CISA, DHS eye open source software use in critical infrastructure

The Cybersecurity and Infrastructure Security Agency is keyed in on "cyber safety" to start 2023.

The Cybersecurity and Infrastructure Security Agency is gearing up efforts to improve transparency and visibility in software and technology supply chains this year, with various efforts snowballing toward what the agency’s leader calls “cyber safety.”

CISA and the Department of Homeland Security’s Science and Technology Directorate, for instance, are sketching out projects to dig into the use of open source software in critical infrastructure sectors, Allan Friedman, CISA senior advisor and strategist, said at a Jan. 10 event at the Center for Strategic and International Studies sponsored by GitHub.

“One thing that we’re interested here at CISA is, what are the pieces that are particularly relevant to critical infrastructure?” Friedman said. “A lot of the great work that’s happened is focused on data for modern applications. That’s where the data is. And so we’re looking and trying to plan some research projects with our colleagues at DHS S&T to sort of say, ‘What’s unique?’”

The Biden administration has focused on increasing the security and sustainability of open source software, which underpins many commercial technology products and services. Last January, the White House hosted an open source summit with representatives from agencies, big technology corporations and open source software foundations.

Friedman said that while most open source activity takes place outside of agency confines, the government can step in where “massive resources aren’t available today,” such as critical infrastructure.

“So understanding, what are the massive public goods where government is needed to both write checks and help coordinate, is going to be a key part moving forward and advancing the agenda to support open source and support sustainability,” Friedman said.

Open source software is just one piece of the Biden administration’s focus on cybersecurity. CISA Director Jen Easterly used her panel discussion at the Consumer Electronics Show in Las Vegas, Nevada, last week to raise a red flag about “decades of insecure technology design.”

“We don’t seem to be recognizing that as a fundamental safety issue,” Easterly said. “We’ve somehow accepted that the incentives are all aligned towards cost, capability, performance, speed to market and not safety. And we’ve accepted that software is developed with all kinds of vulnerabilities and flaws.”

She cited the need for a “different approach,” with government and industry taking shared responsibility for “cyber safety.”

“That’s what we’re trying to do at CISA, as America’s cyber defense agency, is take a different approach to sustainable cybersecurity, which essentially is about technology companies that are creating technology that is secure by design and secure by default,” Easterly said.

Agencies are intimately involved in efforts geared toward increasing visibility in the software and technology industry. Friedman and his team at CISA are coordinating efforts to bring the Software Bill of Materials concept into wider use, while the White House is expected to roll out a national cybersecurity labeling program for some Internet-connected devices this spring.

Friedman pointed to the need for initiatives that take into account the different perspectives and motivations across the global technology ecosystem, where leading tech vendors often build their proprietary products on a patchwork of open source code maintained by developers around the world.

“In large companies, we’ve been thinking about supply chains, and of course in the U.S. government, we’re now focused on, where does the stuff we use come from? Because we need to understand the risk,” Friedman said. “But it’s important to remember that for a large portion of the ecosystem that we care about, that perspective is not shared. And so as we build out policies, we need to focus on that.”

He called “visibility” the “absolutely necessary piece,” and pointed to recent efforts to protect against memory safety issues in software, which are estimated to account for around 70% of the vulnerabilities at both Google and Microsoft.

But as CISA and other agencies continue to dig into technology vulnerabilities, Friedman warned that peeling back the curtain will reveal some uncomfortable findings.

“It’s important to acknowledge that we should expect it to get worse before it gets better, or rather, greater visibility into different types of risks means that we’re going to see more risks,” Friedman said. “That doesn’t mean the problem is getting worse. That means that we are in a better position to understand what the risks are, and how we collectively can deal with them.”

Copyright © 2024 Federal News Network. All rights reserved.
