The “2024 Supply Chain Security Workshop” was held on July 11, where experts discussed the new “Software Supply Chain Security Guidelines 1.0,” announced on May 13. The experts emphasized the importance of the guidelines and agreed that industry-specific legislation should be implemented.
The “Software Supply Chain Security Guidelines 1.0” is a set of standards developed by a joint project involving the National Intelligence Service (NIS), the Ministry of Science and ICT (MSIT), and the Presidential Committee on the Digital Platform Government (DPG). These guidelines are the first in South Korea to introduce the Software Bill of Materials (SBOM) method, which lists all components and sources of software to track vulnerabilities. The guidelines outline how software developers, suppliers, and management companies should create and manage SBOMs.
While the significance of these guidelines is clear, experts assert that the next step is to formulate regulations for industries regarding SBOMs. A representative from the National Security Research Institute (NSR) told The Readable that the guidelines serve as a foundation for implementing SBOMs. The expert noted that additional efforts are needed for SBOMs to be integrated into existing industries. According to Allan Friedman, Senior Advisor and Strategist at the Cybersecurity and Infrastructure Security Agency (CISA), it will take time for industries to be fully prepared for the implementation of SBOMs. With these initiatives underway, experts plan to continue demonstration projects this year to verify and test this new approach.
Lee Dong-hwa, manager of the Korea Internet and Security Agency (KISA) Software Supply Chain Safety Policy Team, also stated that based on the guidelines, regulations should be made further on. Lee told The Readable that the “Software supply chain security guidelines 1.0” include fundamental components for implementing SBOMs, including raising awareness. Similarly, the “3 supply chain laws” were enacted by January this year, including the “Framework act on supply chain stability support for economic stability”, which states software as an economic security item. Now, policies on specific industries such as health care, national defense, and manufacturing are to be made.
SBOMs have become increasingly important as supply chain attacks have risen in recent years. As it becomes more challenging to directly target large companies or agencies, hackers are focusing on the vulnerabilities of the developer or supplier companies that provide software. The growing use of open-source code complicates the detection of software vulnerabilities, highlighting the need for SBOMs. The United States mandated SBOMs through an executive order in May 2021, while the European Union approved the Cyber Resilience Act in March.
Related article: South Korea, UK warn of North Korea’s hacking attacks after signing new cyber agreement
Intelligence agencies in South Korea and the United Kingdom issued a joint cybersecurity advisory on Thursday, disclosing hacking techniques adopted by North Korea’s state-sponsored hacking groups.
On November 23, South Korea’s National Intelligence Service (NIS) and the U.K.’s Government Communications Headquarters (GCHQ) jointly published a threat report revealing that North Korea conducted a series of supply chain attacks, targeting popular software.
A supply chain attack is an attempt to break the weakest link in a software chain—in other words, the numerous components made by third-party vendors that constitute the software—through hacking. Once such an attack has succeeded, its impact can be very severe. Specifically, it opens a door that allows threat actors to leverage compromised software in order to use it as a steppingstone to cause further damage or execute future attacks.
In the advisory, the spy agencies referred to two examples: the authentication application MagicLine4NX and the remote communication software 3CX. MagicLine4NX is used by the vast majority of citizens in South Korea while 3CX has 600,000 customers globally. Threat actors exploited vulnerabilities in MagicLine4NX to penetrate South Korean institutions. Moreover, the same actors secretly inserted malicious code into 3CX’s desktop application to steal data from their targets’ web browsers. READ MORE
