Time for the gloves to come off, the U.S. government said on Thursday in a newly aggressive policy on cybersecurity that has — mostly — thrilled cybersecurity experts.
The feds asserted that expecting the tech industry to voluntarily report computer system intrusions and to patch regularly so as to fend off attacks on critical infrastructure just isn’t cutting it, given the escalating barrage of increasingly sophisticated cyber assaults — often backed by hostile nation states — intended to infiltrate critical government and private networks.
Instead of good-faith efforts, the tech industry must be required to meet minimum cybersecurity standards, according to the Biden administration’s new National Cybersecurity Strategy (PDF), released on Thursday, March 2.
“Information sharing and public-private partnerships are inadequate for the threats we face when we look at critical infrastructure,” Anne Neuberger, deputy national security advisor for cyber and emerging technology, told reporters in a briefing at the Center for Strategic and International Studies (CSIS), a Washington think tank. It’s now time “to implement minimum mandates,” she said.
This is “wonderful news,” cybersecurity experts declared.
“The security transparency genie is out of the bottle and it’s never going back,” said Contrast Security CTO and co-founder Jeff Williams.
“It seems that consumers, like the government, companies, and even some individuals have finally realized that many software producers are not “telling the whole truth” about their security efforts,” he said. They’ve all started to demand transparency, he said, starting with Software Bills of Materials (SBOMs) and now MFA.
“In a few months, the soon-to-be mandatory OMB-22-18 [self-attestation letters regarding security practices] will force software producers to disclose and attest to their security practices, similar to Sarbanes-Oxley,” Williams said, referring to the 2020 federal act engineered to address public disclosure and auditing scandals.
Check out the “Get ready for grilling” Code Patrol episode featuring Williams discussing OMB-22-18
“The more things are made transparent, the more questions come up,” Williams continued. “The SBOM community is already asking hard questions about the security of backend services, build procedures, development tooling, pipeline integrity, provenance, and many other ways that software can end up with either unintentional vulnerabilities or malicious code.”
The time has come for sunshine to illuminate what have been the murky waters of software, Williams said. “We’ve finally started the inevitable and accelerating path towards ‘security in sunshine. It will mean that software producers won’t be able to skip, defer, ignore, minimize, pretend or avoid basic application security hygiene.”
Taking a firmer hand is ‘critical’
Steve Wilson, Contrast chief product officer, is equally thrilled at what he called Biden’s “aggressive stance.” The approach is “critical” in securing the critical and complex applications being developed in both the government and private sectors, he said.
“The call in the strategy for ‘new tools for secure software development, software transparency and vulnerability discovery’ will force many organizations to move past the ‘check the box’ approach to application security that is allowing large corporations to move forward with thousands of known software security vulnerabilities in their applications,” Wilson said.
This isn’t an EO — yet
Thursday’s strategy isn’t an executive order (EO). It is, rather, a policy document. Such cybersecurity strategies issued by the national government are nothing new. Over the past 20 years, every administration since that of George W. Bush has issued its own version.
However, the strategy espoused in the new document represents a marked departure from the norm, in that it calls for mandates on private industry — the companies in control of most of the nation’s digital infrastructure — instead of voluntary security risk management. The policy also calls for expanding the government’s power to take offensive action to pre-empt cyberattacks, especially from foreign powers.
That should come as no surprise. It’s already happening. In November, as The Hill reported, FBI Director Christopher Wray told lawmakers that the FBI conducts cyber offensive operations. Other U.S. agencies have also waged cyber operations against nation-state threat actors, including what Paul Nakasone, the head of U.S. Cyber Command, has described as “offensive, defensive, [and] information operations” to support Ukraine.
Tech industry, it’s time to step up to the plate
As Politico reports, an anonymous senior administration official said that the White House is working on an “implementation plan” that will be released in the coming months. The plan will be the blueprint for realizing the strategy’s goals, including building new regulatory tools over key sectors, providing resources to critical infrastructure groups that can’t afford to implement new requirements on their own and to shift more responsibility for cyber risk onto the tech industry.
