The software war: a quieter threat to Australia’s national security
18 Sep 2024|

Australia is waging a quiet yet critical battle on a new front—its software supply chains.

Attacks on this battleground infiltrate deep within the software development lifecycle, exploiting vulnerabilities in third-party components or open-source software. But unlike other kinds of attacks, the fallout easily extends beyond businesses to essential systems that can underpin our nation’s economy and security.

Recent high-profile breaches, like the Sisense and Okta attacks, show just how dangerous supply chain vulnerabilities can be. The approach is uncomfortably simple: embedding malware into software updates of trusted vendors that are then distributed across their customer network. Organisations, in effect, deliver the attacks to themselves. Once these updates are deployed, both to private sector companies contracted by government, as well as agencies themselves, they can silently undermine entire systems without any immediate signs of a breach.

What makes these attacks so dangerous is how stealthy they can be, sometimes remaining undetected for months or even years. So, when attackers finally act, they’ve already spread so far and into so many different organisations that no one is immune. What’s more, if we consider the possibility that they’re nation-state backed, there’s every chance that essential services Australians rely on every day can be disrupted. From energy grids to healthcare systems, even our national defences are placed at risk.

Australia’s vulnerability to software supply chain attacks is a growing concern at the highest levels of government. Even more so as technology becomes more ingrained in critical infrastructure. Former Australian Home Affairs minister, Clare O’Neil, even described cyber as ‘the fastest changing national security threat that our country faces’. The Office of the Australian Information Commissioner recent data breach report also highlights growing concerns over supply chain risks and breaches, revealing a significant number of multi-party incidents.

What this means is a breach in one software provider can ripple across multiple industries and government agencies. If a supply chain attack were to compromise software supporting key services, like healthcare or communications, the impact could be catastrophic. The Optus and Medibank incidents show just how vulnerable Australia’s systems are.

Software supply chains are as complex and interconnected as the highways that support our essential services. Just as road networks have multiple entry points, software ecosystems have countless side entrances—third-party components, open-source libraries and external vendors that can introduce vulnerabilities. For governments, securing these entry points is not just an IT challenge; it is a national security imperative. Tackling these daunting challenges demands defence from three distinct directions: education, continuous scanning and establishing trusted frameworks.

Government bodies, like other major organisations, must ensure that those managing the software supply chain, from developers to IT administrators, understand the risks. Clear guidelines are essential for sourcing software components, especially open-source code, and knowing under what conditions they should be used. Following the principle of trust but verify, public sector entities must rigorously vet any third-party code before it is deployed in critical systems, especially those underpinning essential services.

Open-source communities, in particular, benefit from this. Many solutions used in software supply chains come from open-source projects, and raising awareness about supply chain risks within these communities can help in safeguarding critical software infrastructure.

Continuous scanning also plays a huge role in identifying and addressing vulnerabilities across every layer of the software supply chain, from development systems to production environments. Automated tools can scan for known common vulnerabilities and exposures and flag issues before attackers can exploit them. It’s essential to scan not just the software itself but also the infrastructure and libraries that support it, a leave-no-stone-unturned defence posture. For government departments managing sensitive data and critical infrastructure, this level of attention should always be non-negotiable.

Finally, trust. To ensure software integrity, organisations should strongly consider adopting trusted frameworks and certifications that can guarantee a high level of care in the development, maintenance and distribution of software, well-known ones include the Cybersecurity Framework developed by the US National Institute of Standards and Technology and the Supply-chain levels for software artifacts, a Google-developed framework, each setting rigorous security standards.

As the digital economy grows and Australia becomes increasingly dependent on critical infrastructure powered by broad software ecosystems, the stakes will only rise. IDC, a market intelligence firm, found that in 2024, with the frequency of cyberattacks increasing, Australia contributed over 25 percent of security spending, alongside India, across all the Asia Pacific, excluding Japan. But, without a concerted focus on securing software supply chains, even these investments might fall short of protecting our country’s digital assets.

Author

Peter Lees is Head of Solution Architecture for Asia Pacific at open-source software company SUSE. He is based in Sydney.

 

Image: Craig Taylor/Flickr.

Tags
Share

The Strategist — The Australian Strategic Policy Institute Blog. Copyright © 2024