The software supply chain has gained significant attention in 2022 following high-profile vulnerabilities and attacks that targeted a range of industries. Following these incidents, US President Joe Biden published Executive Order 14208 as the first step in a flurry of legislative and regulatory guidance, advisories, and mandates in an attempt to rapidly uplift the security and integrity of the supply chain. A brief timeline explaining the list of publications launched in a targeted campaign by the U.S. Authorities to address an issue that had been overlooked for far too long can be found here: A timeline of federal guidance on software supply chain security.
It is clear however, that both the supply chain and broader existential threat of cyber attacks bear no borders. As a result, we have now seen oversight bodies in the UK and Europe begin to follow suit by ensuring organisation’s within their remit are taking appropriate steps to protect the global software ecosystem.
In this article, we explore the existing guidance published by legal and regulatory bodies in the UK and Europe regarding supply chain risk management (SCRM), as well as how organisations can prepare for emerging requirements coming down the pipeline.
Historically, there has been limited industry agnostic, EU wide legislation or regulation that has covered the need to secure the supply chain, let alone the software within it. In fact, it was not until 2016 that the European Commission proposed the first iteration of the Network and Information Security (NIS) directive addressing the broader cyber landscape. In alignment with other guidance to date, NIS did not specifically highlight the security risk posed by the supply chain. In fact, it suggested that software within the supply chain only enhanced an organisation's security posture, contributing to the “Inherent Trust” phenomenon that still plagues the security industry today:
"While hardware manufacturers and software developers are not operators of essential services, nor are they digital service providers, their products enhance the security of network and information systems. Therefore, they play an important role in enabling operators of essential services and digital service providers to secure their network and information systems."
Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016
We have since come to understand that the exact opposite is true. Software does not inherently improve the security of our network, information systems, and essential services that it may underpin. Instead, because software is inextricably intertwined with these systems, it is actively targeted by malicious actors who want to maximise the blast radius of their attack. As a result, software arguably poses the largest threat to business operations beyond any other element of the supply chain.
We have recently observed a change in Europe’s attitude towards the security risk posed by the supply chain. As described in the European Commission's strategy on ‘Shaping Europe’s digital future’, a vital factor of economic success stems from enabling organisations to trust the digital products they are consuming, including the software components that may be embedded within those products. Although this focus on security and digital trust has not materialised into any formal legislation or mandatory requirements for the software supply chain, a variety of research and guidance has been released over the last 24 months which indicates a recognition of the issue and need for change:
Who: The European Union Agency for Cybersecurity, ENISA, is the EU's agency dedicated to achieving a high common level of cybersecurity capabilities across Europe.
When: Published July 29, 2021
What: ENISA performed an in depth study of supply chain attacks that were discovered from January 2020-July 2021, investigating attack techniques used, supplier types and assets targeted, and threat actors involved. The study also aims to develop a standard taxonomy for classifying supply chain attacks in order to better analyse and compare them in a systematic manner.
Key Takeaways:
Who: The Department for Digital, Culture, Media & Sport (DCMS) helps to drive growth, enrich lives and promote Britain abroad. A key objective of DCMS is to drive the UK’s connectivity, telecommunications and digital sectors in a secure manner.
When: 11 July 2021
What: DCMS research (including the 2021 Cyber Security Breaches Survey) had identified that businesses of all sizes were not adequately protecting themselves against cyber attacks, particularly attacks originating in their supply chains. As a result, while the government prepared a new National Cyber Strategy, DCMS was assigned the responsibility to gather industry input on how organisations within the UK manage supply chain cyber risk and what additional government intervention would enable organisation’s to do this more effectively.
Key Takeaways:
Who: The National Cyber Security Centre (NCSC) is a government agency set up to help protect the UK's critical services from cyber attacks, manage major incidents, and improve the underlying security of the UK Internet through technological improvement and advice to citizens and organisations.
