With President Biden’s upcoming U.S. National Cybersecurity Strategy looming and CISA director Jen Easterly urging software liability, the U.S. cybersecurity posture appears poised to shift, especially in relation to controls around the development and operation of computer software.
The direction future policy will take remains open to speculation, but the signal from the strategy is that it may include a move toward mandatory regulation for critical infrastructure.
Considering what the strategy means is Jon Geater, Chief Product and Technology Officer at RKVST, a supply chain integrity provider. Geater explains to Digital Journal that identifying the origin of any security issue is key.
As Geater explains: “Holding vendors liable for software insecurity is a laudable goal and very likely to motivate action: comparisons are often made between building software and building bridges, and we long ago found ways of holding engineering companies accountable for failings if the bridge they build turns out to be unsafe.”
The situation has its complexities, however. As Geater states: “The devil’s in the details here. You can’t assess liability without finding fault, and even if we can define what ‘insecurity’ means – which is an entire Ph.D. category in itself – we still need to identify where the insecurity originated.”
The essential questions are of this kind: “Whose mistake led to hackers getting in? Whose negligence let that buggy software out into the world? Who authorized that particular open source package to be used for this use case?”
When these considerations are extended to software, the complications deepen (as is apparent from the Biden Administration document).
Here Geater observes: “In the case of a software breach there will be lots of moving parts with software, data, and security operations all at play, and right now it’s really hard to know where the critical failure originated because people don’t authenticate data, don’t track software provenance, and don’t record the who-did-what-when of releasing today’s complex software into the world.”
As to what the options are, Geater advises: “In order to successfully move forward in holding software suppliers accountable we need to make sure that the whole software and data supply chain are traceable and provable in order to efficiently demonstrate fault and bring issues to a conclusion quickly.”
Geater concludes by recommending: “Initiatives such as Internet Engineering Task Force’s SCITT are bringing this essential capability to the world.” This is a reference to ‘Supply Chain Integrity, Transparency, and Trust’.
SCITT supports the ongoing verification of goods and services: the authenticity of entities, evidence, policy, and artifacts can be assured, and the actions of entities can be guaranteed to be authorized, non-repudiable, immutable, and auditable.
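The properties listed above (authorized, non-repudiable, immutable, auditable) are easier to see in a minimal working model of a provenance registry: each party signs a statement about an artifact (who did what, when), entries are hash-chained so history cannot be silently rewritten, and an auditor replays the whole log. The following Go program is an added illustration written for this article; it is not SCITT’s actual message format, nor RKVST’s code. The party names, timestamps, and artifact digest are constructed, and the `Registry` and `Statement` types are this example’s own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Statement is one claim about an artifact: who did what, when.
// Constructed toy structure for illustration, not the SCITT wire format.
type Statement struct {
	Issuer   string `json:"issuer"`    // party making the claim
	Action   string `json:"action"`    // e.g. "built", "reviewed", "released"
	Artifact string `json:"artifact"`  // hex SHA-256 of the software artifact
	Time     string `json:"time"`      // RFC 3339 timestamp (constructed)
	PrevHash string `json:"prev_hash"` // hash of the previous entry; chains the log
}

// Entry is a statement plus the issuer's Ed25519 signature over its canonical encoding.
type Entry struct {
	Statement Statement
	Signature []byte
}

// Registry is an append-only log plus the public keys of the parties it trusts.
type Registry struct {
	Entries []Entry
	Trusted map[string]ed25519.PublicKey // issuer name -> verification key
}

// DemoArtifact is the digest of constructed artifact bytes, standing in for a real release.
var DemoArtifact = func() string {
	h := sha256.Sum256([]byte("constructed contents of example-app-1.2.3.tar.gz"))
	return hex.EncodeToString(h[:])
}()

// canonical gives a deterministic byte encoding to sign (struct field order is fixed).
func canonical(s Statement) []byte {
	b, _ := json.Marshal(s)
	return b
}

// entryHash covers both the statement and its signature, so neither can change unnoticed.
func entryHash(e Entry) string {
	h := sha256.Sum256(append(canonical(e.Statement), e.Signature...))
	return hex.EncodeToString(h[:])
}

// Append registers a signed statement, refusing issuers that are not on the trusted list
// (the "authorized" property) and chaining it to the previous entry (the "immutable" one).
func (r *Registry) Append(issuer string, priv ed25519.PrivateKey, action, artifact, when string) error {
	if _, ok := r.Trusted[issuer]; !ok {
		return fmt.Errorf("issuer %q is not authorized to register statements", issuer)
	}
	prev := ""
	if n := len(r.Entries); n > 0 {
		prev = entryHash(r.Entries[n-1])
	}
	s := Statement{Issuer: issuer, Action: action, Artifact: artifact, Time: when, PrevHash: prev}
	r.Entries = append(r.Entries, Entry{Statement: s, Signature: ed25519.Sign(priv, canonical(s))})
	return nil
}

// Verify replays the log: each entry must carry a valid signature under the key of the
// issuer it names (non-repudiation), and the hash chain must be unbroken (immutability).
func (r *Registry) Verify() error {
	prev := ""
	for i, e := range r.Entries {
		pub, ok := r.Trusted[e.Statement.Issuer]
		if !ok {
			return fmt.Errorf("entry %d: unknown issuer %q", i, e.Statement.Issuer)
		}
		if !ed25519.Verify(pub, canonical(e.Statement), e.Signature) {
			return fmt.Errorf("entry %d: signature does not match issuer %q", i, e.Statement.Issuer)
		}
		if e.Statement.PrevHash != prev {
			return fmt.Errorf("entry %d: hash chain broken", i)
		}
		prev = entryHash(e)
	}
	return nil
}

// History returns the audit trail for one artifact digest, in log order (auditability).
func (r *Registry) History(artifact string) []string {
	var out []string
	for _, e := range r.Entries {
		if e.Statement.Artifact == artifact {
			out = append(out, e.Statement.Time+" "+e.Statement.Issuer+" "+e.Statement.Action)
		}
	}
	return out
}

// NewDemo builds a registry with two trusted parties (constructed names) and a three-step
// release history for DemoArtifact. It also returns the private keys so callers can test.
func NewDemo() (*Registry, map[string]ed25519.PrivateKey, error) {
	keys := map[string]ed25519.PrivateKey{}
	r := &Registry{Trusted: map[string]ed25519.PublicKey{}}
	for _, name := range []string{"builder", "release-manager"} {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, nil, err
		}
		keys[name], r.Trusted[name] = priv, pub
	}
	steps := []struct{ issuer, action, when string }{ // constructed timeline
		{"builder", "built", "2023-03-01T10:00:00Z"},
		{"release-manager", "reviewed", "2023-03-01T12:00:00Z"},
		{"release-manager", "released", "2023-03-02T09:00:00Z"},
	}
	for _, s := range steps {
		if err := r.Append(s.issuer, keys[s.issuer], s.action, DemoArtifact, s.when); err != nil {
			return nil, nil, err
		}
	}
	return r, keys, nil
}

func main() {
	r, _, err := NewDemo()
	if err != nil {
		panic(err)
	}
	for _, line := range r.History(DemoArtifact) {
		fmt.Println(line)
	}
	fmt.Println("log verifies:", r.Verify() == nil)
}
```

Two design points worth noting. Because each signature is made with the issuer’s own private key, a builder cannot later claim a release was authorized by the release manager, and the release manager cannot deny having signed a release: that is what makes the record usable for the fault-finding Geater describes. The hash chain detects edits and deletions inside the log, but a log holder could still drop entries from the tail; a transparency service closes that gap by publishing signed commitments to the current log state that parties keep as receipts, which is the role a service built on SCITT’s model plays rather than something this toy registry implements.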