Could SBOMs save lives? SecOps in critical infrastructure

'We live in glass houses,' said a seasoned cybersecurity expert of the U.S. water supply, healthcare and other lifeline services. 'And people are about to start throwing rocks.'

It's a doomsday scenario: A nation-state threat group gains persistent access to IT systems that run critical infrastructure in the U.S., such as the water supply and hospitals, then threatens to disrupt that infrastructure if U.S. foreign policy interferes with their own.

It isn't just a nightmare for Joshua Corman and other cybersecurity experts who work with the federal government. This year, it became a reality in the form of the Volt Typhoon campaign by the Chinese government. That threat was detected and removed from network infrastructure, including routers, through an operation led by the Department of Justice and made public in January. But it constituted a warning shot from China to the U.S. not to interfere in its operations against Taiwan.

Joshua Corman, executive in residence for public safety and resilience, Institute for Security and Technology

For Corman, co-author of The Rugged Manifesto in 2010 and a longtime advocate of software bills of materials (SBOMs) for software supply chain security in the federal government, it was also a wakeup call.

"The general public is unaware that we have such exposure to accidents and adversaries currently, and I don't think it's comforting that we persist at the will of our adversaries, and whether it's China or someone else," he said during an interview with TechTarget Editorial's Beth Pariseau on the IT Ops Query Season 2: The State of SecOps podcast. "We live in glass houses, and people are about to start throwing rocks. If there is a war, it will be a hybrid conflict, and many of our adversaries have demonstrated they are both willing and able to disrupt critical infrastructure."

In response, Corman is leading a pilot project funded through the Institute for Security and Technology, a nonprofit think tank based in the San Francisco Bay Area where he is executive in residence for public safety and resilience. The project, named UnDisruptable27, is focused on cybersecurity threats at the nexus of water supply and healthcare accessibility, where China remains a credible threat. The 27 in the name stands for 2027, which is when U.S. officials believe China could move against Taiwan.

Attacks from other hostile foreign powers, such as Russia or Iran, could come sooner. But there's a "high batting average for things stated by this particular country's leadership in public policy, in the open, and them following through," Corman said.

Corman also expressed frustration with what he sees as excuses made by private-sector vendors to avoid transparency about what's in their software. Without a way to know which vulnerable open source components might exist in the software that runs their facilities, and without the funds and staffing to implement better cybersecurity, the safest plan for some critical infrastructure operators might be to "go analog" and disconnect digital systems altogether, he said.
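The gap Corman describes is exactly what an SBOM is meant to close: given a machine-readable list of components and a feed of known-vulnerable versions, an operator can answer "is this in our software?" without the vendor's cooperation. The script below is an added example written for this page, not code from Corman, IST or any vendor. The CycloneDX-style SBOM, the OSV-like advisory list, the package names and the EXAMPLE-000x advisory IDs are all constructed for illustration.

```python
"""Match a CycloneDX-style SBOM against a list of known-vulnerable versions.

Added example for illustration only. The SBOM, the advisories and every
package name and advisory ID below are constructed, not real data.
"""
import json

# Constructed SBOM (CycloneDX subset) for a hypothetical control-room HMI.
# The last component has no purl, which is common in vendor-supplied SBOMs
# and is the kind of opacity the article complains about.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "openssl", "version": "3.0.9",
     "purl": "pkg:generic/openssl@3.0.9"},
    {"type": "library", "name": "libxml2", "version": "2.11.5",
     "purl": "pkg:generic/libxml2@2.11.5"},
    {"type": "library", "name": "vendor-blob", "version": "1.0"}
  ]
}"""

# Constructed advisories in an OSV-like shape: package = purl without version,
# affected range is [introduced, fixed). IDs and ranges are placeholders.
ADVISORIES = [
    {"id": "EXAMPLE-0001",
     "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "EXAMPLE-0002", "package": "pkg:generic/openssl",
     "introduced": "3.0.0", "fixed": "3.0.10"},
    {"id": "EXAMPLE-0003", "package": "pkg:generic/libxml2",
     "introduced": "2.9.0", "fixed": "2.10.0"},
]


def parse_version(v):
    """'2.14.1' -> (2, 14, 1). Leading digits of each dotted piece are kept;
    parsing stops at the first piece with no digits ('1.2-rc1' -> (1, 2))."""
    nums = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        nums.append(int(digits))
    return tuple(nums)


def in_range(version, introduced, fixed):
    """True when introduced <= version < fixed under tuple comparison."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def split_purl(purl):
    """'pkg:generic/openssl@3.0.9' -> ('pkg:generic/openssl', '3.0.9').
    Qualifiers (?...) and subpaths (#...) are dropped; no '@' means no version."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    name, sep, version = base.rpartition("@")
    if not sep:
        return base, ""
    return name, version


def find_affected(sbom_json, advisories):
    """Return (hits, unidentified): hits are components inside an advisory's
    affected range; unidentified are components with no purl, which cannot be
    matched and must be chased with the vendor rather than silently ignored."""
    sbom = json.loads(sbom_json)
    hits, unidentified = [], []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            unidentified.append(comp.get("name", "<unnamed>"))
            continue
        pkg, version = split_purl(purl)
        version = version or comp.get("version", "")
        for adv in advisories:
            if adv["package"] == pkg and in_range(version, adv["introduced"], adv["fixed"]):
                hits.append({"component": comp["name"], "version": version,
                             "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return hits, unidentified


if __name__ == "__main__":
    hits, unknown = find_affected(SBOM_JSON, ADVISORIES)
    for h in hits:
        print(f"{h['component']} {h['version']}: {h['advisory']} (fixed in {h['fixed_in']})")
    for name in unknown:
        print(f"{name}: no purl in SBOM, cannot be matched")
```

Two design points matter in practice: matching is done on the package URL rather than the free-text name, because names like "openssl" are ambiguous across ecosystems, and components that carry no identifier are reported rather than skipped, since an SBOM that omits them gives false comfort. Real advisory feeds also carry ecosystem-specific version schemes (Maven, semver, RPM epochs), so the simple numeric comparison here is the part a production tool would replace.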

"No matter what, we should probably do crisis simulations. Ask the hospital, 'How long can you go without water?' or, 'What can we do to prioritize water to the hospital?'" Corman said. "Or ask the community to have a few days or weeks of water on hand, or LifeStraws, so they are less dependent on the recovery from the town."

Meanwhile, at a higher level, Corman is considering "making examples out of the worst offenders that have endangered public safety, economic and national security" among software vendors. He didn't say what exactly those plans entail or which vendors he has in mind.

"We've looked the other way on preventable flaws in our digital infrastructure," he said. "And when I say 'Time's up,' [and] SBOM is coming … I'm turning the page. I'm turning the chapter. And several of us are going to be driving much harder at liability, at accountability."

Beth Pariseau, senior news writer for TechTarget Editorial, is an award-winning veteran of IT journalism covering DevOps. Have a tip? Email her or reach out @PariseauTT.
