Optus, Medibank – and supply chains flying under the radar
While repercussions from the recent hacker attacks on Australia's Optus and Medibank are still resounding as media writers estimate ever higher damage costs, attacks on supply chain targets are flying under the radar.
Yet they are becoming the biggest concern in cyber security for both the public and private sectors globally.
In the wake of the attack on private health assurance firm Medibank, Australia's cybersecurity minister Clare O'Neil warned of a new world "under relentless cyber-attack".
Globally, the technological research and consulting firm Gartner predicts that by 2025, nearly 45% of organisations worldwide will have experienced attacks on their software supply chains, demonstrating the critical action the industry needs to take to remedy the issue.
Recent data also showed that software supply chain attacks increased 300% year-over-year in 2021 and are growing, with a notable attack occurring recently when North Korean hackers weaponised open source software.
Despite efforts in the past two years to combat such attacks, according to one report more than one-third of organisations have been exploited due to a known open source software vulnerability in the last 12 months and 28% have been impacted by a zero-day exploit.
The tech industry has mobilised groups, including OpenSSF to improve the resiliency and security of open source software via workgroups, town halls, guides and trainings.
In the USA, the White House has taken action to enhance software supply chain security with a recent executive order.
According to evidence garnered by my company, there is a growing demand for better software supply chain security.
As threats to the software supply chain escalate, and with government regulations in the form of executive orders (EO 14028) mandating proper action to be taken, CISOs are compelled to develop and deploy better strategies to secure this area of significant weakness.
After years of discussions about DevSecOps, 2023 will bring wide adoption as securing software rises to the top of the CISO priority list. Along with this will come adoption of new technologies that enable DevSecOps and help companies contend with the onslaught of threats to the software supply chain. CISOs will prioritise spend on solutions for software composition analysis, SBOMs, and securing the toolchain, and they will look for better ways to measure the health of open source components.
We've seen time and again how business demands guide technology innovation, and along with this advance come new areas of risk. In recent years, increasing pressure to deliver software faster has widened attack surfaces and introduced severe vulnerabilities — much like in the early days of cloud adoption.
New tools, languages and frameworks that support rapid development at scale are being targeted by malicious actors, who understand the catastrophic impact that results from attacks to the software supply chain.
In 2023, software supply chain threats will continue to be a significant area of concern. We will see fewer sophisticated attacks like SolarWinds and more attacks like those targeting Log4J, Spring4Shell and OpenSSL, which are used massively across code and production. These attacks have a larger potential blast radius to allow hackers to impact entire markets and wreak havoc for organisations.