Robert Martin of MITRE on Supply Chain System of Trust
MITRE, the non-profit corporation, has been instrumental in developing systems to help with issues related to software assurance. That includes the development of CVEs (Common Vulnerabilities and Exposures) and CWEs (Common Weakness Enumeration) not to mention the ATT&CK taxonomy of adversarial methods.
Now MITRE is taking things further and “stepping up into the organization” to focus on supply chain risk, according to Robert Martin, a Senior Principal Engineer at MITRE. COVID has highlighted supply chain risks - whether it's availability, counterfeit products or - of course - cyber risk, he said. Solving supply chain problems is not simply a job for the IT group, however; it is something that needs to be driven from the very top echelons of an organization.
His organization published the System of Trust (sot.mitre.org) in early 2021, a framework for supply chain security risk assessments that is customizable, evidence-based, scalable and repeatable. Once implemented, the SoT is meant to give organizations within a supply chain confidence in each other, as well as in the service offerings and supplies they exchange.
Martin sat down with ConversingLabs host Paul Roberts on the sidelines of the RSA Conference in early June.
In this conversation, he talks about how the software supply chain is highly complicated, due to an increasing number of things in society becoming cyber-enabled.
Martin explained how software is not written neatly end to end, but rather is built with drivers, dependencies, and frameworks that give the supply chain depth and magnitude. If software practitioners are not given visibility into this complicated picture, they will miss the software supply chain risks that pose a threat to their organizations. The SoT’s goal is to promote transparency, allowing developers to see all of the players in the supply chain.
EPISODE TRANSCRIPT
PAUL ROBERTS
Okay, so we're here with a special kind of RSA edition Cafe edition of our Conversing Labs podcast. And with us we have Robert Martin from MITRE. Robert, welcome.
ROBERT MARTIN
Thank you.
PAUL ROBERTS
Great to see you. And how are you enjoying RSA conference after a couple year hiatus?
ROBERT MARTIN
Yeah, 27 months, I guess, since we were here. That's a common refrain from many of the people I'm reconnecting with, but it's really good. A lot of people here, a lot of good discussions and good interactions going on.
PAUL ROBERTS
I'm glad. So, Robert, for listeners who aren't familiar with you or your work at MITRE, just introduce yourself and tell the audience a little bit about what you do at MITRE.
ROBERT MARTIN
Okay, well, I am a senior principal software and supply chain assurance engineer. I am in what's called MITRE Labs. MITRE, for those of you that don't know, is a not for profit that runs federally funded research and development centers for many parts of the U.S. Government. And my role has been in the area of assurance. How do you convey it, how do you capture it? And that really ends up with a lot of engagement with external groups, industry consortiums, and across the government as well.
PAUL ROBERTS
So we're talking to you because you're a speaker at RSA this year, and you gave a presentation based on a paper that MITRE put out that you authored back in early 2021 on what you're calling a sort of System of Trust for supply chain, not just software supply chain, but it includes software, obviously. Talk about that paper and kind of what is behind it, because obviously there's a lot of work and from MITRE's standpoint, years of work on this, behind this idea of a system of trust.
ROBERT MARTIN
Right, and so there's actually been four papers, and now there's a public website, actually, so there's a lot of background information for people: SOT.Mitre.org. But basically this work is, in retrospect, it's the next step on a lot of efforts that have been going on for many years. So if you think about supply chain, there's many elements. There's logistics, there's acquisition, there's organizational risk management. And for more and more of our things coming through the supply chains, it's about the cyber element of those things, whether it's your traditional IT, your mobile devices, or now everything in your building systems, your car. A lot of things now are cyber-enabled. And so that's a new aspect. But our work here, we at MITRE have done a lot of engagements in software assurance in the CVE program for vulnerabilities that are publicly known, CWE, which is the weaknesses that cause those vulnerabilities. So a lot of this is about...
PAUL ROBERTS
Attack taxonomy as well.
