
Hidden Risks in Our Software Supply Chain

Originally Posted On: https://blog.axellio.com/hidden-risks-in-our-software-supply-chain

The Hidden Risks in Our Software Supply Chain — What You Don’t Know Will Hurt You

In recent years, securing hardware supply chains for critical infrastructure and defense systems has been a primary focus. However, the software powering these systems presents an equally pressing, yet often overlooked, concern.

There are two fundamental security risks with most software products today:

  • An over-reliance on open-source software
  • The use of foreign software programmers and foreign software manufacturers

The last decade has seen a fundamental shift in product development — the extensive use of open-source software. This crowd-sourced effort has reduced the cost and time of software development, and has potentially made it riskier.

One fundamental risk is that you are relying on others to adequately validate that the software is error-free. Since this is done for “free” by the community, the quality of that verification ranges from very good to very poor (and every level in between), which leads to unstable and insecure software code.

A prime example of this is the Node.js library. According to a 2022 Dark Reading article, researchers at Johns Hopkins University reported that they found 180 different zero-day vulnerabilities spread across thousands of Node.js libraries. If you are not familiar with Node.js, it is a widely distributed set of libraries initially created in 2011. Given the amount of review that should have taken place over 11 years, 180 zero-day flaws represent a lot of risk to discover, especially if you are a product manufacturer delivering software solutions to the military or other government departments.

What about all of the other open-source libraries being used? Not only could there be many accidental “ticking time bombs” out there, but there could also be zero-day flaws discovered by bad actors (especially some foreign governments) that are deliberately not reported, so that those actors can use the flaws at a later date for nefarious purposes.

This issue extends beyond open-source software. The increasing role of Chinese companies in developing software across various sectors, including those deemed critical, raises additional concerns. A study by Fortress Information Security revealed that a staggering 90% of the software products they reviewed for United States electric power companies (which included information technology (IT) and operational technology (OT) products) contained components developed by individuals from either China or Russia.

This involvement creates worries about potential backdoors being intentionally inserted into the software, data exfiltration, or even the capacity to disrupt these systems, particularly during times of conflict. It also highlights a concern that foreign governments could pressure businesses to compromise their software for nefarious purposes. Additionally, individuals acting independently with malicious intentions could introduce vulnerabilities.

Even when the source of the software is known, ensuring its integrity can be challenging. Sophisticated actors can exploit vulnerabilities to gain unauthorized access or manipulate data, compromising sensitive information and disrupting critical operations. The potential consequences of such breaches, particularly in defense, intelligence, and critical infrastructure, could be catastrophic.

So, what can be done about the two problems? Organizations must prioritize working with companies committed to developing and delivering secure, trustworthy software, including those that:

  • Prioritize rigorous security standards and certifications: Look for companies that adhere to internationally recognized security standards like ISO 9001:2015 and possess relevant certifications, such as the DoD Authority to Operate (ATO). Axellio, for example, holds both ISO 9001:2015 certification and DoD Authority to Operate (ATO) for multiple products, demonstrating a commitment to providing secure solutions for sensitive government and defense applications.
  • Focus on domestic development and customization: U.S.-based companies can offer greater transparency and control over the software development process, minimizing reliance on foreign components and reducing potential risks associated with supply chain vulnerabilities. This approach ensures that sensitive code remains within U.S. jurisdiction. Axellio’s focus on domestic development ensures that our software, like the PacketXpress® network intelligence platform, is developed entirely within the US.
  • Reduce the use of open-source software: Organizations should develop software internally (where they know the provenance of the code) or seek partners who can provide customizable solutions that meet their security requirements. Axellio’s code is primarily home-grown, creating a very secure solution, free of foreign-actor backdoors.

So how does the industry move forward? Addressing software supply chain risks requires a multi-faceted approach. We need to implement more rigorous vetting processes, especially for critical systems. Supporting U.S.-based software development for key industries is crucial, as is collaborating to improve security practices. Most importantly, we must raise awareness among decision-makers about the importance of software supply chain security. As we continue to secure our digital infrastructure, we need to remember that the integrity of our software is just as crucial as the hardware it runs on. By prioritizing “Made in America” software and addressing the complex challenges of our global software ecosystem, we can build a more resilient and secure digital future.