When: 22 March 2022
What: Referenced in the draft version of Telecommunications Security Code of Practice (measures 5.01 and 10), this publication provides guidance for how to assess the security of networking equipment, including the software embedded within it.
Key Takeaways:
Who: The National Cyber Security Centre (NCSC) is a government agency set up to help protect the UK's critical services from cyber attacks, manage major incidents, and improve the underlying security of the UK Internet through technological improvement and advice to citizens and organisations.
When: 12 October 2022
What: This guidance describes practical steps to help organisations better assess cybersecurity in their supply chains. It’s aimed at medium to large organisations who need to gain confidence or assurance that mitigations are in place for vulnerabilities associated with suppliers.
Key Takeaways:
Who: The European Union Agency for Cybersecurity, ENISA, is the EU's agency dedicated to achieving a high common level of cybersecurity capabilities across Europe.
When: 11 November 2022
What: Following an eight-month threat foresight exercise, ENISA published an analysis of the top 10 top cybersecurity threats likely to emerge by 2030.
Key Takeaways:
Noted within the DCMS Call for Views on Supply Chain Cyber Security, it is broadly recognized that more detailed policy enforcement is required from oversight bodies to enact change. Both the UK and EU have taken notice of this need and are in the process of rolling out new regulatory and legislative requirements surrounding software supply chain security to take effect in coming years. Below, we highlight a few examples of emerging change on the horizon:
Who: European Commission
When:
What: The long awaited update to NIS (the first piece of EU-wide legislation on cybersecurity) is being implemented to ensure more stringent supervisory measures and stricter enforcement requirements (as a fragmented adoption by member states caused failure with NIS 1).
Impact: Member States are granted discretion to levy administrative fines for breaches of up to 10M EUR or 2% of total worldwide annual turnover (whichever is higher) for instances of infringement with the directive.
Relevance to Software Supply Chain: The need to “address the security of supply chains” is a fundamental driving force behind the refresh of current NIS guidelines. The proposed language states, “Addressing cybersecurity risks stemming from an entity’s supply chain and its relationship with its suppliers is particularly important given the prevalence of incidents where entities have fallen victim to cyber-attacks and where malicious actors were able to compromise the security of an entity’s network and information systems by exploiting vulnerabilities affecting third party products and services”. This need to address cyber risk would extend to the software which underpins these products and services.
Who: European Commission
Why: Existing EU cyber legislation has substantial gaps regarding the security of products with digital elements
When:
What: This proposal for a regulation on cybersecurity requirements for products with digital elements bolsters cybersecurity rules, ensuring more secure hardware and software products. Although the nature of how the act will be enforced is still pending review, the preferred option noted within the draft proposal involves the mandatory third-party assessment for critical products (including their embedded software) based on a cost/benefit analysis and the desire for market transparency.
Impact: The non-compliance with the essential cybersecurity requirements laid down in Annex I and the obligations set out in Articles 10 and 11 shall be subject to administrative fines of up to 15M EUR or, if the offender is an undertaking, up to 2.5% of its total worldwide annual turnover for the preceding financial year, whichever is higher.
Relevance to Software Supply Chain: Annex I of the proposed regulation outlines a list of cybersecurity requirements expected to be achieved for products which contain a digital element. This list includes various elements surrounding the security and integrity of software including, but not limited to, ensuring that software is:
Note: The examples above are not an exhaustive representation of the current or future landscape of cybersecurity laws and regulations. For example, the examples provided do not include industry or sector specific requirements, such as the Digital Operational Resilience Act (DORA) for financial institutions or The Electronic Communications (Security Measures) Regulations 2022 specific to network and service providers.
Several regulators within the UK and EU, including the Prudential Regulatory Authority (PRA) and European Banking Authority (EBA), advocate for the principle of proportionality when managing supply chain risk. This principle states that supply chain risk should be overseen with a level of effort and due diligence that is proportional to the risk that a unique supplier presents to an organisation's business operations.
