With the signing of Executive Order 14017, U.S. President Joe Biden changed the landscape of cybersecurity in regards to ensuring resilient U.S. supply chains.

As a part of the new initiative to protect supply chains, people like Luke Hinds (pictured), security engineering lead, Office of the CTO, at Red Hat Inc., have stepped forward with innovative ideas designed to meet the continuing threat of cyberattacks on U.S. infrastructure.

Secure supply chain “is a bit of a buzzword at the moment, and there is a lot of attention. It is the hot topic, secure supply chains, thanks to things such as the Executive Order,” Hinds said. “And we’re starting to see an increase in attacks as well. There’s a recent statistic that came out … a 620% increase since last year of supply chain attacks involving the open-source ecosystem. So, things are certainly ramping up.”

Hinds spoke with David Nicholson, host of theCUBE, SiliconANGLE Media’s livestreaming studio, during the KubeCon + CloudNativeCon NA event. They discussed challenges facing the security of the U.S. supply chain, adoption hesitancy, and what Red Hat Inc. is doing to meet these challenges. (* Disclosure below.)

Business as usual is no longer an option

With the signing of the Executive Order, many companies have been left scrambling to adjust to the new restrictions. In the past, a company would get a server up and running and then simply walk away leaving it to run on its own, for the most part, according to Hinds. Now, that is no longer an option.

“There is an element of ‘not everybody has adopted this new paradigm that we have in development,’ but it is increasing,” Hinds stated. “There is rapid adoption here, and many that haven’t made that change yet to migrate to a sort of a cloud-type infrastructure, they certainly intend to, or they certainly wish to. I mean, there’s challenges there in itself, but I would say it’s a safe bet that the prolific use of cloud technologies is certainly increasing.”

Multinational software company Red Hat is helping to make the changes necessary for a secure future with its free, open-source enterprise products. In efforts to increase online security, Red Hat developed Sigstore, which operates along with the principle of the transparency logs, used by HTTP protocol, to audit digital certificates for identification as either a trusted or fraudulent website.

Developed during the COVID-19 lockdown, Sigstore uses ephemeral keys that make the whole process more secure. In addition, Sigstore acts as an umbrella project for tools catered to the adoption of signing certificates by websites. Working with individuals at Purdue University and Google LLC, Hinds and Red Hat developed the new technology.

But there are challenges. Part of the problem lies in getting everybody to adopt the new tools that Sigstore offers. At its heart, Sigstore offers a method to enhance security for software supply chains in an open, transparent and accessible manner. It’s intended to make cryptographic signing easier and available to all. And, most importantly, it’s available at no cost. Hinds and Red Hat hope that this encourages adoption.

Using Sigstore tools, companies “can sign their own artifacts and secure bill of materials, all of these sorts of things and have their own tamper-proof record of everything that’s happened. So, if anything untoward happens, such as a key compromise or somebody’s identity stolen, then you’ve got a credible source of truth because you’ve got that immutable record,” Hinds said.

Watch the complete video interview below, and be sure to check out more of SiliconANGLE’s and theCUBE’s coverage of KubeCon + CloudNativeCon NA. (* Disclosure: Red Hat Inc. sponsored this segment of theCUBE. Neither Red Hat nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE