US House Oversight Committee urges stronger software security, deterrence of foreign cyber attacks

The U.S. House Subcommittee on Cybersecurity, Information Technology, and Government Innovation held a hearing on Wednesday addressing ways in which the nation can better ensure federal software systems are protected from attacks by hostile foreign nations and other threat actors. Subcommittee members also explored the tools the federal government can use to prevent threat actors from infiltrating federal software systems.

Titled ‘Safeguarding the Federal Software Supply Chain,’ the hearing outlined that the U.S. is critically dependent on software systems to carry out government processes and deliver services to U.S. taxpayers. “This dependency comes with a risk that vulnerabilities in software used by the federal government can be accessed by hostile threat actors to harm America.”

Jamil Jaffer, founder and executive director of the National Security Institute at the Antonin Scalia Law School at George Mason University, one of the witnesses at the hearing, highlighted the threat posed to the U.S. by software supply chain vulnerabilities: “When it comes to the threat scenarios, it is worth noting that the exploitation or compromise of our software supply chain not only has national security implications because of its use for potential espionage or the delivery of destructive malware, but also because of its continued use to expand the massive economic impact of nation-state-enabled IP theft.”

While numerous areas of the federal supply chain are at risk, the software supply chain in particular is difficult to safeguard due to layered and interconnected systems. The U.S. must do more to hold threat actors accountable. 

“The United States faces a major challenge in securing digital technology. Over the last 35 years, it constructed a series of deeply interconnected industrial and technology supply chains with China, based on the assumption that China would become a trustworthy partner, making it safe to take advantage of the business opportunities China presented,” said Dr. James Lewis, senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies, speaking to the specific cyber threats originating from China.

He added that at the time, “there was some truth to this, and companies in the United States and its allies made immense amounts of money, but ultimately it was a mistake. The United States and its allies have now learned that when it comes to cybersecurity and software supply chains, China is not trustworthy.”

Another witness, Roger Waldron, president of the Coalition for Government Procurement, discussed how the U.S. should prioritize buying commercial solutions where applicable as a way to better safeguard against untrustworthy foreign actors. 

“Buying commercial allows the federal government to leverage commercial expertise and investments in security and functionality,” according to Waldron. “It also ensures that the government stays current with security solutions in a dynamic cyber-threat environment. As the federal cybersecurity framework continues to evolve and mature, maintaining long-held preferences for commercial items will mitigate risk, increase competition, and deliver functionality for the federal customer.”

Rep. Nancy Mace, Subcommittee chairwoman and a Republican from South Carolina, queried whether the U.S. can and should draw redlines to deter enemy nations that conduct cyberwarfare against the U.S.

Jaffer agreed and said that he thinks “we need to make very clear our redlines in the cyber domain. Part of the challenge I think that we face in this domain is that we talk about our concerns, but we don’t actually effectuate them. We don’t talk about what our abilities are in the cyber domain, we don’t talk about what our redlines are, we don’t talk about what we would do if those redlines are actually crossed, and then worst, the world is seeing on the rare occasion that the U.S. established redlines, we don’t actually enforce them.”

Rep. Nick Langworthy, a Republican from New York, delved into the role that software bills of materials (SBOMs) could play in improving the procurement of federal software systems.

“Yes, it is the right direction. The question is the execution on the contracting side and looking at developing some standard formats,” Waldron agreed. “The issue in federal procurement is that there is the Federal Acquisition Regulation, agencies have all kinds of supplemental regulations; when you start developing an SBOM and a format, you have got to talk to industry. Come up with a common nomenclature, understanding what is actually going to be reported as part of those ingredients…”

Langworthy then moved on to whether SBOMs could offer a viable solution for securing the federal software supply chain and additionally, what are some of the concerns or drawbacks associated with SBOMs as a potential solution.

“Well, a couple of things, SBOMs can certainly help but only if you use them for a good purpose. Once you know what’s in the software, people have to do something about it,” Jaffer said. “They have to actually design their software in a way that’s secure and resilient inherently and holding people accountable for that rather than what’s in your soup and what makes the soup good is important. The second thing is that by exposing everything that is in an SBOM, it gives our adversaries information about what to go after.”

Commenting on the hearing, Chris Hughes, CISSP, chief security advisor at Endor Labs and Cyber Innovation Fellow at the Cybersecurity and Infrastructure Security Agency (CISA), wrote in an emailed statement that “while some of the questions raised around major updates, frequency and so on have some merit, it’s not accurate to say there’s a lack of framework and guidance around generating SBOMs or leveraging insights to bolster cybersecurity.”

He outlined that federal sources such as the NTIA and CISA have produced extensive documents discussing the potential value and use cases for SBOMs, from software identification and inventory to vulnerability management and incident response. 

“There are also extensive proprietary and open source tools available to aid in generating SBOMs, especially in modernized cloud-native environments,” Hughes added. “That said, there is still much to be figured out within the ecosystem, such as frequency of delivery, depth of the SBOMs, and how to actually ingest, enrich, analyze, and report on the contents at scale, especially in large, complex environments comprised of both internal development teams and hundreds or thousands of external software suppliers.”

Hughes pointed out that SBOMs are not a panacea or silver bullet, but one aspect of broader sound software supply chain security efforts and recommendations. “There is also much to be matured with the quality of SBOMs, how to integrate them into cybersecurity risk management programs, activities such as ingestion, enrichment, analysis and reporting and integrating them into vulnerability management, procurement, and acquisitions.” 
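To make the “ingestion, enrichment, analysis and reporting” steps Hughes refers to concrete, the following is an added example (not code from the hearing, from CISA, or from Endor Labs) of the minimal pipeline a vulnerability management team would run over a supplier-delivered SBOM. It parses a CycloneDX JSON document, matches each component's package URL (purl) against a vulnerability feed, and reports what is affected and what could not be identified. The SBOM, the feed, the package names and the advisory identifiers (`ADV-0001`, `ADV-0002`, `ADV-0003`) are all constructed for illustration and are not real packages or CVEs; a real feed such as OSV or the NVD would be keyed and versioned differently.

```python
"""Minimal SBOM ingestion, enrichment and reporting (added example).

Parses a CycloneDX JSON SBOM, reduces each component to a package URL
(purl) plus version, enriches it against a vulnerability feed, and
produces a report. The SBOM and the feed below are constructed inline;
the advisory identifiers are placeholders, not real CVEs.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX 1.5 SBOM (not from any real product).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-http", "version": "2.25.1",
         "purl": "pkg:pypi/example-http@2.25.1"},
        {"type": "library", "name": "example-yaml", "version": "5.3",
         "purl": "pkg:pypi/example-yaml@5.3"},
        {"type": "library", "name": "example-json", "version": "3.1.0",
         "purl": "pkg:pypi/example-json@3.1.0"},
        # A component the supplier shipped without a purl: a quality gap
        # that the report must surface rather than silently skip.
        {"type": "library", "name": "example-log", "version": "1.2.0"},
    ],
})

# Constructed feed: placeholder advisory IDs keyed by version-less purl,
# each with the first version that carries the fix.
SAMPLE_FEED: Dict[str, List[Tuple[str, str]]] = {
    "pkg:pypi/example-http": [("ADV-0001", "2.26.0")],
    "pkg:pypi/example-yaml": [("ADV-0002", "5.4")],
    "pkg:pypi/example-json": [("ADV-0003", "3.0.0")],  # already fixed
}


@dataclass
class Component:
    name: str
    version: str
    purl: Optional[str]          # None when the SBOM omitted it
    advisories: List[str] = field(default_factory=list)


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted version -> tuple of ints; non-numeric fragments count as 0."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_sbom(text: str) -> List[Component]:
    """Ingest: accept only CycloneDX and pull out the component list."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % doc.get("bomFormat"))
    return [Component(c["name"], c.get("version", ""), c.get("purl"))
            for c in doc.get("components", [])]


def enrich(components: List[Component],
           feed: Dict[str, List[Tuple[str, str]]]) -> List[Component]:
    """Attach advisories whose fixed version is newer than the shipped one."""
    for comp in components:
        if comp.purl is None:
            continue                      # cannot match; reported as a gap
        base = comp.purl.split("@", 1)[0]  # strip the version qualifier
        for adv_id, fixed_in in feed.get(base, []):
            if parse_version(comp.version) < parse_version(fixed_in):
                comp.advisories.append(adv_id)
    return components


def report(components: List[Component]) -> dict:
    """Summarise what is affected and what could not be identified."""
    return {
        "total": len(components),
        "vulnerable": {c.purl: c.advisories for c in components if c.advisories},
        "unidentified": [c.name for c in components if c.purl is None],
    }


def analyse(sbom_text: str, feed=SAMPLE_FEED) -> dict:
    return report(enrich(parse_sbom(sbom_text), feed))


if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_SBOM), indent=2))
```

The `unidentified` list is the part most often missing from ad-hoc tooling: a component without a purl (or with a version the feed cannot compare) produces no match, so an SBOM of poor quality looks clean unless the report calls out what it could not check. That is the depth and quality gap Hughes describes, made visible in the output.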

CISA this week published the first alert in its Secure by Design (SbD) Alert series, which focuses on malicious cyber activity against web management interfaces. It draws attention to how customers would be better shielded from malicious cyber activity targeting these systems if manufacturers implemented security best practices, eliminated repeat classes of vulnerabilities in their products, and aligned their work with SbD principles.