As the federal government continues to recover from the epidemic, two powerful but opposing trends—zero trust and open source—are having an impact on its information technology strategy. The adoption of zero trust may be the most noticeable of these trends, in part because of the White House’s 2021 Executive Order on Improving the Nation’s Cybersecurity. However, experts worry that the increased acceptance of open source software could undermine any gains in cybersecurity.
80% of the more than 6,800 government software projects listed on Code.gov are open source, according to the 2020 Federal Source Code Study, enabling developers to innovate quickly, reduce deployment costs, and offer additional vendor options.
The open source movement's crowdsourced innovation model may enhance cybersecurity, but attackers may be able to sneakily insert malware due to the source code's transparency. The difficulties that software applications face from potential breaches were highlighted in a 2020 research paper titled "Backstabber's Knife Collection," which described 174 malicious software packages "used in real-world attacks on open source software supply chains" between 2015 and 2019.
Although the open source community is skilled at detecting vulnerabilities and swiftly fixing them, the dispersed nature of open source packages means that when an attack takes place, it can propagate quickly before being noticed. Once those open source software applications are compromised, a zero trust architecture struggles to defend against the attack because the malware-infected software has already been identified in the IT environment.
Zero trust also cannot, by itself, recover compromised data in the case of an attack, although it can help safeguard legitimate sources of access and restrict data exposure. Zero trust is not a single product or a perfect replica of the data; rather, it is an architecture, a design, and a way of thinking.
To be ready for the potential effects of attacks on open-source supply chains, agencies need to look beyond conventional zero trust approaches and implement defensive tactics that take into consideration the entire supply chain, along with a solid data protection plan should a breach occur.
Ensure the safety of the entire software supply chain
Dependence on open source software is not expected to decrease, particularly in the public sector, where the federal government continues to value innovation. That means IT managers must combine zero trust protections with cybersecurity efforts against potential software supply chain threats. This could entail actions like requiring a software bill of materials (SBOM) to give IT staff information on a software product's components. Strong cyber hygiene from IT managers is also necessary, including regular patching and updating of software components throughout the company to guard against any vulnerabilities.
Protect your data
IT administrators need to make sure their data is secure in order to stave off an attack that may have already happened. As we learned with NotPetya, a strain of malware first uncovered in a 2017 attack on Ukraine, the attack itself was initially believed to be ransomware installed in a legitimate software update that only prevented customers from accessing their data. In the end, it was shown to be a quickly propagating wiper attack that cost $10 billion in damages worldwide and erased all data on victim systems.
Due to the inherent risk posed by these threats, it is crucial for businesses to develop a dependable, tested, and confirmed data backup strategy that can be applied to all mission-critical workloads.
This entails adopting precautions such as making sure that a backup's integrity can be verified from the moment it is created and that it can be rapidly recovered in the case of such an attack. Backups must also be resistant to attack, whether through the use of end-to-end encryption, fortified repositories, removable storage, end-to-end protection, or ransomware removal tools.
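As an added illustration (not from the original article), here is one way to make a backup's integrity verifiable from the moment it is created: record a SHA-256 digest for every file when the backup is written, authenticate that manifest with HMAC, and check both before any restore. The function names, file names and key are constructed for the example, and it assumes the key and manifest are stored away from the backup host.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path

def snapshot(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    digests = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests

def _tag(files, key):
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def build_manifest(root, key):
    """Run when the backup is written; keep the result apart from the backup."""
    files = snapshot(root)
    return {"files": files, "hmac": _tag(files, key)}

def verify_backup(root, manifest, key):
    """Return a sorted list of problems; an empty list means intact."""
    if not hmac.compare_digest(_tag(manifest["files"], key), manifest["hmac"]):
        return ["manifest: authentication tag mismatch"]
    now, then = snapshot(root), manifest["files"]
    problems = [f"missing: {p}" for p in then if p not in now]
    problems += [f"modified: {p}" for p in then if p in now and now[p] != then[p]]
    problems += [f"unexpected: {p}" for p in now if p not in then]
    return sorted(problems)

def demo():
    """Constructed sample: a two-file backup checked before and after damage."""
    key = b"constructed-demo-key"  # assumption: a real key is stored off-host
    with tempfile.TemporaryDirectory() as root:
        Path(root, "db.dump").write_bytes(b"rows")
        Path(root, "config.ini").write_bytes(b"mode=prod")
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)
        Path(root, "db.dump").write_bytes(b"\x00" * 4)  # contents overwritten
        Path(root, "config.ini").unlink()               # file deleted
        damaged = verify_backup(root, manifest, key)
    return clean, damaged

if __name__ == "__main__":
    print(demo())
```

Because the manifest is keyed, malware that rewrites both the backup and an unprotected checksum file still fails verification unless it also holds the key.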
Vulnerabilities may be difficult to find if the software supply chain is not fully transparent. While attempts to safeguard the software supply chain are underway, the most thorough form of security is to have a broad data protection policy that covers on-premises, cloud, and other software-based systems as a vital failsafe.
Zero trust is still a crucial tactic for thwarting future cyberattacks, but it should be only one of several tactics used against more capable foes. It is essential that the government have a solid data protection policy as its cornerstone in order to help ensure that it is resilient in the face of such threats.