This is a problem that needs to be fixed, as the U.S. is increasingly concerned about cyber threats from China, especially those aimed at critical infrastructure.
“We’ve got to get the country's infrastructure on a civil defense war footing,” said CSAC Chair Ron Green, during the group’s recent quarterly meeting call.
The draft report from CSAC's Building Resilience subcommittee says the U.S. needs to act fast to improve both cyber resilience and defense. CISA should take steps like providing more support to small systemically important entities as well as asking partners to help assess whether CISA’s threat advisories on groups like China-backed Volt Typhoon are actually making a difference for various sectors. CISA’s Joint Cyber Defense Collaborative should also keep providing threat intelligence as well as sponsor tabletop exercises for critical infrastructure.
A draft report presented during the call by another CSAC subcommittee also highlights third-party risks and recommends that CISA spur software manufacturers’ adoption of Secure by Design practices.
Following such practices would help software producers create offerings that better withstand hacking attempts and are easier for customers to use securely. But following these steps is voluntary — so it’s important that CISA can make a convincing case for doing so.
The CSAC’s Secure by Design subcommittee couldn’t find evidence to support some often-touted financial justifications for following related principles, said subcommittee Chair George Stathakopoulos during the call.
It’s often assumed that fixing vulnerabilities in software before releasing it is cheaper than trying to fix issues after release. That’s true for the rare events when vulnerabilities are exploited to cause major — and costly — problems, but often companies can get away with vulnerabilities in their products that no one discovers, Stathakopoulos said.
And a major data breach hasn’t always been the death knell for a company. Companies that had already established trust with customers were often dinged temporarily by an incident, but their reputations bounced back, he said. Meanwhile, companies that failed to recover were often struggling with other serious issues, too.
Stathakopoulos said that despite looking extensively for some strong economic incentive, they could not find one that “actually suggests that there's an economic incentive for companies to do this, other than they volunteer that they wanted to do this for their own reputation and to further the greater good.”
Still, Stathakopoulos encouraged investigating the economic matter further. And, if there truly are no financial motivators, he suggested that CISA should make some.
The Office of the National Cyber Director has been considering how it might hold companies liable for insecure software development practices.
And while those incentives may work for commercial software, another approach is needed to keep open source software secure.
Open source software is often created and maintained by a volunteer community, and offered for free “as-is,” meaning no one is legally responsible for it. And volunteers don’t always have the time or resources to respond quickly to make patches.
But open source cannot simply be avoided: It’s a huge — and valuable — part of the software landscape. Open source elements are used in 80 to 90 percent of closed source software, said Jeff Moss, Technical Advisory Council Subcommittee chair.
One thing the space needs is more “curators,” or entities that take responsibility for patching and maintaining versions of an open source project for their customers, per the Technical Advisory Council Subcommittee's own draft report. Some curators are companies paid to provide this service to others; others are internal teams maintaining open source for their own organization’s use.
The federal government could also step into this role and designate an agency to be the curator of open source software used by federal, state, local, tribal and territorial agencies, the report suggests. In critical infrastructure sectors, each Sector Coordinating Council should list out the critical open source software packages for its sector and offer some level of curation for the packages.
During the call, CSAC members approved sending all recommendations to CISA Director Jen Easterly, with no objections.
Editor's Note: This story has been updated to clarify attribution of the idea to explore consequences for companies with insecure software development practices.