The cybersecurity strategy seeks to “rebalance the responsibility for cyber risk to those who are most able to bear it,” Acting National Cyber Director Kemba Eneas Walden said in the CSIS briefing. “The biggest, most capable, and best-positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risk and keeping us all safe.”
It’s about time, experts said. Contrast CISO David Lindner agreed with the policy’s position that vendors have been ignoring best practices: The document asserts that “Too many vendors ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unvetted or unknown provenance.”
That’s been status quo for too long, Lindner said: “Those of us in the technology sector have known this for a very long time. As of today, the average number of new Common Vulnerabilities and Exposures released per day in 2023 sits at 76.9 (per https://CVE.icu), and that doesn’t include the fact that on average a software application has 25 vulnerabilities in their custom code,” he said, referring to data from Contrast Security.
“I have longed for the day of regulation and accountability when it comes to the security of the software the world is producing, and at least in the U.S., it appears I will get my wish,” Lindner said.
The missing pieces
But while cybersec experts roundly lauded the new policy, at least one pointed out some missing pieces. Contrast Senior VP of Cyber Strategy Tom Kellermann said that while he’s “elated” to see the national strategy empowering law enforcement to finally take the gloves off, the policy is lacking mandates for software vendors to secure their code: a grave omission, given that “our current code base has cancer,” Kellermann said.
As well, Kellermann is looking for regulations on digital currencies and takedowns of digital currencies that are complicit in the cybercrime ecosystem. One example is monero, increasingly seen as the “cryptocurrency of choice for the world’s top ransomware criminals.”
Still, the policy is welcome news: “Cybercrime cartels and spies have been operating with relative impunity for decades. I commend the administration on mandating cybersecurity requirements for critical infrastructures,” Kellermann said. “This will enhance our defensive posture against systemic destructive attacks. These bold steps coupled with the unprecedented level of information sharing buttress our Nation’s national and economic security.”
Good news for enterprises
With regards to what the strategy means for enterprises, Kellermann said “critical infrastructures will finally have to comply with minimum cybersecurity requirements,” but that traditional enterprises will benefit the most from the administration’s efforts to secure the software supply chain.
“Specifically, the creation of a liability regime for software vendors which will inherently improve the security of software,” he explained.
As far as Kellermann’s comments about "taking the gloves off," he believes the strategy “has fangs.”
“The [National Security Agency (NSA)] and FBI will now disrupt and degrade the forums and the [command-and-control] of the cybercrime cartels,” he said. “This will force the adversary to play defense for once. Through SIGNET and proportionate cyberattacks Russia and Chinese cyberspies will be confronted. A reckoning has begun.”
Are YOUR apps safe?
It’s about time, said Contrast Chief Marketing Officer Tara Ryan. “A decade ago we started to worry about smart devices and IOT posing a security risk — one where your smart refrigerator could get hacked. Today we live on millions of applications, and exchange tremendous personal value from the digital experiences provided by the brands we love most.
“Are your apps running safe? If not, you better find out," Ryan urged consumers "Ask the brand that built them. We all live through applications — getting loans, paying bills, making health decisions and communicating with the people we love. Make sure the banks, healthcare providers and retailers you give your personal data to have built the app you use daily, safely and also make sure they can prove it to you."
Hackers today know all too well the vulnerabilities in the Software Development Lifecycle (SDLC), Ryan stressed, and they’re “excited” to exploit it, from the far left — as in, when software is still in development — and all the way to the right, through the production cycle when software with known vulnerabilities gets released to consumers.
“Sure, we all buy a car now knowing it, and we can get harmed in an accident, but in the same way we trust the brand to initiate a safety recall to protect their customer, shouldn't we expect the same from banks and more brands that ask us to drive our lives through their apps?” she asked.
“Governments are getting involved,” she said. The best brands are too. So should you. Demand secure apps.”