Editor’s Note: This is the latest in a series from the Poole College of Management and the Enterprise Risk Management Initiative that taps experts from across NC State to explore societal issues through the lens of risk management.
The scope and cost of cyberattacks are staggering. Global losses from data breaches are measured in the hundreds of billions, and the average breach costs an organization $4.4 million, according to IBM.
But the cost of cyber risk is only one part of the picture. Cyberattacks affect every industry; in the last few months alone, they’ve brought European air travel to a standstill and crippled Jaguar Land Rover’s automobile production. Those were malicious attacks, but unintentional cybersecurity breaches are a major source of risk, too.
“It’s inevitable,” said Laurie Williams, Goodnight Distinguished University Professor of Security Sciences and director of NC State’s Secure Software Supply Chain Center (S3C2). “There are vulnerabilities, and you’re going to have to react to them.”
S3C2 and the Wolfpack Security and Privacy Research Lab (WSPR) — both part of the computer science department — are two major NC State research efforts that develop tools and approaches to help protect software makers and users from malicious and unintentional threats.
Mark Beasley, Alan T. Dickson Professor and Director of the Enterprise Risk Management Initiative at the Poole College of Management, recently interviewed NC State computer scientists Laurie Williams and William Enck about cybersecurity risks business leaders may want to monitor. In this video, they outline strategies and techniques business leaders can take to enhance organizational agility and resilience in the face of inherent cyber vulnerabilities.
Open Source, AI and Vulnerabilities
Every piece of software is built on — and with — layers of other pieces of software. Each component in the software supply chain, from databases to developer tools, could introduce vulnerabilities for the organization that creates the software and the customers who use it.
Eighty percent of any piece of software, Williams said, is made by third parties. And many of the links in that software supply chain are open-source. Open-source software is written by a person or a community and shared so that others can use or adapt the code.
And it’s an essential part of the modern software ecosystem.
“Nearly every organization is relying on open-source software,” said Will Enck, Goodnight Distinguished Professor in Security Sciences and director of the WSPR Lab. “To some extent, it’s foolish not to. Reimplementing what already exists is reinventing the wheel.”
Increasingly, though, open-source components of the software supply chain are being targeted by attackers, Enck said. Bad actors can corrupt open-source libraries with tactics that look a lot like phishing scams. Think of an email that looks like official communication from Amazon or Microsoft but includes links that give the sender access to the user’s personal information or control over their computer.
“You’ve got to make sure that the ecosystem of open-source software that we depend on is being maintained.”
William Enck, Goodnight Distinguished Professor in Security Sciences and Director, Wolfpack Security and Privacy Research Lab
Hackers make similar attempts on software developers by subtly loading corrupted code into a popular open-source package, Enck said. These attacks can play out over long periods of time. In February 2024, users of a popular Linux utility called xz found a sophisticated backdoor. The malicious actor who added it had spent three years earning the trust of the people who maintained the xz utility. The backdoor was only found when an xz user working at Microsoft noticed that it was running a few hundred milliseconds slower than usual.
It’s incumbent on users of open-source software to actively support the communities that maintain it, Enck said. That support could be financial, or it could mean encouraging their teams to contribute to those communities.
“There’s this saying that you need to think about open-source software as ‘free as in puppy, not free as in beer,’” Enck said. “There’s a maintenance cost that goes with it, and it’s not just making sure you’re getting the security patches. You’ve got to make sure that the ecosystem of the software that we depend on is being maintained.”
Artificial intelligence compounds the challenge of monitoring software supply chain risk. Increasingly, software developers use coding assistants to speed up their code development. In doing so, they may be sacrificing security. The data those assistants are trained on, Williams said, is vulnerable. Existing code makes up a large share of that training data, and it can be compromised accidentally (if the underlying code isn’t secure) or intentionally (by bad actors injecting vulnerabilities).
“A lot of people using coding assistants say they’re 10x more productive,” Williams said. “But you’d better check the security of the code you’re generating.”
Improving Your Risk Posture
As organizations in every sector deepen their dependence on software, cyber risk management must become a core part of enterprise strategy. Williams and Enck agree that the question isn’t whether vulnerabilities will appear, but when — and how prepared an organization is to respond.
Companies that maintain awareness of emerging threats and have defined processes for identifying and remediating vulnerabilities are far better positioned to recover quickly. In contrast, those without such systems often spend months struggling to contain the damage.
“Security is everyone’s job. It has to be built in from the beginning.”
Laurie Williams, Goodnight Distinguished University Professor of Security Sciences and Co-Director, Secure Software Supply Chain Center
“Computers have gotten smaller, and software is running in small devices connected wirelessly to the cloud. We don’t see those connections — but they’re everywhere: in finance, transportation and public utilities,” Enck said. Given that ubiquity, he argues, cybersecurity spending shouldn’t be seen as a cost center but as essential infrastructure.
Education and awareness are also key. Williams advocates for company-wide security education and clear accountability at every stage of software development.
“Security is everyone’s job,” she said. “There can’t be a mindset of, ‘I’ll build the functionality and someone else will find the vulnerabilities.’ It has to be built in from the beginning.”
5 Key Topics for Boards and Executives
Cyber criminals increasingly target popular open-source software to embed malicious code. Boards and CEOs can improve their risk posture by discussing these topics with their CTOs, according to Enterprise Risk Management Initiative Director Mark Beasley:
1. To what extent are our most critical software systems comprised of open-source software components?
2. How are we identifying and monitoring potential vulnerabilities in the open-source software we use for key operations?
3. When we evaluate vendor software products, to what extent do we assess their use of open-source components and how they monitor ongoing vulnerabilities that might be in their software code?
4. What procedures do we have in place to ensure we are updating our software with patches on a timely basis when new vulnerabilities are disclosed?
5. Do we regularly conduct security testing that includes open-source components?