One of the common themes across SolarWinds, Log4j, and others is that individuals and organizations flagged the discovery to the broader community to act, resulting in the community rallying to respond. However, this ad hoc system isn’t sustainable in the long term, we need a common strategy across government, industry, academia, and the open source community to better equip all stakeholders with the tools they need to immediately and effectively address software supply chain risk.
Consistent with recommendations we supported with the Cyber Safety Review Board (CSRB), and made in other government and industry forums, the strategy should center on three core pillars: 1) adopting best practices and standards for cyber hygiene; 2) building a more resilient software ecosystem; and, 3) making investments in the future. Working across all three pillars, we can both prepare for — and respond to — future attacks.
Our approach to supply chain security is rooted in a basic principle: we defend better together. We hope this report serves as a call to action for everyone to do more to learn from, and prevent, these attacks. Google is committed to continue doing its part to support these efforts and we look forward to partnering with others to drive more progress and help organizations, businesses, governments, and users stay safe online.