Breaking Trust – Shades of Crisis Across an Insecure Software Supply Chain

Society has a software problem. Since Ada Lovelace deployed the first computer program on an early mechanical device in the 1840s, software has spread to every corner of human experience. With that software come security flaws and a long tail of updates from vendors and developers. Unlike a physical system that is little modified once it has left the factory, software is subject to continual revision through updates and patches. Software supply chain security remains an underappreciated domain of national security policymaking. This talk explores 115 software supply chain attacks and vulnerability disclosures from the past decade to sum up where we are and how far we still have to go. Software supply chain attacks are popular, they are impactful, and are used to great effect by states, especially China and Russia. The implications for the technology industry and cybersecurity policymaking community are a crisis in waiting. The solution is not panic nor is it a moonshot, but rather a renewed focus on software supply chain security practices, new investment from public and private sectors, and revisions to public policy that emphasize raising the lowest common denominator of security behavior while countering the most impactful attacks.