President Biden’s cybersecurity executive order outlined an ambitious agenda, propelled by a flood of concerns over a series of critical system compromises – but turning ideas into implementation will be hard work.
Federal agencies will need to develop clear, actionable standards in an incredibly quick time frame, said panelists convened yesterday by the R Street Institute, a nonprofit public policy research organization.
Officials will also need to overcome a historic mistrust of information sharing if they are to improve collaboration with the private sector, said speakers, who welcomed the executive order’s goals while highlighting the challenges ahead.
NEW SAFETY STANDARDS
As part of the new initiatives, software companies aiming to sell to the federal government will have to adhere to security standards that are still to be defined, and developing such a framework is no easy task, said Allan Friedman, director of cybersecurity initiatives for the National Telecommunications and Information Administration (NTIA).
The software supply chain security measures described in the order are “sane enough ideas,” such as requiring developers to use both static and dynamic testing tools, he said. But not all of the recommendations are easily translated into measurable regulations and controls – a hurdle that will need to be overcome.
“The challenge is that all of these common sense features don’t easily match up to standards and things that we can easily understand,” he said.
The NTIA and the National Institute of Standards and Technology (NIST) have solicited comments from the private sector to inform their standardization work, but with short response windows, given the swift timetable established by the executive order, Friedman said.
Even as agencies strive to create new standards, some members of the security community see compliance-based approaches as insufficient to control threats and advocate that organizations instead adopt risk-based approaches, Friedman said.
But he argued that compliance must be part of the strategy and will always have a role to play in government regulation, because officials need a means to guide companies that lack sophisticated risk assessment capabilities and to let them know when they have crossed a minimum bar.
“Compliance has a terrible reputation among the cool kids in security… [but] this is what the vast majority of organizations on the planet do for security, because they need to know when they are done,” Friedman said. “Their job is not to ‘secure’; their job is to ‘do stuff,’ and we really, really hope it’s safe.”
CRITICAL SOFTWARE SECURITY
One of the federal government’s methods of improving the security of critical software will be to require vendors to provide software bills of materials (SBOMs) that list the various code components that make up their products.
The NTIA is now working with other agencies on developing minimum requirements for what such an SBOM should contain and plans to reveal that plan publicly on July 11, Friedman said. So far, the NTIA has received around 70 to 80 comments from the private sector, which it also intends to publish soon.
Among the questions hanging over the topic of critical software supply chain security is what exactly counts as “critical.” The order describes such software as anything that “performs functions critical to trust,” such as software that gives users access to a network, and several federal agencies are responsible for developing a more precise definition.
Speaking at the panel, Jeanette Manfra – director of risk and compliance for Google Cloud and former assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA) – recommended focusing on critical functions rather than on specific critical software offerings. She proposed that the government strengthen security by identifying the types of capabilities that could both be disrupted by a cyber attack and are critical for the country, and then focus on ensuring that there are no vulnerabilities in the digital systems supporting those operations.
“It’s a really important job to say, ‘These are the core functions that our country depends on,’” Manfra said. “[But] I’m not sure if there are many situations where you could get to a specific type of software or a specific brand of software… and I’m afraid of the government prescribing that.”
Manfra advocated allowing agencies to decide individually what counts as critical to them, given their particular operations and risk profiles. She acknowledged that this could be a longer-term goal, as many organizations, both public and private, currently lack the visibility to fully understand their risks.
Adding another private sector voice, Camille Stewart, global head of product security strategy for Google and a cyber fellow at the Harvard Belfer Center, said the interweaving of technology with so much of society leaves companies concerned that the government could, given the right perspective, consider almost all software to be critical.
Even dating services have become entangled in federal security concerns, Stewart said, pointing to the 2020 sale of the Grindr dating app following a determination by the Committee on Foreign Investment in the United States (CFIUS) that ownership of the app by a China-based company could pose a risk to national security.
“As technology evolves and fits into our lives in different ways, having a definition of ‘critical’ software that is too broad could be really problematic,” Stewart said. “Everyone is afraid that everything will become ‘critical.’”
Government officials are also pushing for the private sector to report and share more information, but encouraging this may require overcoming a turbulent history, said Bryson Bort, senior researcher at R Street and founder and CEO of the cyber risk assessment company SCYTHE.
“We’ve had cases where private industry has been burned – where they’ve gone to talk to the government, and the government leaked the information,” Bort said. “This stuff is hard to overcome.”
But Manfra said officials might be able to secure cooperation more easily if they are careful to narrow their requests, asking companies only for the exact details needed to meet specific goals.
This will take the government further than simply making vague demands on the private sector such as “‘just tell us when bad things are happening,’” she said, “because it is difficult to analyze that.”