ROBERT MARTIN
Yes, all of these are about the conversation between those who create products and those who are using them, about what was done, what is an issue or not. And so this movement into supply chain is really just stepping up into the organization, because these issues are not for the technologists; this is a business issue and it needs business attention. And unfortunately the COVID pandemic has highlighted that supply chains, whether it's the resilience of them or your susceptibility to poor quality or counterfeits, just all these different aspects, or even an organization going out of business. So all of these are part of what System of Trust is trying to put as a basic: what is it you should consider when you think about supply chain risks? And a lot of people are either building their own little list of these issues or they're borrowing something from some other project they thought was good. And both are not really going to give you the holistic context you need to start with. Now, I'm not saying everybody needs to look at all these kinds of risks, but you need to look at that overall set to figure out which subset is appropriate for the decision you're trying to make.
PAUL ROBERTS
Got it.
ROBERT MARTIN
And so that's what System of Trust is about.
PAUL ROBERTS
And you mentioned MITRE has been working with organizations including government and intelligence sector, defense contractors, industry around this for decades, really going back to the Cold War. Back then it was more about just making sure your suppliers are trustworthy, that they hadn't been infiltrated, potentially...
ROBERT MARTIN
And the products weren't tampered with.
PAUL ROBERTS
Right. What most of us probably think of as supply chain security. Now we hear a lot about software supply chain. How does software change things? How does it fit into that paradigm? And is it amenable to the same types of controls?
ROBERT MARTIN
Well, I think so. You know, one big part of a lot of supply chain is the transparency. You need to understand who are the players in your supply chain. So you think about any complex microelectronics device. It's got resistors and PCB boards and connectors and it's got a parts explosion that's huge. Well, that's really what we have in software these days. We don't sit down and write software from end to end. We bring in drivers, we bring in libraries, we bring in frameworks, we bring in whole functional parts of it and we invoke services. So these are just the sub assemblies of your software. And what we don't have is the visibility. When you get something from Ikea, you have here's what's in the box and check that you have all of it before you start your assembly. But...
PAUL ROBERTS
Plus an Allen wrench. You get an Allen wrench too?
ROBERT MARTIN
Right, that's true. You need some assembly mechanism, right? Sometimes you get a screwdriver.
PAUL ROBERTS
Sometimes.
ROBERT MARTIN
But in the software world we have never really had that kind of transparency. That's what NTIA and now CISA at DHS are leading the charge on: software bills of materials. But that's just one element of how you would want to secure a supply chain. So the second part of my talk here at RSA, where the first was about the System of Trust, this holistic way of managing, actually focused on software supply chain, back to the SolarWinds issues, how SBOMs can bring one element, kind of foundational, but then you need to tie those SBOMs to the activities that produce them, the actual vetting or testing or other types of claims that you're going to make about that, and then chain them together so that you know who did it, what did it? What version of the building tool, how was it configured? Where memory safe operations and boats and so on. And these are things that you may be able to figure out after the fact, but they're much easier, much more straightforward if during the process they are captured and conveyed. And so the other thing I talked about was an IETF and Linux Foundation effort called Supply Chain Integrity, Transparency and Trust, SCITT, which is about distributed confidential ledgers for capturing these different kinds of claims in a permissioned way so that you can pull them out when you need to show them to your customer or show them to auditors. Just kind of unravel a problem that happened and you need to go trace the sources. That's another aspect of all this. And that's one of the things in the Executive Order 14028 that came out last year: it offered that we needed SBOMs if you're going to sell to the government, but it also wanted you to make claims about what you did in building that software. So industry is already on that issue because they need that kind of information of their own suppliers. Because most people are not at the end of a supply chain. They're in the middle. They're both a producer and a consumer.
PAUL ROBERTS
Right.
ROBERT MARTIN
There's a lot of business motivation, and that's really a key of what MITRE tries to look at in doing these kinds of standardizations, is where is the motivation? It can't be only the hammer, right? There needs to be a carrot. There needs to be an internal motivation. This simplifies something, this restructures a problem into a more tractable way. I think getting the System of Trust topics, it's really about due diligence. What is the expected way organizations, boards, officers, address supply chain and have their organization implement the appropriate risk management and processes?
