By Joseph Marks
The San Francisco skyline on Oct. 28, 2015. (Eric Risberg/AP)
Allan Friedman, who leads cybersecurity initiatives at the agency's National Telecommunications and Information Administration, thinks companies could make the entire technology ecosystem dramatically more secure just by publishing a record of all the software that goes into their products.
In other words, he wants every piece of technology in the United States to have a public “ingredients list.”
And just like ingredient lists at the grocery store help consumers make smarter decisions about what they eat, the equivalent in software will help companies make smarter decisions about what they buy and how they protect it, he told me. And he wants to convince companies he meets with at RSA that being more transparent about their software — which can be complicated for legal and competitive reasons — could actually help them improve the services or products they offer clients.
“This is about making it easier and cheaper for anyone across the ecosystem to be aware about what they’re using,” Friedman said.
The problem is there’s not much incentive for any individual company to start publishing these ingredient lists — which NTIA calls a “software bill of materials.” The benefit only comes when a lot of companies are publishing the lists and the entire software ecosystem is more transparent.
If government can convince companies it’s in their best interest to work together on software transparency — and help them figure out an efficient and standardized way to do it — that will make a bigger difference than government trying to force a change, Friedman told me.
“In a world where no one is asking for this, people are not going to provide it, and in a world where there aren’t tools to do this, no one’s going to ask for it,” Friedman told me. “Rather than asking nicely for someone to get into the cold pool or go pushing people in the cold pool, government is helping people to hold hands and jump in together.”
The Software Bill of Materials project is the latest example of how the government is trying to fundamentally reshape how people and companies manage cybersecurity through conversations and consensus-building rather than mandates.
The Homeland Security Department, for example, is working with industry sectors on ways to identify the most insecure parts of their supply chains and to map out the most critical parts of U.S. digital infrastructure that require the greatest amount of protection.
NTIA also convened cybersecurity researchers and companies to talk about better ways to share information about newfound computer vulnerabilities. The Software Bill of Materials project itself grew out of an earlier government and industry collaboration focused on making the Internet ecosystem more resilient against armies of zombie computers known as botnets.
NTIA has been working since July with about 100 people who have a financial or policy interest in the Software Bill of Materials project, including cybersecurity researchers, academics and industry representatives from health care, financial services and other sectors.
Those participants have split into four working groups that are scheduled to release early findings this spring, Friedman told me — focused on the format the ingredients lists should take, what they should include, models that already exist and special considerations in the health-care sector.
During the RSA conference, Friedman wants to get more security companies engaged in the process.
He also wants to contact major companies that spend millions on software each year about how increased transparency will make their organizations more secure.
“I’ll be reaching out to as many folks as possible about how this is in their security interests,” he told me.
Once the ingredient lists are common, organizations will be able to use them in numerous ways, Friedman told me.
At the most basic level, they’ll be guideposts for cybersecurity researchers looking for hackable bugs inside major products. They’ll also help companies make smarter decisions about the software they buy — avoiding products that rely on overly complex supply chains or software from vendors that have gone out of business.
Some people could also build businesses out of the data, such as automated tools that tell companies how risky their software footprint is and ways to make it safer, Friedman said.
“The value is really going to emerge from all the tools and innovative business models that can leverage this data to understand risks as they emerge or even before they emerge,” he said.
The ingredient lists will also even the playing field between hackers and cyber defenders who often have less information about what software their companies are running than the attackers do, Friedman said.
“What we’re doing is giving the good guys ways to defend themselves because the bad guys already have this information,” he said.
A Surface Laptop computer at Microsoft's main campus in Redmond, Wash., on April 20, 2017. (Mike Kane/Bloomberg News)
“They’ve proved it’s not a pipeline issue by having a much better speaker lineup this year,” Lea Kissner, chief privacy officer for the data start-up Humu, told the Chronicle. Sandra Toms, the chief organizer of RSA, said conference sponsors proposed mostly male names for keynotes again this year, but she told them to come back with a more diverse list, the Chronicle reported.
