As the focus on cybersecurity continues to increase, governments around the world are putting in place regulations and legislation that companies must follow. The SEC announced guidance about the need for large publicly traded businesses to manage their cybersecurity requirements and report any relevant incidents. This was a pivotal step in helping to ensure those entities remain secure against cyber-attackers.
Here at MergeBase, we wanted to take some time to talk about this announcement - as well as what this type of government legislation means for small-to-medium-sized organizations and multinationals over the next few years. Joining this conversation are Oscar van der Meer - CEO, Kelly West - CTO and Delan Elliot - Software Engineer.
What do SCA, AI and Cybersecurity have in common? - Video Transcription
Delan: Alright, welcome everyone to another MergeBase cybersecurity video. Today, we’re going to be talking about the SEC announcement that provided some guidance on how large publicly traded businesses need to deal with cybersecurity and reporting.
And with that context, we’re going to talk about government legislation in general around cybersecurity and, you know, how small- and medium-sized businesses as well as larger organizations react to that over the next few years.
With me today is Oscar van der Meer, CEO of MergeBase, and joining us is Kelly West, our new CTO. Welcome everyone. So, I’m just going to get started.
You know, in general, with the SEC getting more involved, governments overall and in different countries are getting more concerned about cybersecurity and the software supply chain.
So how do we see that going forward, Oscar?
Oscar: MergeBase is actually seeing a lot of movement. I mean, governments are notoriously kind of slow movers. But actually, they’re somehow breaking the mold a little bit here because, you know, in the U.S., for example, we saw that they introduced a new cybersecurity strategy from the federal government in March and then actually came out with the implementation plan early July.
I think it’s very, it’s been, you know, that hardly ever happens. Right. And so we’re seeing a movement in the European Union and in the U.S. The U.S. is clearly leading in this area, but smaller countries like Canada, Japan, Germany, and other countries are also doing a lot of things in this area.
Right. So, I guess at a high level, why are they getting more concerned about cybersecurity and software supply chain specifically? Well, for instance, the European Union quotes in one of their recent reports that cybercrime annually exceeds 5.5 trillion euros, which is roughly equivalent to U.S. dollars.
So this is a huge number. Just a few years ago, total crime-related damages across the globe were estimated to be $10 trillion, with the biggest chunk of that essentially being corruption. And so really, cybercrime is gunning for the number one spot here in total crime damages and really overtaking drugs and other crimes. So you can imagine, you know, when that’s happening, what a concern that creates for governments.
And then secondary or, in some countries, primary is, of course, the kind of defense or security, you know, implications as well. I mean, we’re seeing in the war in Ukraine, for instance, there’s quite a lot of cyber warfare and electronic warfare going on. So, it becomes a key component of defending your country as well.
Kelly: And I think related to that on the government front, as an aspect of defense, we’ve seen more often states as bad actors where the attack vector is actually against companies in order to disrupt the economy, where it’s not a government attacking a government, but rather, you know, a state-sponsored bad actor is actually disrupting the economy with attacks against private companies. And, so, the kind of defense that’s necessary then is necessarily distributed amongst those companies.
Delan: So, you were saying that there’s sort of a general direction that governments are taking with cybersecurity.
What’s the sort of future of government involvement with the cybersecurity industry?
Oscar: I would like to narrow it down from cybersecurity kind of globally to, really, software supply chain attacks because software supply chain attacks have really increased tenfold over the last two years.
And that’s what, I think, a critical focus is on now, both in the industry and from governments, in terms of, you know, what’s the common approach? I think the one common approach is that there is effectiveness in the software supply chain; there’s a risk gap, right?
So, first of all, let’s talk a little bit about what the software supply chain is: while you’re building an application, either as an organization yourself or a software vendor is building an application for you, what now tends to happen is that they source a lot of the code in that application from other places.
And so that’s your software supply chain mostly, that is now open source. And there are contributors to open-source software all around the globe. You’ve got these open-source projects, and they’re incorporated into applications in the form of libraries and frameworks.
And the problem is those could have known vulnerabilities, and those are critical attack vectors at the moment. And so that’s really what the governments are concerned about. And there has been this risk management gap, right?
Because the vendors who created applications and would sell their applications often put in their contracts that they are not liable, you know, if there are breaches, right? And so they are not taking any responsibilities. And then the buyers of that software, on the other hand, don’t have any knowledge of the internals of the software. And so they’re saying, well, I can’t take any responsibility on the risks for this because I just don’t know what risks there are and how to manage them.
And so the end result is that nobody was managing the risk, the vendor wasn’t doing it contractually, and then the buyer needed to do it because they needed the tools and the information to do it well. So, this created this huge gap that is now being exploited. And so the first thing governments are doing is trying to close that gap, right?
And they’re doing that by saying to someone, in this case the buyer, you have to take ownership of this, and you have to make sure that your vendor’s giving you either, you know, guarantees or sufficient information for you to manage the risk.
So that’s kind of, but then that’s where the commonality starts, but also ends because then exactly how do you do that? You know, different countries will go into different levels of detail around that. In some countries, it’s basically, well, now you’re on your own, and in some other countries like the US, they provide you with very, you know, specific guidelines.
Kelly: Right. If I can just add to what Oscar’s saying, I think the key phrase that Oscar used is that the challenges in the software supply chain are that there are known vulnerabilities. They’re actually published vulnerabilities. And so, the information is readily available to cyber criminals.
And so when the government is focusing on the software supply chain, it’s a very practical approach to protecting software because these known vulnerabilities mean that they are higher probability areas to be attacked, but they’re also easier to defend against: with something like an SCA tool like MergeBase, you can easily protect against those known and published vulnerabilities.