PAUL ROBERTS
Yeah, I mean, you liken it to GAAP (Generally Accepted Accounting Principles), which is a kind of standard measure of the financial practices of companies. And you liken it to that. Is that...
ROBERT MARTIN
Yeah, basically GAAP is a whole set of things that you can apply, and anyone who sets up a finance approach for a project or a company will use that as their starting point, but then tailor it down to what makes sense for that kind of business, those kinds of transactions. In the same way, System of Trust is going to be this broad set of all the different kinds of risks that you may need to address in supply chain, in your services' offerings, in your suppliers, in your supplies. But then you need to go in and identify a subset. We call it a profile. So the things that make sense for your business environment, for your kind of product, your kind of acquisition decision. And then also you can tailor: we have a weighting scoring kind of approach in here, so you can go in and tailor the weights. But different people have different risk aversion, risk tolerance, and so different issues are more important or less important. And then the last part of this is you take that profile and step into assessment. And here we're also trying to drive a data driven basis for assessment. So there's a place in System of Trust to record on what basis did you decide that this is the evaluation of this particular risk, and then start summing them up. That's really the last thing I wanted to offer up, is that when you get a lot of different elements being brought together to make a risk assessment, you're at the peril of a really bad thing getting washed away by lots and lots of okay or good things. Think about a security clearance. If you answer one of the dozens and dozens of pages of questions, "Yes, I am a convicted felon," that's a showstopper. Well, many organizations have those kinds of risks. If this one gets triggered, then I want to know it. So we have this mechanism for letting those float up and not get washed away by...
PAUL ROBERTS
Kind of weighting. And is the algorithm that is part of what MITRE has developed. Right. So it's a weighting mechanism?
ROBERT MARTIN
So right now we haven't shared that. We're trying to finish documenting it, making sure it's as robust as we can make it. And then we'll be putting it out on our website for people to look over. And that's another big part of this, is we want feedback. We want organizations to say, well, what about this? Or you forgot about that, or there's a typo on page five, whatever the feedback is. So that's another part of what we're doing out here is engaging companies that have supply chains, make sure this makes sense to them, doing the same with our sponsors. But also there's a lot of people who are offering insights for sources of information about your supply chain. And we want to make sure those people can bring their inputs into someone using System of Trust. So I want to map the Exigers, Thomson Reuters, the others: what elements in the System of Trust can they actually bring evidence to, so that you can see how you can compose these different offerings to help you answer the questions you care about.
PAUL ROBERTS
It's interesting because you've actually modeled this on a number of actual companies. You don't name them, but you sort of show their scores and it's really interesting to look at what comes out of it. I noted that in the paper you released back in 2021, there was one company that had a much higher kind of risk score than the others. And when you kind of delve into it, what impacted that was two things. One were higher scores, more findings in the sort of IT security, data security access, and then also some stuff on the financial side in terms of the profitability or debt to equity ratio or whatever. And it was interesting that those two things kind of combined in creating this higher score. Talk about kind of what you've seen come out of when you've run this on sample companies, like what things come out of it and what you noticed?
ROBERT MARTIN
Well, the big thing about those early pilots that were in the paper was those were all publicly traded companies. So there's a wealth of information from SEC filings and all right, that you can leverage there. Right. And a lot of the things we showed in that paper were common practice in the financial industry, investments and people this is how they look at these companies and whether they're going to invest in them. So we're just reusing some of that type of information. But if you're actually dealing with small companies that aren't publicly traded, but you have a contractual relationship or you're building one, you can ask for that same data so that you can monitor them with the same measures and the same risk assessments. And so that was one of the things was only part of the picture can be seen in publicly available data. Now things about sanctions and debarments and lawsuits...
PAUL ROBERTS
Right, right.
ROBERT MARTIN
They don't care whether you're publicly traded or private, right. They record all of that. But also System of Trust has things looking at corporate networks. Now if you're trading with somebody, you can ask them a lot of fine grained details. There's also people who will actually look at companies from the outside and see if they can find vulnerable hosts or malware beaconing out of there. So there are a lot of things you can start to understand about somebody's security.
