Federal agencies will need to develop clear, actionable standards on a breathtakingly fast timeline, said panelists convened yesterday by public policy research nonprofit R Street Institute.
Officials will also have to overcome historic wariness around information sharing if they wish to improve collaboration with the private sector, said speakers, who praised the goals of the executive order while highlighting the challenges ahead.
NEW SECURITY STANDARDS
Under the new initiatives, software vendors aiming to sell to the federal government will need to abide by to-be-defined security standards, and developing such a framework is no simple feat, said Allan Friedman, director of cybersecurity initiatives for the National Telecommunications and Information Administration (NTIA).
The software supply chain security measures outlined in the order are “fairly commonsense ideas,” such as the requirement that developers use both static and dynamic testing tools, he said. But not all recommendations are easy to boil down into regulations and readily measurable checks — a hurdle that will have to be overcome.
“The challenge is that not all of those commonsense features easily map to standards and things we can easily understand,” he said.
Even as agencies work to create new standards, some members of the security community see compliance-based approaches as insufficient for controlling threats, advocating that organizations instead adopt risk-based approaches, Friedman said.
But he argued that compliance needs to be part of the strategy and will always have a role to play in government regulation, because officials need ways to guide companies that lack sophisticated risk assessment capabilities and let them know they’ve cleared a minimum bar.
“Compliance has a terrible reputation among the cool kids in security … [but] that’s what the vast majority of organizations on the planet do for security, because they need to know when they're done,” Friedman said. “Their job isn't to ‘make secure’; their job is to ‘make stuff’ and we really, really hope it’s secure.”
CRITICAL SOFTWARE SECURITY
One of the federal government’s methods for improving critical software security will be obligating vendors to provide software bills of materials (SBOMs), inventories that list the components, including third-party and open-source code, that make up a product.
NTIA is collaborating now with other agencies on developing minimum requirements for what such an SBOM would look like and expects to reveal that plan publicly on July 11, Friedman said. NTIA thus far has received roughly 70 to 80 private-sector comments, which it intends to make available soon as well.
Among the questions hanging over the topic of critical software supply chain security is what exactly counts as “critical.” The executive order describes such software as anything that “performs functions critical to trust,” like software that gives users access to a network, and several federal agencies are charged with hammering out a more precise definition.
Speaking during the panel, Jeanette Manfra — director of risk and compliance for Google Cloud and former assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA) — recommended focusing on critical functions rather than on specific critical software offerings. She proposed that the government shore up security by identifying the capabilities that are both essential to the country and feasibly disruptable by cyber attack, then turning its focus to ensuring the digital systems supporting those operations are free of vulnerabilities.
“It's really important work to say, ‘These are the critical functions that our country depends upon,’” Manfra said. “[But] I don't know whether there're many situations where you could get to a specific type of software or a specific brand of software … and I worry about the government prescribing that.”
Manfra advocated for allowing agencies to individually decide what counts as critical to them, given their particular operations and risk profiles. She acknowledged that this may be a longer-term goal because many organizations — public and private alike — currently lack the visibility needed to fully understand their risks.
Adding another voice from the private sector, Camille Stewart, global head of product security for Google and a cyber fellow at the Harvard Belfer Center, said the intertwining of technology with much of society leaves companies concerned that the government could deem nearly all software as critical, given the right perspective.
Even dating services have become entangled in federal security, Stewart said, pointing to the 2020 sale of the dating app Grindr following a determination by the Committee on Foreign Investment in the United States (CFIUS) that the app’s then-ownership by a China-based company could pose a national security risk.
“As technology evolves and integrates into our lives in different ways, having a definition of ‘critical’ software that is too expansive could be really problematic,” Stewart said. “Everyone’s afraid that everything will become ‘critical.’”
PUBLIC-PRIVATE COLLABORATION
Government officials are also pushing for the private sector to report and share more information, but encouraging this may require overcoming turbulent history, said Bryson Bort, R Street senior fellow and founder and CEO of cyber risk assessment firm SCYTHE.
“We've had cases where private industry has been burned — where they have gone and talked to government, and government has leaked the information,” Bort said. “Those kinds of things are hard to come back from.”
But Manfra said that officials may be able to win more ready cooperation if they’re careful to narrow down their requests to only ask companies for the exact details needed to meet specific goals.
That will get the government further than simply making vague requests that the private sector “‘just tell us when bad things happen,’” she said, “because it’s hard to parse that out.”