Government’s Role in Increasing Software Supply Chain Security: A Toolbox for Policy Makers
Authors
Dr. Alexandra Paulus
Published by Interface
March 02, 2023
Software has become a cornerstone of the systems that are essential to modern society. Like many other products, software is the result of complex international supply chains. There are unique characteristics of the software-developing ecosystem that make software supply chains particularly vulnerable: First, software-developing entities rely significantly on software components developed, delivered, and maintained by others. Besides this, software-developing entities often do not prioritize security when developing their products, which is why software-using entities often find it difficult to assess the security of a given software based solely on the information provided to them. In addition, the supply chain can be compromised at different stages of the software development life cycle, which makes securing software supply chains a tough challenge.
Software supply chain compromises such as SolarWinds or Log4Shell can have large-scale impact: an initial compromise of one entity in the chain violates the confidentiality, integrity, and availability of data further down the software supply chain, often affecting multiple organizations and sectors across national borders. Software supply chain compromises have led to, inter alia, ransomware operations against software-using entities and to unauthorized access to sensitive customer data and proprietary source code. The perpetrators of such compromises are malicious actors pursuing criminal, political and economic espionage, and sabotage objectives.
Given these threats, software supply chain security poses an urgent problem for policy makers. For too long, the issue has been seen mainly as a problem for vendors to resolve. But recently, policy makers have started to recognize that this field is also ripe for policy interventions, as shown by the US president’s 2021 Executive Order 14028 on Improving the Nation’s Cybersecurity and by the European Commission’s 2022 draft of the Cyber Resilience Act. Still, the scope for government action to increase software supply chain security extends beyond the elements of these initiatives.
In this analysis, we develop a toolbox that combines diverse instruments with targeted government action to provide practical guidance for policy makers. This toolbox approach has the advantage that policy makers can choose instruments suited to their respective positions, considering, for example, available resources and capabilities.
After reviewing the instruments and the possibilities for government action, we have compiled three sets of policy priorities that policy makers should focus on, providing three levels of ambition that cater to different national starting points.
Whichever level policy makers choose, policies on software supply chain security will often be most effective when international coordination and cooperation are considered from the start. Emblematic examples of this include the harmonization of regulation on coordinated vulnerability disclosure (CVD) to facilitate cross-border vulnerability disclosure, or the international coordination of public procurement guidelines. In many cases, like-minded coalitions will provide the most promising starting point for international dialogue on these issues. Progress on this issue can also contribute to advancing multilateral cyber diplomacy. As all UN member states already agreed back in 2015 that governments should take steps to increase the security of software and hardware supply chains, it is high time that policy makers act on this commitment by developing concrete national policies.
Authors
Dr. Alexandra Paulus
Project Director "Cybersecurity Policy and Resilience"
Christina Rupp
Senior Policy Researcher "Cybersecurity Policy and Resilience"