PAUL ROBERTS
Right, and part of this also is we should mention software composition analysis and actually looking at if you're using embedded software within your company or relying on it, or if you're, I guess producing software, there's that piece of it as well that can be part of these overall assessments.
ROBERT MARTIN
Right, and that's a big thing is that when you think about supply chain, especially in the software supply chain, you can have pretty deep visibility and you can also now start asking for SBOMs and ask for some provenance data, pedigree data. You may want to ask for claims about what they did in their development activity. All of these we're trying to account for in System of Trust. Now, some other organizations may not want to go into those details, but it is an area of risk that you could assess. And that's the whole idea of System of Trust, to give that starting point so that we have a more holistic, more common way of stepping into the question about supply chain and get that vocabulary, that set of concepts. And that's where we think this is going to be very applicable across the board. Not the whole set of System of Trust, but maybe like the top five or six areas. Basically they're independent of what kind of domain you're in, what kind of product and service. So yes, counterfeits: if you're looking at counterfeit microelectronics or counterfeit software, counterfeit sushi or counterfeit handbags, there are different techniques for determining if they are or not. But a couple of steps higher, the whole idea of having an evaluation and assessment of counterfeits and making sure that it's part of your decision process, that's independent of what kind of counterfeits you're worried about. And so we think that the top levels, maybe five, maybe six levels down, is something that every board, every officer, every acquisition official, every loading dock manager down to the engineers should be aware of and have as a part of their situational awareness.
PAUL ROBERTS
Okay, final question, which is always we talk a lot about sort of the security poverty line in information security, which is, yeah, sure, the JPMorgan Chase or the Boeing and Lockheed will do this, they'll invest in this. But what about the millions or hundreds of thousands of just enterprises out there where this type of thing, as you're saying, is clearly needed now, but might seem like a really big stretch for them in terms of internal talent and skills to be able to do it, bandwidth and resources. So how do we... GAAP is used by everybody, you almost have to use it if you're a company doing business with other companies. How do we get System of Trust to have that same "got to do it" quality?
ROBERT MARTIN
Well, so one thing we've done is we've tried to embed in the way we ask the questions about the risks, the knowledge about how to take the raw data and figure out if it is high risk, moderate risk, or low risk. So think about, and this is a poor analogy, but it's one we kind of end up using is your doctor knows how to take a couple of measurements and interpret them. Well, that rubric of how they evaluate that can actually be shared and you see it in articles about your blood pressure should be in this level and your weight at this level. And if these things are too high, then you also talk to your doctor. So there's a way of everyone being able to get some measure, not the precise details that a practitioner would, but a general feel of are you in a low risk, moderate risk, or a high risk? That's where we think most people need to be. If supply chain is a huge possible impact to you, then you need to get some experts involved.
PAUL ROBERTS
Right.
ROBERT MARTIN
But there's a lot of people that just need some general, I guess, supply chain hygiene practices. And that's where we're aiming at.
PAUL ROBERTS
And you said as we started talking, the aim here, the target audience here really is the board, is the management of the company. Not necessarily. This isn't an IT problem. This is a corporate management problem.
ROBERT MARTIN
Right. And the other part of System of Trust, another way of thinking about it is this tree. And there are ornaments you can hang on there. There's things you're already doing that do answer some of these risk questions. So we're not trying to reinvent what's been done. We want to map those things. So there's certifications and accreditations and different assessments that organizations undergo. We want to be able to place these into the context of the System of Trust so the risks those things illuminate can be brought in and not passed over again.
PAUL ROBERTS
Robert, is there anything I didn't ask you that I should have or anything you wanted to say?
ROBERT MARTIN
No. Wish we'd been able to do this in person.
PAUL ROBERTS
Yeah, me too. COVID had other plans...
ROBERT MARTIN
Next year.
PAUL ROBERTS
Hey Robert, thank you so much for coming on and speaking to us on ConversingLabs. It's been a pleasure and thanks for all the work you're doing.