Trey Herr, Atlantic Council
Society has a software problem. Since Ada Lovelace deployed the first computer program on an early mechanical device in the 1840s, software has spread to every corner of human experience. With that software come security flaws and a long tail of updates from vendors and developers. Unlike a physical system that is little modified once it has left the factory, software is subject to continual revision through updates and patches. Software supply chain security remains an underappreciated domain of national security policymaking. This talk explores 115 software supply chain attacks and vulnerability disclosures from the past decade to sum up where we are and how far we still have to go. Software supply chain attacks are popular, they are impactful, and are used to great effect by states, especially China and Russia. The implications for the technology industry and cybersecurity policymaking community are a crisis in waiting. The solution is not panic nor is it a moonshot, but rather a renewed focus on software supply chain security practices, new investment from public and private sectors, and revisions to public policy that emphasize raising the lowest common denominator of security behavior while countering the most impactful attacks.
Trey Herr, Atlantic Council
Dr. Trey Herr is the Director of the Cyber Statecraft Initiative at the Atlantic Council. His team works on the role of the technology industry in geopolitics, cyber conflict, the security of the internet, and cyber safety. Previously, he was a Senior Security Strategist with Microsoft handling cloud computing and supply chain security policy as well as a fellow with the Belfer Cybersecurity Project at Harvard Kennedy School and a non-resident fellow with the Hoover Institution. He holds a Ph.D. in Political Science and BS in Musical Theatre and Political Science.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
author = {Trey Herr},
title = {Breaking Trust {\textendash} Shades of Crisis Across an Insecure Software Supply Chain},
year = {2021},
publisher = {USENIX Association},
month = feb
}