Two and a quarter years after President Biden signed an Executive Order (EO) to harden the US’ cyber security defences in the wake of high-profile attacks on SolarWinds, Microsoft Exchange and Colonial Pipeline, research produced by Sonatype has revealed that the mandate to improve software supply chain security has spurred action on this side of the Atlantic as well.
Sonatype polled security leaders at organisations in both the UK and US, and found that 76% of enterprises have adopted a software bill of materials (SBOM), up from a paltry 4% prior to the signing of the EO, and another 16% plan to do so in the next 12 months, across both countries.
The findings also revealed that SBOMs are becoming a key procurement requirement, with 60% of respondents now making it a contractual condition that suppliers they work with maintain an SBOM, and 37% planning to mandate this in the future.
Crucially, among UK respondents who had adopted new SBOM policies, a significant 44% said they did so in direct response to Biden’s Executive Order, a clear sign that UK IT leaders are keen to keep on top of US regulations to help their organisations operate effectively in the UK’s largest trading partner – the US received 20.6% of UK exports in 2022.
“We’ve been highlighting for years the value of better visibility into the software supply chain,” said Wayne Jackson, CEO at Sonatype. “Governments worldwide have to play their part in holding vendors accountable, and we’re finally seeing that come to fruition with rising SBOM adoption as a result of regulatory pressures.
“But we need to see international governments and businesses on the same page for policy to avoid a messy patchwork of disaggregated regulations that all tackle cyber resilience in different ways. It could otherwise stifle innovation in really crucial areas of software development like the open source ecosystem. Active communication between the private and public sector will go a long way to avoid that.”
Sonatype co-founder and CTO Brian Fox additionally observed that while it was pleasing to see SBOMs being more widely adopted, the flipside of the story was that if 76% of organisations have done so, 24% have not.
“It echoes our research findings last year showing many organisations are a lot farther behind on software supply chain management than they think they are,” said Fox.
“SBOMs are just ‘step one’ to cyber resilience – there’s a whole lot more that comes after that list of ingredients if you want to achieve good software hygiene, like investing in tools for software composition analysis. If you’re not at that first step yet, you’re going to fall behind.”
Regulation highly favoured
UK respondents also expressed more confidence that that government regulation was moving the needle on cyber security in general, with the percentages who believed that US-originated directives such as Biden’s Executive Order, the Securing Open Source Software Act, the CISA Secure by Design Guidelines and the NIST Software Security in Supply Chains regulations were effective for improving cyber security outpacing the percentage of Americans who thought the same.
The Brits were also more in favour of GDPR and the EU Cyber Resilience Act, although this is perhaps less surprising.
Asked which of the same set of regulations was most effective in improving cyber security, there was clear support for all, but UK respondents tended to prefer the CISA guidelines over US respondents, who were much more inclined to prefer the NIST regulations.
The report’s authors suggested this may have more than a little to do with the involvement of the UK’s National Cyber Security Centre (NCSC) in the CISA project. Nevertheless, they said, “this highlights the positive impact these regulations have had and perfectly highlights how US regulation holds significant sway over UK cyber security policy”.
Significantly, the report also found that Brits tended to feel less positive about the software supply chain regulation and guidance available in the UK – 68% compared to 84% of US respondents, who felt positive about what was on offer in the US. Sonatype suggested this may have something to do with the fact that the US has clearly introduced more guidance already – in the UK, things have not moved much beyond the consultation stage.
The report’s authors added that this shows there is a huge appetite for effective – or any – regulation in the UK.
Too many cooks?
Spnatype’s research additionally highlighted a trend in the US for security leaders to feel there was a little too much regulation in play.
This was further highlighted at a recent event called SBOM-a-rama, which was hosted by CISA in the US, where attendees agreed there had been incremental process on SBOMs, but there was still a long way to go to establish truly effective guidance.
An issue cited by many was confusion over standards and regulations that were in conflict with one another, and multiple instances of overlap in the CISA and NIST guidelines and in those issued by other non-governmental organisations, such as the Internet Engineering Task Force.
According to Computer Weekly’s sister title, TechTarget IT Operations, which interviewed SBOM-a-rama attendees, some organisations were starting to wonder what would happen if they simply didn’t bother complying.
“A common question that I’ve been hearing a lot [from clients] is, ‘Well, what if we just don’t comply and we accept that risk?’ and, ‘Is there anything that’s actually going to happen?’,” said one conference-goer who identified themselves as working for Deloitte, a member of the Big Four group of regulated accounting firms.