Securing the Nation’s Software Supply Chain

A model for the secure deployment of open-source and proprietary software.

On August 25th, President Biden met with industry leaders to discuss our increasingly vulnerable supply chain. From firmware to software, including open-source, the attack vectors are vast and it affects every business, government, and citizen.

The bad news is we are playing catch-up. This past year we have seen several unprecedented attacks on our infrastructure including the Microsoft Exchange server attacks, the Kaseya ransomware attack, and the SolarWinds breach. Our traditional methods of cybersecurity are failing and we must act quickly to secure our systems.

The good news is, business leaders and governments are becoming increasingly aware of the severity of the threat to our infrastructures. The Biden administration has already taken several steps to address cybersecurity issues including issuing an Executive Order this past May that called for “...modernizing Federal Government defenses and improving the security of technology to secure our critical infrastructure.” The administration also issued a National Security Memorandum that “...establishes voluntary cybersecurity goals that outline expectations for owners and operators of critical infrastructure.”

One of the initiatives discussed at the August 25th meeting was the creation of a new framework to improve the security and integrity of technology supply chains. The National Institute of Standards and Technology (NIST) will use its existing Cybersecurity Framework (CSF) and collaborate with industry and other partners to develop the new framework.

The framework will focus on both software and firmware supply chains and outline how public and private businesses can assess risks and build more secure technology, including open-source software.

Padraic O’Reilly, Pentagon advisor and cofounder of CyberSaint told FedScoop that, “Open-source vulnerabilities, just in general, are pretty huge, and a lot of the software providers out there use open sources like components.”

Companies such as Microsoft, Google, IBM, Travelers, and Coalition have already committed to participate in the NIST-led initiative. These industry giants already serve as the backbone of our infrastructure so one would think they are well-positioned to craft a working framework. However, the question that must be asked is, “If these companies, who already run our infrastructures are unable to secure them now, how will a framework built by them be effective?”

When asked for comment about the initiative, Malcolm Harkins, chief security officer of Epiphany Systems told FedScoop that he “...worries the weight big players like Microsoft and Google have in the compute environment might introduce bias into the overall supply chain approach and hopes NIST reaches out to small and midsize businesses like Epiphany.” He goes on to say, “Those businesses are often more innovative because they’re less risk-averse and less worried about profit loss.” Dragonchain could not agree more.

The Dragonchain Software Delivery Model

Dragonchain has developed an advanced protocol for the secure delivery of general software releases and artifacts. The protocol leverages advanced features of the Dragonchain hybrid blockchain to provide decentralized timestamping with measurable proof, wherein the user can independently verify that the software is verified and uncorrupted. Every participant or team responsible for the approval of a portion of a software release must cryptographically sign the release artifacts to allow the software to be rolled out or deployed by the end-user (i.e. business or consumer). The device or deployer themselves can verify the authenticity of the signing history using Dragonchain technology and detect attacks or maliciously compromised software.

For example, a connected device such as a WiFi-enabled toy can know not to load the required software unless all of the required people and teams in the product’s supply chain have cryptographically signed each event.

In a “man-in-the-middle” attack, a nefarious actor would not be able to falsify the blockchain data to attack the device or network. The device firmware would be able to recognize that the identity and other data is falsified and not use firmware or other data from that source.

Quantum-Safe Security

Government agencies contracting with external agencies provide valuable services involving infrastructure, national defense, public health, and disaster response. Agencies such as the Federal Emergency Management Agency (FEMA), Department of Health and Human Services (HHS), Department of Defense (DoD), Federal Aviation Administration (FAA), Food and Drug Administration (FDA), Centers for Disease Control and Prevention (CDC), Department of, Homeland Security (DHS) employ complex and, at times sensitive, supply chains that pass through other countries, state and local agencies, and third-party providers.

The model allows for an advanced level of quantum-safe encryption and signing capabilities integrated directly at the core of the platform to address vulnerabilities at hand and in the future, especially for mission-critical and national security systems.

Secure Firmware Deployments

This technology will be needed soon for firmware delivery, and become increasingly important as more consumer IoT devices are used in people’s homes. The number of internet of things (IoT) connected devices worldwide is expected to be 38.6 billion by 2025. Without a secure and standard approach, there will be major escalations in attacks, with potential national security implications.

IoT and Sensors Security

Statista reported that the average US household had, on average, 10 connected devices in 2020, and the global smart home market is projected to exceed $53 billion (US dollars) by 2022. The model can also be applied to small or embedded device systems for firmware or software updates. The systems can independently verify the authenticity of the delivered software or even run a blockchain node locally. For instance, a connected vehicle could run a node in the car. In 2018 International Data Corporation estimated that by 2023 worldwide shipments of internet-connected cars will reach nearly 76 million units.

Secure Open Source Software

Dragonchain employs a more comprehensive protocol for the tracking, governance, and management of open-source software projects, with the ability to secure releases and deployments.

Current open-source software best practices include posting a hash of the delivery for proof. However, nefarious actors can get in and tamper with the hash or add their own. Our model can allow open-source software projects a standard and simple way to track and secure their entire delivery process using decentralized proof of authenticity and history. This will allow end-users to appropriately verify that the software they are integrating or deploying is authentic and not tampered with.

Secure Proprietary Software

The Dragonchain Software Delivery model can also be applied to a proprietary software release system. Dragonchain’s unique hybrid architecture does not expose any business data unless explicitly permissioned to do so. Proprietary information can be retained and kept private at the source with only the required information going to each specific department. The proof that each department has signed off on the release would be available for authentication and recognized by firmware for use.

Behavior System Technology

The Dragonchain Software Delivery model also allows the implementer to integrate advanced behavior systems technology to combat organizational and team inefficiencies and improve data integrity. We have employed this technology to great effect in several systems, including The Walt Disney Company.

An organization can apply Behavior Systems technology to improve process security and inefficiencies. The technology is pivotal in motivating employees and partners to follow any number of processes to work towards a common goal such as regulatory compliance or sustainability goals.

Time To Market

There is some concern that the White House’s timeline for laying out a framework and integration is unrealistic. Dragonchain is certain that our software delivery model can be implemented in a reasonably short time frame as the underlying platform which provides most of the necessary complex integrations is already operational. Implementation can start with lightweight integrations of data points, for near-immediate value. Based upon past implementations we estimate that roll-out of this model for a typical Enterprise would take no more than 6 months.

The Dragonchain Software Delivery model can ensure the secure deployment of open-source and proprietary software. Contact us today to get started.