Chris Inglis said the government is setting a new bar for supply chain security as the national cybersecurity focus shifts from incident response to cyber resilience.
Software development teams are going to be held to a higher standard for securing their software, as the federal government shifts its focus from incident response to cyber resilience, say two senior White House cybersecurity officials.
Spurred on by President Biden’s Executive Order for Improving the Nation’s Cybersecurity, the U.S. government is transitioning quickly from focusing on incident response to cyber resilience, National Cyber Director Chris Inglis told a gathering of policy experts at an event hosted by the Center for Strategic and International Studies (CSIS), a Washington D.C. think tank.
Here are the key takeaways from the event.
No more ‘losing slowly’
Citing the crisis caused by the disclosure of a critical, remotely exploitable hole in the Log4j open source library, Inglis said the government’s aim now was to prevent future Log4j’s from happening.
“A year ago, the unrelenting focus oftentimes was on operational response,” Inglis said about the federal government’s cyber policy. The federal response to Log4j went “extremely well. [But] if we responded that way well, excellently, time, after time, after time, we’d just lose more slowly.”
—Chris Inglis, National Cyber Director
The focus of the federal government now is to “actually push responsibility for building resilience in by design to the technology, to the roles and responsibilities, and to the people skills, such that we avoid those (Log4j) events,” he said.
Inglis was interviewed alongside Anne Neuberger, who is Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technologies at the National Security Council.
The two talked up the government’s efforts that promote companies to improve the security of their technology, in part by adopting a “secure by design” approach. President Biden’s May, 2021 Executive Order 14028 set the course, Inglis said.
“Executive Order 14028… has been a watershed moment for us to actually make the commitment, to get the technology, the architecture right."
Likening the work of the White House to past government programs to regulate the safety and security of transportation systems, Inglis said that the preferred approach was to have a “light touch” when it came to mandating security measures, and to allow market forces to drive change — as happened with automobile safety features.
But that will mean putting responsibility for security squarely in the lap of technology providers and their suppliers and partners, and making it clear that end users are not the responsible parties, Ingles said.
“Everyone agrees, I think, that the first and last line of defense can’t be the user at the end of that supply chain. We have to push some responsibility along that supply chain."
View the conversation on YouTube.
Security labeling, anyone?
Neuberger said that the recently introduced Internet of Things security labeling guidelines, which will come out in 2023, are part of that shift of responsibility from end users to technology providers.
"When someone is making a purchase decision for tech, whether a consumer buying a smart TV or a power grid operator buying an unmanned sensor, they have no way to know what is the security of this device and what risk does it bring to me."
—Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technologies at the NSC
While “regulation” has long been treated as a four letter word in Washington D.C., Inglis and Neuberger didn’t rule it out, especially in the context of securing critical infrastructure like energy and transportation.
Still, Inglis said that private sector firms were warning to the idea of designing resilience into their products and systems.
“When you talk to the private sector leaders, both the technologists and the committing officials, perhaps, from the boardrooms, they acknowledge that resilience has to be by design built into the systems that they deliver."
Evolving guidance on supply chain security
Since taking office, the Biden Administration has used the purchasing power of the federal government to try to shape a federal software supply chain security policy. In addition to the Executive Order in 2021, the Administration has, in recent months, issued a number of directives designed to improve the security of the software and services government agencies rely on.
In September, for example, the Office of Management and Budget published a memorandum, M-22-18, that requires federal agencies to comply with NIST guidance on software supply chain security, including NIST Special Publication 800-218 on developing a secure software development framework and subsequent NIST guidance on software supply chain security.
The memo also set out a timeline for federal agencies to communicate new software security requirements to their vendors, and for software publishers that sell to federal agencies to self-attest to the security of their wares. That deadline is 270 days from the release of the memo for vendors who sell “critical” software and services to federal agencies. Vendors selling non-critical software have a year to attest to the security of their wares.
SBOMs are the first, essential step
The memo has also opened the door to federal agencies requiring the creation of Software Bills of Materials (SBOMs) that allow them to identify, track and monitor individual components within larger applications and services. The new White House memo does not require software publishers to use — or federal agencies to require — the creation of an SBOM to validate their attestation. However, the language in the memo makes clear that an SBOM “may be required” by an agency as part of solicitation requirements, especially for software deemed “critical.”
Inglis said the new guidance is helping to set "expectations across the length and breadth of the supply chain."
"It doesn’t relieve the burden on the end user to participate in his or her own defense...[But] we need to push some of that accountability across the system so that the beneficiaries, the maximum number of beneficiaries can profit from the benefits of cyberspace."