And, so, the software supply chain is a focal point for governments both because it’s a higher area of threat and because it’s a practical area to protect against. And yet a lot of companies, I think, aren’t yet doing that.
Delan: So, you know, how does this impact medium-sized businesses as well as large businesses, in terms of requirements day to day? You know, how is this going to change practices and, you know, what are the types of tools you need in order to implement these sorts of changes?
Oscar: So, well, definitely, I think what we’re seeing is that governments are getting very concerned, and they’re creating legislation and regulations that initially are really targeting larger organizations. For instance, the announcement from the SEC regulates publicly traded companies in the US. So they will have to provide vulnerability reporting on an annual basis, and they will have to have certain, you know, procedures for security incidents, as well as reporting and disclosing that information.
So, but that’s for larger organizations. We are also seeing that specific areas, like, for instance, the FDA, have introduced regulations for medical devices, right? And there are specific regulations in the power industry, for instance, in the US.
The European Union is introducing specific legislation as well. Japan has just recently launched a guideline, more targeted at multinational organizations that supply their goods in countries like the US and the European Union.
So there are a lot of different things: first going after large companies, but very quickly, it’ll trickle down to smaller companies because who often supplies those large companies? Smaller companies, right? And so, there are larger organizations that are looking at their own supply chain and, basically, the regulations that they’re responsible for, they’re starting to downstream to their suppliers.
And so that’s probably the next step. And then just from a general risk management perspective, I think a 5.5 trillion, you know, problem basically impacts everybody, and criminals are increasingly targeting small organizations.
And that’s even made easier, you know, because they have AI now as well as a tool that helps them do that more effectively and to scale up their operation, and what they were doing with large organizations, now applying that, using AI, to smaller organizations as well.
Delan: Right. So you were mentioning AI. So how do you think AI is going to be impacting the cybersecurity industry and, you know, the software supply chain as well, as AI develops over the next five to 10 years?
Kelly: Well, I think that, you know, just to recognize that right now AI is in its infancy and hasn’t been a major factor yet in cybersecurity, and yet it is likely, you know, you mentioned a five to 10 year timeline in technology. That’s a very long timeline to try and make predictions against, but we can assume that it’s going to become important and that we’re gonna see, you know, sort of three areas where AI is important when it comes to cybersecurity.
The first is all around privacy and confidentiality. And that’s partly because of the number of AI tools out there. And when it comes to generative AI, they’re often fed with a lot of information. So that information, then, is it intended to be published? Is it intended to still be confidential and in a tool?
What are the new attacks that are possible against a tool like that? There’s a whole area of uncertainty both around the legal implications of ownership of information and around the protection of confidential and private information when it comes to AI tools. Another area that is going to be a major focus is the offensive use of AI.
AI can be used as a tool to come up with new attack vectors or to take a known vulnerability and scale up the idea of how to attack that vulnerability across many different companies that may have that vulnerability.
And certainly, that’s gonna have a clear relationship to software supply chain management. Since, effectively, you’ve fed information into AI systems, you can feed in known vulnerabilities as a result. You could basically do the range of different types of attacks you can make based on those vulnerabilities out there in the world.
Finally, a third area where we’re going to see AI have an impact is on the defensive side. Even a tool like MergeBase has, for our SCA analysis, aspects of AI within the tool in order to be able to defend against all of the known vulnerabilities.
And we’re gonna see those capabilities being built out over the next few years to make AI a powerful tool to defend against cybersecurity threats.
Delan: What’s the best way you can start stepping up if you’re a smaller, medium-sized business, or even a large business that is already the subject of some of these regulations? What can you do to get started?
Oscar: I think the important thing is that you get a process in place. And, so, I think a lot of governments are already helping. So, it’s very much a process-oriented approach, and then it’ll require some tools.
So everybody nowadays has a firewall, has some other tools, but often, I think, what they don’t have is detection of known vulnerabilities, right? And that’s why we’ve seen a tenfold increase over the last two years because, you know, everybody has kind of, you know, some of the bare bones basics in place. But what is the next step?
Well, I think it’s to take care of your known vulnerabilities, and that’s why we’ve seen a tenfold increase in two years, because most organizations still don’t have that in place. And of course, having a known vulnerability in an application sounds like, you know, a trivial matter, but it’s like, you know, you have a house, and you say, I don’t want to, you know, get somebody breaking into my house, but you just leave a few doors and windows open; like, you might have locked the front door.
But how about the back door? How about a window in the bedroom or something like that? And if it’s easy to spot, like, you know, your house is not very well protected. And that’s effectively the state of where a lot of organizations are with their applications: there are known vulnerabilities in them that effectively could easily be leveraged by criminals to breach the organization.
Delan: You know, get started with something to detect known vulnerabilities. So that’s the Software Composition Analysis tool. And MergeBase is obviously a software composition analysis tool.
So, if you wanted to get started with MergeBase and try it out before you get a full process in place for your company, how could you get started?
Delan: Well, thank you, Oscar. Thank you, Kelly. I learned a lot today. Thanks, everyone. Have a great day.
Cybersecurity in a Dynamic Landscape
The future of cybersecurity is a dynamic landscape shaped by government regulations, AI advancements, and the ever-present threat of software supply chain attacks. By understanding the evolving nature of these challenges and taking proactive measures, businesses of all sizes can safeguard their digital assets and thrive in an increasingly secure digital environment.
Stay informed, invest in the right tools, and embrace emerging technologies to stay one step ahead of cyber threats.