In order to adopt this approach, organisations often design a risk segmentation model. This allocates enterprise suppliers into “tiers” based on a variety of risk elements so that assurance activities can be targeted to oversee the most critical risk business relationships. The traditional scope of segmentation models focuses on two distinct qualifiers:
Although these risk elements are a great foundation for understanding the threat that may be imposed by a third-party, they overlook the commercial off the shelf software (COTS) supplier type which we know from experience poses a significant risk to organisations. As these COTS suppliers traditionally do not have access to data or connectivity to a network, they tend to be allocated into the lowest risk tier, therefore receiving limited oversight.
It is recommended that organisations expand their segmentation approach to cover characteristics that are unique to software. The following is a list of software risk elements included in a draft bill created by the US Congress that can be used as a framework when considering what characteristics to include:
Once software suppliers are in-scope for monitoring, organisations should evaluate their assessment processes to make sure they address the unique risk presented by a specific supplier type. Far too often, organisations make the mistake of building a one size fits all programme to monitor supplier security risk. Although this may make it easy to compare the security posture of one supplier to another (e.g. apples to apples), it overlooks the uniqueness of the relationship, product, or service that is provided that contributes to its risk profile. In fact, it may be detrimental to compare the security maturity of two suppliers that are inherently different as it may negatively influence procurement decision making if the comparison is built off a correlation with no significance (e.g. apples to oranges).
In fact, the UK NCSC guidance on “How to assess and gain confidence in your supply chain cyber security” suggests exactly this. It states the the following:
"Supply chains can be complex, and may involve many different organizations working in very different ways. As a result, there is not really a ‘one size fits all’ approach to assessing supply chain cyber security risk. You should therefore seek to understand risks to your supply chain based on what your suppliers provide to you and the relationship you have with them."
A theme introduced by various of the aforementioned oversight bodies, organisations should shift their focus from only using questionnaire based assessments, which primarily focus on business process oriented controls (e.g. background check policy, leavers processes, etc.), to product and service specific risk assessments.
For example, if you engaged with a supplier to acquire a COTS software product, a targeted assessment should include the following activities that are unique to the software product consumed:
History has shown that malicious actors have found success in breaching software supply chains throughout various stages of the software development, packaging, delivery, and use lifecycle. The security risks posed by software suppliers is not stagnant, and will continue to change over time as they begin to adopt new processes, onboard new tool chains to support development, and hire new employees to scale their operations. As such, it is important that organisation’s broaden their scope of assurance activities beyond a single point in time assessment to gain continuous coverage of risk throughout the lifecycle supplier engagement.
This concept of continuous supplier monitoring, materialises throughout various industry control frameworks (e.g. NIST 800-161 Control CA-2), regulatory guidelines (e.g. EBA Outsourcing Guidelines and DORA), and legislative requirements (e.g. Executive Order 14028). A simple way of demonstrating continuous monitoring in the context of COTS providers can be achieved by the following two-step process:
ReversingLabs, the market leader in software supply chain security, has teamed up with PricewaterhouseCoopers LLP (a limited liability partnership incorporated in England) (“PwC”)) to help businesses gain visibility and control over their software supply chain. PwC provides market leading advisory and managed services in Third Party Risk Management (TPRM) and works with many of the world’s largest and most complex organisations. Working together, ReversingLabs and PwC will help customers modernise traditional TPRM programs that struggle to keep pace with the complexities and interconnectedness of the modern software supply chain.
If you have questions about how to effectively manage software supply chain security risk, please contact us for help.
Penny Flint
Partner, Financial Services and Third Party Risk Management, PwC United Kingdom
Tel: +44 (0)7803 858309
Ian Trinder
Director, Resilience & Risk Management, PwC United Kingdom
Tel: +44 (0)7483 401097
Charlie Jones
Director of Product Management, ReversingLabs, PwC United Kingdom
Tel: +44 (0)7483 421805