“Also new this year is a half-day training to help women become more effective public speakers and find the confidence to apply for keynote opportunities,” the Chronicle reported.
Sen. Marco Rubio (R-Fla.) in Washington on Feb. 11. (Carolyn Kaster/AP)
Warner and Rubio said the Senate Intelligence Committee over the past year “has heard anecdotal concerns that China is attempting to exert pressure or political influence” on those organizations. “Not only does political influence undermine fair competition, it also raises serious economic and security concerns for 5G and future generations of wireless technologies,” the senators said in the letter. U.S. officials have sought to persuade foreign allies not to allow Chinese telecommunications company Huawei to build their 5G networks, citing concerns about potential Chinese spying.
A man walks along a street in Pyongyang, North Korea, on Feb. 15. (Ed Jones/AFP/Getty Images)
McAfee also found that a North Korea-linked cyber espionage campaign uncovered last year lasted longer and targeted more organizations than initially thought. Hackers from the Lazarus Group started their espionage campaign — called Operation Sharpshooter — as early as September 2017 rather than in 2018 and targeted more than the 80 organizations McAfee originally identified, according to a news release. The hacking group's current targets are located largely in the United States, Britain, Germany and Turkey, McAfee said.
Lazarus Group “primarily leveraged spearphishing emails, masked as extremely convincing job recruitments, to gain access to systems,” McAfee reported. That’s “an ordinary and unadvanced technique” that nevertheless “was still wildly successful in enabling Lazarus to breach major organizations,” the report states.
The Washington Monument in Washington on Jan. 28. (Mandel Ngan/AFP/Getty Images)
— Rep. Mike D. Rogers (R-Ala.), the ranking Republican on the House Homeland Security Committee, said that the legislative and executive branches have not “been able to get ahead of” cybersecurity threats, according to Inside Cybersecurity's Maggie Miller.
Cisco Systems chief executive Chuck Robbins at the Mobile World Congress (MWC) in Barcelona on Feb. 27. (Pau Barrena/AFP/Getty Images)
German Chancellor Angela Merkel in Berlin on Feb. 19. (Markus Schreiber/AP)
— Jeremy Burge, founder of Emojipedia and creator of World Emoji Day, tweeted that the phone number that people use on Facebook for two-factor authentication can now be searched within the social network, prompting privacy concerns.
For years Facebook claimed that adding a phone number for 2FA was only for security. Now it can be searched and there's no way to disable that. pic.twitter.com/zpYhuwADMS — Jeremy Burge 🐥🧿 (@jeremyburge) March 1, 2019
Yep. I can no longer keep private the phone number that I PROVIDED ONLY FOR SECURITY to Facebook. ZERO notification of this major, risky change. For years I urged dissidents at risk to use 2FA on Facebook. They were afraid of this. @Facebook doesn't care about their safety. pic.twitter.com/lW8wjBJlfz — zeynep tufekci (@zeynep) March 3, 2019
This is why I’ve been warning about the potential privacy downsides of their plan to integrate messaging on Instagram, WhatsApp and Facebook. Zuckerberg says they’re doing it to bring encryption across services. But it will ultimately allow Facebook to connect your identities. — Sarah Frier (@sarahfrier) March 3, 2019
This is a perfect privacy example of a lack of respect for the context in which information is collected https://t.co/Q8un4urWze — Girard Kelly (@girardkelly) March 3, 2019
- RSA Conference in San Francisco through Friday.
- The Center for Strategic and International Studies holds an event on “digital governance and the pursuit of technological leadership.”
- The Woodrow Wilson Center holds a discussion on China and 5G.
- Senate Permanent Subcommittee on Investigations hearing on data breaches in the private sector on Thursday.
- The Brookings Institution holds a discussion on “How to improve cybersecurity career and technical education” on March 13.
Source: The Washington Post