Hey, all you federal CTOs, we see you.
We know what’s at the top of your priority list … and what should be at the top of your priority list but isn’t. We’re not spies; we know because we got the drill-down from this week’s Code Patrol guest, Steve Orrin, Intel’s Federal Chief Technology Officer and Senior Principal Engineer.
First, the unsurprising bit: Orrin says that federal agencies are focusing on zero-trust architecture. We’re talking about visibility into the software supply chain. About last year’s executive order (EO) on cybersecurity. About the EO’s offspring, including the M-22-18 memo from the federal Office of Management and Budget (OMB). About the fact that the government is good and fed up with the haze that hides potentially buggy libraries and the threats that come with them, such as Log4Shell, Sunburst and other supply-chain attacks; hence the new requirements for Software Bills of Materials (SBOMs) and software producers’ self-attestation letters, meant to assure federal agencies that the software they buy isn’t as full of holes as Swiss cheese.
You’re beyond just planning for zero-trust, though — you’re on to actual implementation, to deadlines, to rubber-hits-the-road deployment.
But while zero trust is what federal agencies are focused on, what they should be focused on is firmware and hardware security, Orrin asserts. He points to several papers put out at this year’s DEF CON and Black Hat detailing ways to attack firmware, or to leverage vulnerabilities in firmware, so as to get a foothold in the environment.
Peeking below the OS level
Why is this so important? One of the reasons, Orrin says, comes right back to visibility. “Your typical tooling, the antivirus and the other threat-hunting tools that you have at your disposal and that your enterprise is using to detect malware, to detect ransomware, to detect threats, don't have visibility below the operating system — below the hypervisor where the firmware sits and where these attacks and exploits are happening.”
That visibility requires a dedicated approach to how you manage security, he says. Plus, when you look at your enterprise management systems — whether patch management, vulnerability management or the overall life cycle — it’s apparent that we’ve all pretty much got it down when it comes to operating system and application updates.
But when it comes to firmware updates, organizations are still struggling. “Even though the tools are available today, they haven't been operationalized in many cases,” Orrin explains.
Some of that is fear. Some is simply lack of awareness. Either way, federal agencies need to deploy newer tool sets that integrate into their existing environments in order to support at-scale firmware updates, secure rollbacks and similar capabilities.
The good news: NIST is on it. Its SP 800-193, Platform Firmware Resiliency Guidelines, identifies not only the threats and risks around firmware security, but also how best practices can be implemented to deploy platform and component firmware security at scale and across systems.
Hardware security is obscured in the zero-trust buzzword blur
Are fed CTOs and CSOs getting the message? Well, as Orrin points out, they're constantly fighting fires. But firmware security can’t take a backseat when it comes to zero trust, he emphasizes.
“Part of the overall story to get zero trust, you need to understand: How do you secure the full stack to achieve that notional goal?” he asks. “To get supply-chain risk management deployed at scale, understanding that firmware is a fundamental part of your overall software and hardware supply chain.
“It's not that they can forget about firmware security, but sometimes it gets lost in the shuffle of the buzzword blur of zero trust.”
Want to cut through the haze to get some full-stack security clarity? Strap on your earbuds and have a listen to the podcast for more from Intel’s top guy on federal cybersecurity.