Governments and Supply Chains: Opening a Dialogue
We need not look beyond the auspices of the last two and a half centuries to find self-evident truths. Yet we know that not all truths have been uncovered. And then we know there are some that are valid but not yet accepted, that reside between certitude and fame, between public opinion and that obelisk dedicated to Mr. Washington.
It is in the search for these truths that courses are charted. And we, in our humble ambition, impervious to obstacles, offer a dialogue on one such course. The subject more precisely: how to use blockchain technology to secure the software supply chain, for that famed government of the people, by the people, for the people.
GOSH, in partnership with the Government Blockchain Association (GBA), has announced the formation of a Working Group to discuss and promote the use of blockchain to secure the development and delivery of software code in government applications, both for U.S. Federal Agencies and for governments and private companies around the world.
The technology of a distributed, decentralized ledger has risen in the proverbial ranks of so-called “revolutionary technology” in no small part due to its guarantee of immutability: once a record is committed and confirmed by consensus, it cannot be rewritten without detection. This guarantee is the premise of a product in which the record of how software code was written, reviewed and delivered cannot be silently altered. While blockchain has embedded itself in the popular imagination through contra-institutional ideas, it need not belong to Others. Governments can, and will, benefit immensely from adopting immutable transparency.
On May 12th, 2021, President Joe Biden signed Executive Order 14028. It states that “the Federal Government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software.” It called for a set of recommendations from the National Institute of Standards and Technology (NIST) on how this can be achieved.
While the focus of these guidelines was largely on how software can be secured using existing tools and practices, they also laid out process improvements and identified areas where more advanced software can be used. We would like to focus here on existing blockchain technology itself as a potential means to secure government software supply chains.
The establishment of a working group, led by GOSH, with the express intention of discussing precisely this, is a direct response to these guidelines. Its strategic goal is to engage members from the digital security, software development tools, and software delivery IT industries in pursuit of that mission.
Government and Blockchain Security
Blockchain is becoming increasingly prevalent in private sector use. Record keeping, healthcare, and foreign aid are just some of the applications currently being implemented. Likewise, software security has grown to be a top priority for government agencies. Considering current cybersecurity concerns and the need to secure government software supply chains, leveraging blockchain technology for this purpose is no doubt the next frontier.
The immutable ledger that forms its foundation, and the ever-present combination of cryptographic hashing, digital signatures, and smart contracts, is what has allowed blockchain to prove its integrity properties in practice. One precision is worth stating: most blockchains do not encrypt the data they store, and every node can read the ledger. What they guarantee is that a record, once accepted, cannot be altered or reordered without breaking the hash chain and the signatures over it.
Lately, advances in transaction speed and scalability have reduced migration pains and made long-term use of blockchain security applications feasible where it previously was not. These advances are beginning to drive the technology into more general areas of use. We consider ourselves one such example. By providing git services on-chain, GOSH records the provenance of every change to source code in a supply chain, so that any later tampering with the code or its history can be detected.
The technology still faces some challenges. These will be discussed at the Working Group meetings. They include:
Ease of use; deployment across Federal Agencies will require blockchain solutions that are efficient and easy to use
Customization; every critical software application has a different set of challenges, each calling for slightly different solutions
Tooling; cloud-based security options may not always be the best fit, and running a full blockchain in production carries its own operational challenges, so we should explore complementary tools and measures that can be used alongside it
The GBA Secure Software Supply Chain Working Group emphasizes the value of a discussion on all possible blockchain solutions to this end, rather than any one solution.
NIST Recommendations
Executive Order 14028 identified many of the weak points in government supply chain security. These include: build environments, auditing, dependencies, unencrypted data, and provenance. Those of you familiar with our blog no doubt remember us addressing these points previously. In short, addressing these issues is a large part of GOSH’s security solution.
It is with problem-solving in mind, with the light touch of curiosity, that we approach the discussion around this subject. We are excited to listen to, and present, the various products, practices, and proposals to advance another possible use of blockchain in government. As we stated above, our jumping-off point for this discourse is the aforementioned NIST recommendations. Let us isolate some examples and suggestions outlined therein and briefly state how blockchain can help:
Access Control
“Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, devices (including other information systems), and the types of transactions and functions that authorized users are permitted to exercise.”
The question of access control is one that blockchains answer directly.
The technology is inherently designed around limiting access: be it by third parties to a transaction, to collected data, or, as it can be applied, to the systems and components that traverse the supply chain.
This is done with two components:
Cryptographic keys sign every operation on the blockchain, and every node verifies the signature before accepting the operation; anything not signed by the right key is rejected
Smart contracts manage these access rights per key and per operation, so that the requirements of each operation are defined in code and information about the information system and supply chain is protected from unauthorized use. One caveat: because every node holds a copy of the ledger, confidentiality of the recorded content cannot come from access control alone; sensitive content should be encrypted or kept off-chain, with only its hash recorded
Audit and Accountability
“Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.”
Blockchain ledgers are immutably timestamped. Every interaction is recorded, cryptographically signed, and timestamped by consensus. A ledger therefore guarantees that the audit record of a supply chain event cannot be altered, reordered, or backdated after the fact, and that the identity of whoever signed it cannot be disputed. What it does not guarantee is that the event was recorded correctly in the first place; that depends on the process feeding the ledger.
All this helps enterprises implement non-repudiation to protect the origin and integrity of both information systems and the supply chain network.
On one level, smart contracts can encode the rules under which contractor systems may publish data and emit an event whenever a rule is broken, so that enterprises are notified immediately. Detecting an unauthorized disclosure on a contractor’s own systems is, however, off-chain monitoring; what the chain contributes is a tamper-evident record of what was reported and when. More than that, any database built from data taken from the blockchain can be checked against the ledger: the hashes and signatures prove the data has not been altered since it was recorded. The proof is one of integrity, not of correctness. A mistaken entry is preserved as faithfully as a correct one, which is why entries must be validated before they are written.
Assessment, Authorization, and Monitoring
“Organizations must: (i) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems; (iii) authorize the operation of organizational information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.”
Ensuring this is largely a matter of process. But many of these activities can be aided by blockchain technology:
Regarding i; the controls encoded in smart contracts are applied to every transaction, at all times, and because the contract code itself sits on the ledger it can be assessed by anyone at any time
Regarding ii; plans of action for information systems can be, and are, automated by smart contracts
Regarding iii; for all the reasons we have stated earlier, smart contracts and blockchain access rights address this requirement
Regarding iv; smart contracts enforce their rules on every transaction in real time and reject any that violate them. Monitoring of the surrounding systems should still be organized off-chain, but smart contracts performing the aforementioned tasks can be built around the particular needs of an enterprise and made to refuse operations that would otherwise constitute an attack. These include:
The tracking of chain of custody and system interconnections within and between enterprises
The verification of suppliers’ claims of conformance to security
Product/component integrity
Validation tools and techniques for non-invasive approaches to detecting counterfeits or malware (e.g., Trojans)
Indeed these are all tools that GOSH has been developing for a variety of functions, which could well be adapted to government use.
Configuration Management
“Organizations must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in organizational information systems.”
We have spoken at some length about blockchain ledgers. So let’s talk about them some more.
Immutable ledgers allow enterprises to track changes made throughout their networks. It becomes not only possible to know, but also to prove, what changes were made to those systems, components, and documentation; who made the changes; who authorized the changes; and when such changes were made.
It also provides evidence for investigations, when supply chain cybersecurity is compromised, by determining which changes were authorized and which were not.
System and Information Integrity
“Organizations must: (i) identify, report, and correct information and information system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organizational information systems; and (iii) monitor information system security alerts and advisories and take appropriate actions in response.”
Blockchain guarantees the integrity of the record; applied properly, that record guarantees the integrity of the software. If the digest of every artifact (commit, dependency, build output) is recorded and signed on-chain, any artifact can later be checked against the ledger, and a substituted or modified artifact will not match.
The insertion of malicious code and counterfeits are two primary examples of cybersecurity risks throughout the supply chain; these can be combated using blockchain technology, formal verification, and consensus protocols.
“The enterprise should ensure that code authentication mechanisms, such as digital signatures, are implemented to ensure the integrity of software, firmware, and information” – every blockchain already signs its transactions, and extending the same mechanism to software artifacts means signing each artifact’s digest and recording the signed digest on the ledger, where anyone can verify it
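As an added illustration (example code written for this page, not GOSH’s implementation or any on-chain contract), the following Go program shows in one place the mechanics that the sections on Access Control, Audit and Accountability, Configuration Management, and System and Information Integrity rely on: a hash-chained, append-only ledger in which every entry records who did what to which artifact and when, is signed with the author’s Ed25519 key, and is accepted only if that key holds the right to the recorded action. Verification then detects a substituted artifact, a reordered history, and an unauthorized key. The entry schema, the action names, the source tree digest and the timestamp are all constructed for the example; a real deployment would take its time from consensus and keep the rights registry in a contract on the chain rather than in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one ledger record, chained to its predecessor. The schema is this example's own.
type Entry struct {
	Time     int64  // unix seconds; a real chain would use consensus time
	Author   string // hex of the signer's ed25519 public key
	Action   string // "commit", "approve", "deploy", ...
	Artifact string // sha256 hex of the thing recorded (source tree, binary, ...)
	PrevHash string // hash() of the previous entry; "" for the first
	Sig      []byte // ed25519 signature over hash()
}

// hash binds every field except Sig (hex and identifiers only, so '|' is unambiguous); any later edit breaks Sig and the next PrevHash.
func (e Entry) hash() string {
	h := sha256.New()
	fmt.Fprintf(h, "%d|%s|%s|%s|%s", e.Time, e.Author, e.Action, e.Artifact, e.PrevHash)
	return hex.EncodeToString(h.Sum(nil))
}

// Ledger is an append-only, hash-chained log plus the key/action rights a smart contract would enforce.
type Ledger struct {
	Authorized map[string]bool // "pubkeyhex|action" -> permitted
	Entries    []Entry
}

// Append records an action signed by priv, refusing key/action pairs that were never granted.
func (l *Ledger) Append(priv ed25519.PrivateKey, action, artifact string, now int64) error {
	k := hex.EncodeToString(priv.Public().(ed25519.PublicKey))
	if !l.Authorized[k+"|"+action] {
		return fmt.Errorf("key %s... is not authorized for %q", k[:8], action)
	}
	e := Entry{Time: now, Author: k, Action: action, Artifact: artifact}
	if n := len(l.Entries); n > 0 {
		e.PrevHash = l.Entries[n-1].hash()
	}
	e.Sig = ed25519.Sign(priv, []byte(e.hash()))
	l.Entries = append(l.Entries, e)
	return nil
}

// Verify walks the chain from the start: each entry must link to its predecessor, carry a
// valid signature from its stated author, and that author must hold the right to the action.
func (l *Ledger) Verify() error {
	prev := ""
	for i, e := range l.Entries {
		if e.PrevHash != prev {
			return fmt.Errorf("entry %d: broken chain link", i)
		}
		pub, err := hex.DecodeString(e.Author)
		if err != nil || len(pub) != ed25519.PublicKeySize || !ed25519.Verify(ed25519.PublicKey(pub), []byte(e.hash()), e.Sig) {
			return fmt.Errorf("entry %d: author key or signature does not match contents", i)
		}
		if !l.Authorized[e.Author+"|"+e.Action] {
			return fmt.Errorf("entry %d: author not authorized for %q", i, e.Action)
		}
		prev = e.hash()
	}
	return nil
}

// ExampleLedger builds a constructed three-step record: a developer commits a source tree,
// a release manager approves and deploys it. The developer's key is returned so callers
// can try an action that key was never granted.
func ExampleLedger() (*Ledger, ed25519.PrivateKey, error) {
	devPub, dev, err1 := ed25519.GenerateKey(rand.Reader)
	relPub, rel, err2 := ed25519.GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, nil, fmt.Errorf("key generation failed: %v %v", err1, err2)
	}
	d, r := hex.EncodeToString(devPub), hex.EncodeToString(relPub)
	l := &Ledger{Authorized: map[string]bool{d + "|commit": true, r + "|approve": true, r + "|deploy": true}}
	sum := sha256.Sum256([]byte("constructed source tree, version 1")) // stands in for a real tree hash
	tree := hex.EncodeToString(sum[:])
	keys := []ed25519.PrivateKey{dev, rel, rel}
	actions := []string{"commit", "approve", "deploy"}
	for i := range keys { // 1669914000 is 2022-12-01 17:00 UTC, a constructed timestamp
		if err := l.Append(keys[i], actions[i], tree, 1669914000+int64(i)); err != nil {
			return nil, nil, err
		}
	}
	return l, dev, nil
}

func main() {
	l, dev, err := ExampleLedger()
	if err != nil {
		panic(err)
	}
	fmt.Println("fresh ledger:", l.Verify())
	fmt.Println("developer key tries to deploy:", l.Append(dev, "deploy", l.Entries[0].Artifact, l.Entries[2].Time+1))
	l.Entries[0].Artifact = "0000" // rewrite history: substitute the recorded source tree
	fmt.Println("after tampering with entry 0:", l.Verify())
}
```

Run it with `go run`; the three printed lines show a clean verification, a refused deploy by the developer key, and the error raised once entry 0 has been edited. Note what the check does and does not prove: it proves the recorded history has not been altered since it was written, not that the recorded source tree was free of defects when it was committed.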
Securing Critical Software
In a separate set of recommendations by NIST, specifically regarding Critical Software, they outline the importance of systems that “identify and maintain EO-critical software platforms and the software deployed to those platforms to protect the EO-critical software from exploitation.”
This is a subject particularly important to us because GOSH is built to do just that. We believe that decentralization is a large part of how this can be achieved for wider use, along with the computing particularities of the blockchain which we have mentioned above. Suffice it to say, this is another example of an elegant solution.
Where We Hope This Will Go
The main reason government supply chains must remain secure is so that their function in serving the public good not be in any way undermined. We strongly believe in the potential of blockchain as a whole, and particularly GOSH, in achieving these ends so that no longer will democratic institutions be left to the vulnerability they find themselves in today.
The working group began by hosting a discussion on Securing IT Supply Chains during the GBA’s conference on Blockchain & Infrastructure earlier in the year. Keynoted by former U.S. National Security Council (NSC) member Brian Cavanaugh, the session brought significant attention to GOSH and especially to the working group. The first meeting is currently scheduled for December 1, 2022 at 12:00 ET / 18:00 CET, but is subject to change.
For all who wish to participate, please consult the Working Group page, where you can also contact us directly:
https://gbaglobal.org/groups/secure-software-supply-chain/
For more news and updates about GOSH: