30+00:00","og_image":[{"width":1280,"height":853,"url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/05\/security-g89d0b2b67_1280.jpg","type":"image\/jpeg"}],"author":"Sarah Sloan","twitter_card":"summary_large_image","twitter_creator":"@ASPI_org","twitter_site":"@ASPI_org","twitter_misc":{"Written by":"Sarah Sloan","Est. 
reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"https:\/\/www.aspistrategist.ru\/#website","url":"https:\/\/www.aspistrategist.ru\/","name":"The Strategist","description":"ASPI's analysis and commentary site","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.aspistrategist.ru\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-AU"},{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/undetected-and-dormant-managing-australias-software-security-threat\/#primaryimage","url":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/05\/security-g89d0b2b67_1280.jpg","contentUrl":"https:\/\/www.aspistrategist.ru\/wp-content\/uploads\/2022\/05\/security-g89d0b2b67_1280.jpg","width":1280,"height":853},{"@type":"WebPage","@id":"https:\/\/www.aspistrategist.ru\/undetected-and-dormant-managing-australias-software-security-threat\/","url":"https:\/\/www.aspistrategist.ru\/undetected-and-dormant-managing-australias-software-security-threat\/","name":"Undetected and dormant: managing Australia\u2019s software security threat | The 
Strategist","isPartOf":{"@id":"https:\/\/www.aspistrategist.ru\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.aspistrategist.ru\/undetected-and-dormant-managing-australias-software-security-threat\/#primaryimage"},"datePublished":"2022-05-10T20:00:07+00:00","dateModified":"2022-05-10T07:49:30+00:00","author":{"@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/34efaf2ef43d4d1c747a93fd3fce0525"},"breadcrumb":{"@id":"https:\/\/www.aspistrategist.ru\/undetected-and-dormant-managing-australias-software-security-threat\/#breadcrumb"},"inLanguage":"en-AU","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.aspistrategist.ru\/undetected-and-dormant-managing-australias-software-security-threat\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.aspistrategist.ru\/undetected-and-dormant-managing-australias-software-security-threat\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.aspistrategist.ru\/"},{"@type":"ListItem","position":2,"name":"Undetected and dormant: managing Australia\u2019s software security threat"}]},{"@type":"Person","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/34efaf2ef43d4d1c747a93fd3fce0525","name":"Sarah Sloan","image":{"@type":"ImageObject","inLanguage":"en-AU","@id":"https:\/\/www.aspistrategist.ru\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/aad8b44b0bc2af77d916e0c534eca9a9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/aad8b44b0bc2af77d916e0c534eca9a9?s=96&d=mm&r=g","caption":"Sarah 
Sloan"},"url":"https:\/\/www.aspistrategist.ru\/author\/sarah-sloan\/"}]}},"_links":{"self":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/72506"}],"collection":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/users\/1553"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/comments?post=72506"}],"version-history":[{"count":3,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/72506\/revisions"}],"predecessor-version":[{"id":72510,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/posts\/72506\/revisions\/72510"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media\/72509"}],"wp:attachment":[{"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/media?parent=72506"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/categories?post=72506"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aspistrategist.ru\/wp-json\/wp\/v2\/tags?post=72506"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}