Cybersecurity remains an afterthought. What will it take to make it a priority?
Cyberattacks on the software supply chain — which includes everything from code, configurations and open-source components to libraries, plugins and container dependencies — are not just a business problem, but a national security problem that puts our families, friends and communities at risk.
The number of software supply chain attacks has exploded over the last few years, with threat actors increasingly seeing it as an easy and lucrative target. Cybercrime is widely estimated to cost close to $10 trillion annually, and attackers have followed the money. Attacks like SolarWinds, MOVEit, Okta and, more recently, the attempted XZ Utils backdoor, underscore the enormous impact of threats to the software supply chain.
Cybercriminals’ focus on software has pushed the U.S. public sector to raise alarm bells about the nation’s inability to keep threats at bay. Calling attention to the fact that bad actors from China, North Korea and Russia are determined to wreak havoc on American infrastructure, federal agencies, including the FBI and CISA, are adamant that organizations improve their cyber hygiene. FBI Director Christopher Wray went so far as to say that foreign threat actors attacking and shutting down critical services is the “defining threat of our generation.” The message is clear: we are sitting ducks for a successful nation-state attack.
Unfortunately, despite the urgency for better cybersecurity practices from governing bodies, organizations in charge of our critical infrastructure continue to fall short in their efforts to protect themselves. In fact, recent EPA inspections found that more than 70% of the water systems inspected did not fully comply with Safe Drinking Water Act cybersecurity requirements, with some exposing critical weaknesses such as unchanged default passwords and single shared logins, and this isn't unique to the water sector. Poor security practices leave our power grids, cell towers and gas lines susceptible to a disruptive attack, which poses an important question: how do we hold organizations accountable?
Human Nature Has Organizations Failing to Take Action
To determine accountability, we must first understand why organizations are not prioritizing cybersecurity in the first place — the root cause lies in human nature. People are inherently predisposed to procrastination, seeking immediate gratification over long-term benefits. In the context of cybersecurity, this manifests as a reluctance to implement necessary security measures despite understanding their importance.
Addressing this natural tendency requires more than education and awareness; it needs enforcement. Proactivity is critical to improving national security, but cybersecurity is currently treated as an insurance cost. Because the ability to disclaim liability through contract law minimizes the financial impact of security failures, organizations have little incentive to prioritize it.
Businesses are aware of the threats poor cybersecurity practices pose to our nation’s security; they just need to be more proactive in protecting it. Imposing liability for security breaches can be a powerful motivator for organizations to take action.
Progress Made, But Policies Remain Lenient
If you were to ask business leaders which factors have most affected their organization's software security in recent years, cyber regulation would likely top the list. As threats to our national security persist, the U.S. government has been stepping up its focus with executive orders, government-issued mandates and regulatory guidelines. But the current policy landscape is still too lenient to drive significant change.
Take CISA's Secure-by-Design pledge for example. While the voluntary pledge aims to build on existing software security best practices, it stops short of turning its goals into enforceable requirements. The pledge centers on participants vowing to make a "good-faith effort" toward the goals CISA outlined, such as demonstrating steps taken to measurably increase the installation of security patches by customers within one year of taking the pledge, but there is no repercussion for failing to meet them.
This and similar initiatives currently in place to address poor software security are a step in the right direction, but it's clear that more stringent enforcement mechanisms are required to drive real change. The Department of Justice has also used a Civil War-era law, the False Claims Act, to go after contractors that misrepresented the security of products and services sold to the U.S. government. This is a start, but we need a lot more of it.
Existing regulations guiding the industry today can be leveraged to help drive the right cybersecurity hygiene behaviors. Regulations help establish a framework, provide guidelines and set minimum standards for cybersecurity practices. Now, we need to transition from aspirational principles to a system that compels software developers to embed security into the very DNA of their products.
The Rise of SBOMs
To galvanize practitioners, policymakers can design interventions that make secure practices the default option. Mandating periodic security audits and vulnerability disclosures, or offering economic incentives such as tax breaks for companies that invest in robust cybersecurity measures, can motivate organizations to prioritize security. Conversely, imposing fines and sanctions for non-compliance creates a financial disincentive for procrastination that compels companies to act swiftly.
One resource that can help organizations remain compliant with ever-evolving regulations is the software bill of materials, commonly called an SBOM. As a machine-readable inventory of the components, versions and dependency relationships that make up an application, an SBOM is an indispensable tool for meeting compliance requirements.
With current and impending regulations, such as PCI DSS 4.0 and the EU Cyber Resilience Act, there is a growing demand for organizations to maintain detailed and accessible software inventories. An SBOM does not secure anything by itself, but it gives organizations the transparency and visibility needed to confirm that every component is used in accordance with its license, to verify the integrity of what they ship against what they declared, and to answer "are we affected?" quickly when the next XZ Utils or MOVEit lands.
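What such a check looks like in practice, as an added example that is not part of the original article: a small Python audit that reads a CycloneDX-style SBOM (the field names `bomFormat`, `components`, `purl`, `hashes` and `licenses` follow the CycloneDX JSON schema), verifies each declared license against an approved list, recomputes each component's SHA-256 against the artifact actually deployed, and flags anything deployed but never declared. The SBOM contents, the artifact bytes and the approved-license policy are all constructed for illustration; nothing here is a real product's inventory.

```python
import hashlib
import json

# Assumed policy: only these SPDX license identifiers may ship in our product.
APPROVED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Constructed sample: purl -> (name, version, license id or None, artifact bytes).
# These are not real packages; the bytes stand in for wheel/jar contents.
SAMPLE_ARTIFACTS = {
    "pkg:pypi/fastjson-lite@2.1.0": ("fastjson-lite", "2.1.0", "MIT",
                                     b"fastjson-lite 2.1.0 wheel bytes"),
    "pkg:pypi/gpl-parser@0.9.1": ("gpl-parser", "0.9.1", "GPL-3.0-only",
                                  b"gpl-parser 0.9.1 wheel bytes"),
    "pkg:pypi/auth-helper@1.4.2": ("auth-helper", "1.4.2", "Apache-2.0",
                                   b"auth-helper 1.4.2 wheel bytes"),
    "pkg:pypi/mystery-lib@3.0.0": ("mystery-lib", "3.0.0", None,
                                   b"mystery-lib 3.0.0 wheel bytes"),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_sbom(artifacts: dict) -> dict:
    """Build a CycloneDX-1.5-style SBOM dict recording each artifact's SHA-256."""
    components = []
    for purl, (name, version, license_id, data) in artifacts.items():
        comp = {
            "type": "library",
            "name": name,
            "version": version,
            "purl": purl,
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}],
        }
        if license_id is not None:
            comp["licenses"] = [{"license": {"id": license_id}}]
        components.append(comp)
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "version": 1, "components": components}


def audit_sbom(sbom_json: str, deployed: dict, approved=APPROVED_LICENSES) -> list:
    """Compare an SBOM against deployed artifacts (purl -> bytes).

    Returns a list of (purl, finding) tuples; an empty list means every
    component has an approved license, a matching SHA-256, and nothing
    undeclared was shipped.
    """
    sbom = json.loads(sbom_json)
    findings = []
    declared = set()
    for comp in sbom.get("components", []):
        purl = comp.get("purl") or f"{comp.get('name')}@{comp.get('version')}"
        declared.add(purl)

        # License check: every declared license must be on the approved list.
        ids = {entry.get("license", {}).get("id") for entry in comp.get("licenses", [])}
        ids.discard(None)
        if not ids:
            findings.append((purl, "no license declared"))
        elif ids - approved:
            findings.append((purl, "license(s) not on approved list: "
                             + ", ".join(sorted(ids - approved))))

        # Integrity check: recompute SHA-256 of what was actually deployed.
        recorded = next((h.get("content") for h in comp.get("hashes", [])
                         if h.get("alg") == "SHA-256"), None)
        if recorded is None:
            findings.append((purl, "no SHA-256 hash recorded"))
        elif purl not in deployed:
            findings.append((purl, "declared in SBOM but not present in deployment"))
        elif sha256_hex(deployed[purl]).lower() != recorded.lower():
            findings.append((purl, "SHA-256 mismatch: deployed artifact differs from SBOM"))

    # Phantom dependencies: shipped but never declared.
    for purl in deployed:
        if purl not in declared:
            findings.append((purl, "present in deployment but absent from SBOM"))
    return findings


def demo() -> list:
    """Run the audit against a deployment with one tampered and one undeclared artifact."""
    sbom_json = json.dumps(build_sample_sbom(SAMPLE_ARTIFACTS))
    deployed = {purl: a[3] for purl, a in SAMPLE_ARTIFACTS.items()}
    # Simulated tampering: deployed bytes no longer match the recorded hash.
    deployed["pkg:pypi/auth-helper@1.4.2"] = b"auth-helper 1.4.2 wheel bytes + injected code"
    # Simulated phantom dependency: shipped, but never declared.
    deployed["pkg:pypi/undeclared-util@0.1.0"] = b"undeclared-util 0.1.0 wheel bytes"
    return audit_sbom(sbom_json, deployed)


if __name__ == "__main__":
    for purl, finding in demo():
        print(f"{purl}: {finding}")
```

The join key is the package URL (purl), which is what most SBOM generators and vulnerability feeds agree on; when a supplier's SBOM lacks purls, the fallback `name@version` key is much weaker and should itself be treated as a finding. The phantom-dependency loop is the part most audits skip, and it is exactly what catches a build step that pulls in something the SBOM was never told about.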
In fact, SBOMs and regulations are already more intertwined than most realize; SBOM adoption is growing across enterprises since the introduction of Executive Order 14028. While this is a significant step in the right direction, the next wave of this evolution must be an SBOM requirement for all software vendors. After all, we wouldn’t buy a vehicle from a car manufacturer that doesn’t have a manufacturing bill of materials – why should buying software be any different?
The Cost of Inaction Must Be Higher
Just as the NHTSA holds automakers responsible for safety flaws and the FDA holds food manufacturers accountable to safety standards, software manufacturers need to be held to the same expectation. Repercussions motivate organizations to take a proactive security approach to software development and regulatory bodies should play a crucial role in enforcement.
The SolarWinds incident is an example of just how influential government agencies can be. In 2023, the SEC charged SolarWinds and its CISO with fraud and internal control failures related to the 2020 breach that impacted thousands of organizations across the globe. It was the first time the agency had brought charges against an organization's CISO in connection with a cybersecurity attack, signaling a shift in the consequences of negligent cybersecurity practices. A federal court later dismissed most of those claims, but the message to boards and security leaders had already landed.
We cannot accept cybersecurity incidents as inevitable. While breaches will never be completely eradicated, there must be significant penalties for poor cybersecurity posture. Securing our critical infrastructure should not be written off as an insurance cost; it should be something organizations prioritize above all else and are held accountable for. Change for the good of the public, when the risk is clearly known, requires legislation to improve public safety. By enforcing software security standards and levying consequences for non-compliance, we can compel action that makes a difference.
A successful nation-state attack against the software supply chain will have devastating and far-reaching repercussions, beyond the organization that has been targeted initially. If we don’t take the growing threat to our national security seriously, it won’t be a question of if threat actors achieve their goal, but when.