This post is part of our 2023 cybersecurity prediction series.
Brian Fox, CTO at Sonatype
What do you predict will happen to the rate of attacks on software supply chains?
Year after year, our reports show developers continue to download hundreds of millions of vulnerable coding components from open-source repositories, resulting in supply chain attacks across government, financial, and business institutions. I have no doubt these challenges will continue to proliferate for years to come because developers – even with the best intentions – cannot see everything that is their software. It’s impossible to protect software from vulnerabilities that go undetected. Not to mention, we’ll likely see an increase in hybrid attacks on the software supply chain, which include malware and phishing attacks, especially across the healthcare, financial, and political sectors – as those are the trends we’ve seen in the news.
In the past year, we’ve continued to see cyber attacks cross borders. What does this mean for the future of the international open-source community?
As we’re faced with new macroeconomic issues, such as continued financial instability and geopolitical tensions, the impact on the cyber landscape is quickly evolving. Add in the fact that hackers are getting more creative – looking at the recent case studies of Chinese and Iranian hackers getting into classified U.S. government information –- it’s likely we’ll continue to see these state-backed hackings continue to increase in the next year. On a positive note, with this increased globalization, we’re also likely to see much collaboration and innovation coming out of the international open-source community. What used to be a predominantly Western-based community is now being used across the entire globe and allows for greater insight and collaboration in the software supply chain.
Will we see increased regulation to tackle cyber threats?
In short, yes. What we witnessed towards the end of 2020 and spilling over to 2021 was a concerted focus by the Biden administration to put more safeguards in place to protect the private and public vendors they work with. The Executive Order from last year was a catalyst for increased conversations and heightened regulations to improve the nation's cybersecurity moving forward. However, the wheels of government move slowly, so it will be several years until we see the impact and adoption of new cybersecurity standards within organizations. Government regulations tend to blanket everything, so I predict we will see the developer industry slowly implement regulations that meet both their standards and the government so as to avoid any overreach from the latter group.
What new threats will emerge in the new year, if any?
Bad actors will always take the path of least resistance. The malicious attacks we’ve seen lately have been low in sophistication, mirroring consumption behaviors. We’ll continue to see direct contribution attacks into source code because it’s easy and it’s working. There needs to be a more holistic understanding of software supply chain hygiene, and how open-source consumption plays a direct role in that.