For some time now, there has been talk at the industry and regulatory levels about the need to make the supply chain more secure. After all, there is a great deal of important data to safeguard, yet all that talk hasn't resulted in as much action as is truly needed to get the sector to where it wants (or really, needs) to be.
As early as 2005, the U.S. government was sounding the alarm on potential security risks in the supply chain, according to the Federal News Network. More recently, the attack on the industry known as SolarWinds only serves to underscore how little has been done since those initial concerns were raised, and experts are increasingly asking, "What will actually be done about this — and when?" The good news is that progress — or at least, progress toward progress — is finally being made: the Federal Acquisition Security Council was created in 2018 and is still ramping up its capacity to tackle the issues that are now in such dire need of attention, the report said. At the same time, seven different federal agencies have some overlapping authority over the public-sector supply chain, and they are still working to align how they will address similar threats, given the need for inter-agency oversight.
The scope of the problem
Part of the issue for regulators and industry experts alike is that this is a big problem to get their arms around, according to TechBeacon. Industry estimates show that developers requested some 1.5 trillion components and containers that utilize open-source software, and that kind of software is increasingly targeted by hackers — likely due to both the ubiquity of its use and the fact that the code is publicly available, and thus easier to probe for weaknesses.
Indeed, there is seemingly a growing consensus about what the problem is, and that's an important first step toward addressing it, the report said. However, some of the best ways for companies to better protect themselves from such threats are really in their own hands: industry leaders and government regulations can't force companies to keep better tabs on connected components or keep their software updated to the latest versions, but there are certainly steps companies can take at the highest levels.
The current situation
With all of that in mind, it's not as though the state of supply chain security is a more anarchic version of the Wild West: there are rules and regulations governing all kinds of issues under that umbrella, according to CSO Online. Consequently, companies would always be wise to assess their strengths and weaknesses when it comes to security and move to address any shortcomings so that they are in line with local, state or federal rules, at a bare minimum.
Indeed, the more companies can do to get a better understanding of their own vulnerabilities, whether those are in-house or exist due to supply chain partnerships, the better off they will be going forward. While there are certainly some things that remain out of their control in all this, a stronger security posture is a must.