Following the SolarWinds Russian espionage campaign against the US government, the White House on February 17, 2021 addressed possible executive action in response to the most systemic hack of the US government in history. Experts, however, have questioned whether the Software Bill of Materials (SBOM) in its current form can prevent similar or worse incidents. SolarWinds is only the latest example of a foreign adversary penetrating US government systems, and researchers have observed an upward trend in the intensity of attacks against the US government. That trend is what drives the call to update the SBOM.
The SBOM is essentially an inventory of every module that goes into a complex piece of software. With that inventory in hand, an organization can identify which components carry known vulnerabilities or originate from untrusted sources, and so measure the cyber risk hidden within billions of lines of code, a technique that could be critical to mitigating future attacks. An SBOM records what a product contains, not whether a listed component has itself been tampered with, so it is one layer of supply-chain defence rather than a complete one. As software grows in complexity the amount of code rises, and the SBOM must be regenerated with each build to stay accurate. The SBOM standards are set to be finalized later this year; experts argue that the US government must work with software vendors to ensure the improved security standards are implemented universally.
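To show what the inventory-to-vulnerability check described above looks like in practice, here is an added example (written for this page, not code from the original article or from any SBOM tool). It parses a constructed SBOM in the CycloneDX JSON layout, compares each component's version against a constructed advisory list, and separately reports components whose version the SBOM omits, since those cannot be assessed at all. The component names, versions and advisory IDs are placeholders, not real packages or CVEs.

```python
import json

# Constructed sample SBOM using the CycloneDX JSON layout. The field names
# (bomFormat, specVersion, components, name, version, purl) are the real
# CycloneDX ones; the component names and versions are made up for this example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log-helper", "version": "2.14.0",
         "purl": "pkg:maven/example/log-helper@2.14.0"},
        {"type": "library", "name": "json-parse", "version": "1.3.2",
         "purl": "pkg:npm/json-parse@1.3.2"},
        {"type": "library", "name": "tls-shim", "version": "0.9.1"},
        {"type": "library", "name": "legacy-crypto"},  # no version recorded
    ],
})

# Constructed advisory list; the IDs are placeholders, not real CVE numbers.
# Each entry means: versions >= introduced and < fixed of the named component
# are affected.
ADVISORIES = [
    {"id": "EXAMPLE-ADVISORY-1", "name": "log-helper",
     "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "EXAMPLE-ADVISORY-2", "name": "json-parse",
     "introduced": "1.0.0", "fixed": "1.3.2"},
]


def parse_version(v: str) -> tuple:
    """Turn '2.14.0' or '1.3.2-rc1' into an integer tuple for comparison.

    Only the dotted numeric prefix is used. Real tooling applies the version
    semantics of each ecosystem (semver, PEP 440, Maven), so this is a
    deliberate simplification for the example.
    """
    core = v.split("-", 1)[0].split("+", 1)[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:  # pad so that 1.3 and 1.3.0 compare equal
        parts.append(0)
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (the fixed version is safe)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def load_components(sbom_json: str) -> list:
    """Parse the SBOM document and return its component list."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return bom.get("components", [])


def audit_sbom(sbom_json: str, advisories: list) -> dict:
    """Match SBOM components against advisories by name and version range.

    Returns {"matches": [...], "unversioned": [...]}. A component without a
    version is reported separately: the inventory is incomplete for it, and
    silently skipping it would hide risk.
    """
    matches, unversioned = [], []
    for comp in load_components(sbom_json):
        name, version = comp.get("name"), comp.get("version")
        if not version:
            unversioned.append(name)
            continue
        for adv in advisories:
            if adv["name"] == name and is_affected(
                    version, adv["introduced"], adv["fixed"]):
                matches.append({"component": name, "version": version,
                                "advisory": adv["id"], "fixed": adv["fixed"]})
    return {"matches": matches, "unversioned": unversioned}


if __name__ == "__main__":
    result = audit_sbom(SAMPLE_SBOM, ADVISORIES)
    for m in result["matches"]:
        print(f"{m['component']} {m['version']}: {m['advisory']} "
              f"(upgrade to {m['fixed']})")
    for name in result["unversioned"]:
        print(f"{name}: no version in SBOM, cannot assess")
```

Note what this check does and does not find. It flags log-helper 2.14.0 because it falls inside the affected range, clears json-parse 1.3.2 because that is the fixed version, and reports legacy-crypto as unassessable. It matches on name and version only: a trojanized build of a component that keeps its legitimate name and version looks identical in the inventory, which is exactly the gap an SBOM check alone leaves open.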
According to experts, the ramifications of adopting SBOM standards that promote cybersecurity best practices go beyond protecting the US government. SBOMs may become a key part of a corporation's cybersecurity strategy, giving it the information needed to manage risk from its suppliers. Cyber insurance underwriters may use the same information to assess premiums, and consumers can use it to track the intellectual property contained in what they buy. In short, the course of action outlined in the SBOM standard represents a step in the right direction for elevating the security of critical systems following a national cyber emergency, and may help root bad actors out of the supply chain entirely.
Read More: The US must adopt Software Bill of Materials to thwart cyberattacks