With software supply chain attacks on the rise, the UK government is proposing new rules to mitigate the threat of breaches through trusted software that’s been tampered with by cyberattackers.
The Department for Digital, Culture, Media and Sport (DCMS) has put out a call for views on the new rules, which may require IT service providers and managed service providers (MSPs) to undergo the same cybersecurity assessments that critical national infrastructure providers do.
“As supply chains become interconnected, vulnerabilities in suppliers’ products and services correspondingly become more attractive targets for attackers who want to gain access to the organisations,” the government said. “Recent high-profile cyber incidents where attackers have used Managed Service Providers as a means to attack companies are a stark reminder that cyber threat actors are more than capable of exploiting vulnerabilities in supply chain security, and seemingly small players in an organisation’s supply chain can introduce disproportionately high levels of cyber risk.”
DCMS research found that only 12% of organizations vet suppliers for cybersecurity risks, and only about 5% address the vulnerabilities in their wider supply chain.
The UK government is particularly concerned about the risks posed to the nation’s businesses and agencies from IT outsourcing, pointing to attacks such as ‘CloudHopper’ where organisations were compromised through their managed service provider.
The new rules could mean that MSPs will need to meet the UK’s Cyber Assessment Framework (CAF), putting this sector alongside cyber requirements imposed on UK critical infrastructure providers.
The CAF aims to ensure relevant sectors have policies to protect devices and prevent unauthorised access, protect data at rest and in transit, secure backups, and train staff in cybersecurity.
The UK’s National Cyber Security Centre (NCSC) in February warned that supply chain attacks are on the rise, pointing specifically to attacks on software build pipelines.
Software supply chain risks came into focus after hackers breached SolarWinds’ enterprise network monitoring software Orion to compromise key US government agencies and the nation’s top cybersecurity firms. Microsoft president Brad Smith called the attack, which the US and UK have blamed on Russian intelligence, “a moment of reckoning” for the US tech and cybersecurity sector.
The US is also on high alert over software supply chain attacks, given SolarWinds’ impact on the US tech sector, and the ransomware attack on Colonial Pipeline. US president Biden last week signed an executive order that mandates federal agencies to implement multi-factor authentication within 180 days and encrypt data both at rest and in transit.
Tech companies are also facing potentially disruptive new laws in Australia via the Security Legislation Amendment (Critical Infrastructure) Bill 2020, which would encompass cloud providers along with traditional critical infrastructure operators. Microsoft has objected to the proposed legislation because it would allow government agencies to direct a company’s response to a cyberattack and request information from it. Cisco, Salesforce and Amazon Web Services (AWS) are also lobbying against the bill.