On February 17, 2021, a remarkable White House press briefing addressed possible executive action in the wake of the SolarWinds attack, the most systematic hack of the U.S. government in history.
In mid-February, the White House held a press briefing and announced possible executive action in response to a recent attack against several critical US agencies, including the US Department of Commerce and the US Department of Justice. The hack, known as the SolarWinds attack, has been described as “…the largest and most sophisticated attack the world has ever seen,” according to Microsoft’s President Brad Smith.
The attack is named for the software tools provided by SolarWinds, a major software company with many thousands of customers. The attack on SolarWinds is commonly referred to as a supply chain attack, because the hackers compromised a third-party provider to gain access rather than attacking the targeted organizations’ networks directly. Third-party software components embedded in systems and products are a prime target precisely because it is so difficult to identify which third-party components a given system or product actually contains. This opaqueness prevents effective vulnerability management, because you can’t protect what you don’t know about.
The Software Bill of Materials (SBOM) is ready to pull back that curtain and provide transparency into those third-party components and their associated vulnerabilities. By providing an SBOM, which is a list of all third-party software running in a system or product, the manufacturer gives its customers and end users much-needed visibility into what they are actually running.
A great place to start utilizing the SBOM is in healthcare. Today, the healthcare industry is a prime target for hackers, partly because it operates many millions of network-connected medical devices and partly because it is very slow at detecting malicious activity on its networks. One of the major reasons for that slow response is the lack of visibility or transparency into the deployed medical devices, since medical device manufacturers are not currently required to provide SBOMs to their customers. And remember, you can’t protect what you don’t know about.
This might all be changing soon. The US Food and Drug Administration (USFDA) will finalize their Content of Premarket Submissions for Management of Cybersecurity in Medical Devices this year. The guidance recommends that SBOMs accompany manufactured medical devices, along with various levels of vulnerability monitoring. The SBOM is a much-needed security document, and the requirement to include one can’t come too soon. Medical device manufacturers should consider the logistical details of generating and continuously monitoring SBOMs for their products. Putting processes and policies in place today will enable a more agile response when customers and regulatory agencies begin demanding SBOMs, and prospects refuse to consider products without them. Of course, savvy customers aren’t waiting for the FDA to finalize the guidance, so maybe you should think about putting those SBOM processes and policies in place yesterday.
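To make the “continuous monitoring” step concrete, here is an added example (not code from the original post or from any regulator or vendor) that reads a minimal CycloneDX-style SBOM for a hypothetical device and flags every listed component whose version is older than the fix version in an advisory list. The SBOM contents, the device name, and the advisory identifiers are all constructed for illustration.

```python
import json

# Constructed minimal CycloneDX-style SBOM for a hypothetical medical device
# firmware image. Component names and versions are made up for illustration.
DEVICE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "infusion-pump-firmware", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "openssl", "version": "1.0.2k"},
        {"type": "library", "name": "zlib", "version": "1.2.11"},
        {"type": "library", "name": "busybox", "version": "1.31.1"},
    ],
})

# Constructed advisory feed: each entry names a component and the lowest
# version that carries the fix. Identifiers are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "component": "openssl", "fixed_in": "1.1.1"},
    {"id": "ADV-PLACEHOLDER-2", "component": "zlib", "fixed_in": "1.2.12"},
    {"id": "ADV-PLACEHOLDER-3", "component": "busybox", "fixed_in": "1.30.0"},
]

def version_key(v):
    """Split '1.0.2k' into ((1,''),(0,''),(2,'k')) so versions compare
    numerically where possible and lexically on any letter suffix."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        suffix = piece[len(digits):]
        parts.append((int(digits) if digits else 0, suffix))
    return tuple(parts)

def find_affected(sbom_json, advisories):
    """Return (advisory id, component, installed version) for every SBOM
    component whose installed version is below the advisory's fixed version."""
    sbom = json.loads(sbom_json)
    installed = {c["name"]: c["version"] for c in sbom.get("components", [])}
    hits = []
    for adv in advisories:
        ver = installed.get(adv["component"])
        if ver is not None and version_key(ver) < version_key(adv["fixed_in"]):
            hits.append((adv["id"], adv["component"], ver))
    return hits

if __name__ == "__main__":
    for adv_id, name, ver in find_affected(DEVICE_SBOM, ADVISORIES):
        print(f"{adv_id}: {name} {ver} is below the fixed version")
```

Re-running this check each time the advisory feed changes is the monitoring loop the guidance asks for; without the SBOM there is nothing to match the feed against.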