Software Supply Chain Attacks: An Illustrated Typological Review

Due to their heightened relevance in the current security discourse, their potential destructive and strategic effects, and their increased use by malicious actors (state-linked and criminal), software supply chain attacks are the focus of this CSS Cyberdefense Report by Sean Cordey. The overarching aim of this report is to provide an illustrative overview of software supply chain attacks and to raise awareness of the types of attacks, their uses, and their potential impacts.

by Rena Uphoff

Most elements of modern life, from the economy to social habits, are now characterized by the use of digital technologies and the consumption of goods and services that depend on complex, interconnected, transnational, and at times vulnerable supply chains. Critical dependencies and heightened (cyber) threats, combined with strategic competition, are increasingly turning supply chain security into a matter of national and international security.

Located at the intersection of supply chains and cybersecurity are the topics of software supply chain attacks and the broader mitigation and protection measures that fall under the term cyber supply chain risk management. This report concentrates on the former.

The report begins with a terminology analysis, which also explains the main properties underpinning the concepts of supply chains, software supply chains, and software supply chain attacks (SSCAs). Next, the report reviews the different threat frameworks that address and describe SSCAs. This includes detailing the diverse set of actors, impacts, and assets involved in SSCAs. The section also illustrates the large variety of threat vectors and techniques that can be used across the software lifecycle to conduct an SSCA. The report then describes the underlying assumptions, enabling factors, and trends behind SSCAs. More precisely, it includes an overview of the professed operational advantages of SSCAs, the messy software ecosystem that makes SSCAs viable and hard to detect, and the changes in adversarial behavior that leverage SSCAs. The final section explores the larger spectrum and implications of software supply chain attacks, including edge cases and falsely classified SSCAs. The report concludes with a sub-section that looks at the potential policy and practical implications of precisely differentiating, classifying, and characterizing certain types of cyberattacks.

Download the publication (PDF, 1.4 MB)
