ONCD report outlines path to enhanced cybersecurity through secure software and hardware practices

The U.S. Office of the National Cyber Director (ONCD) published a technical report, built upon President Joe Biden’s National Cybersecurity Strategy, describing the urgent need to address undiscovered vulnerabilities that malicious actors can exploit. The report calls for reducing memory safety vulnerabilities at scale so that creators of software and hardware can better secure the building blocks of cyberspace. To establish accurate cybersecurity quality metrics, advances can be made to address the hard and complex research problem of software measurability. This report explores how such metrics can shift market forces to improve cybersecurity quality across the ecosystem.

The ONCD report complements other Biden-Harris Administration programs on secure-by-design and research and development efforts, including initiatives led by the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and National Institute of Standards and Technology (NIST), among others. The government recognizes that these approaches must be done in partnership with the technical community, which is well-positioned to take meaningful action to secure us in this decisive decade.

Titled ‘Back to the Building Blocks: A Path Toward Secure and Measurable Software,’ the report focuses on the programming language as a primary building block, and explores hardware architecture and formal methods as complementary approaches to achieve similar outcomes. Also, to establish better cybersecurity quality metrics, the research community can address the hard and complex research problem of software measurability. The report explores how such metrics can shift market forces to improve cybersecurity quality across the ecosystem.

The report details that to anticipate other systemic risks to cyberspace, “we must develop better metrics that can help us determine the cybersecurity quality of our software. Many organizations face risk from their software because of a lack of information that would otherwise help reduce further vulnerabilities – either by stopping them before they occur, finding them before they are exploited, or reducing their impact.” 

However, creating such metrics is difficult because software is part of a dynamic and complex ecosystem, it added. 

“Thanks to the work of our ONCD team and some tremendous collaboration from the technical community and our public and private sector partners, the report released today outlines the threat and opportunity available to us as we move toward a future where software is memory-safe and secure by design,” Harry Coker, National Cyber Director, said in a recent media statement. “I’m also pleased that we are working with and calling on the academic community to help us solve another hard problem: how do we develop better diagnostics to measure cybersecurity quality? Addressing these challenges is imperative to ensuring we can secure our digital ecosystem long-term and protect the security of our Nation.”

Since the publication of the President’s National Cybersecurity Strategy, the Biden-Harris Administration has taken concrete steps toward achieving these two fundamental shifts. 

The National Cybersecurity Strategy Implementation Plan (NCSIP) puts forth a roadmap of detailed initiatives for the U.S. government to drive coordinated action. The National Cyber Workforce and Education Strategy (NCWES), the progeny of the Strategy, lays out a plan for employers to grow their cyber workforce and educators to expand access to cyber training. This report speaks directly to the technical community, including technology manufacturers and academic researchers, illustrating two ways their actions can make significant improvements to the Nation’s cybersecurity posture.

The document identified that to reduce the burden currently placed on end users to protect themselves from cybersecurity threats, efforts must be made to proactively eliminate entire categories of software vulnerabilities. 

It added that to better understand the prevalence of these categories, software manufacturers should consider publishing timely, complete, and consistent Common Vulnerabilities and Exposures (CVE) data, including the Common Weakness Enumeration (CWE). Past analysis of CVE data identified memory safety bugs as one of the most pervasive classes of vulnerabilities that have plagued cyber defenders for decades.

By adopting an engineering-forward approach to policymaking, the ONCD is ensuring that the technical community’s expertise is reflected in how the federal government approaches these problems. Creators of software and hardware can have an outsized impact on the nation’s shared security by factoring cybersecurity outcomes into the manufacturing process.

The work on memory safety in the report complements interest from Congress on this topic. This includes the efforts of the U.S. Senate and House Appropriations Committees, which included directive report language requiring a briefing from ONCD on this issue in Fiscal Year 2023 appropriations legislation.

Additionally, U.S. Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-MI) and U.S. Senator Ron Wyden (D-OR) have highlighted their legislative efforts on memory safety to ONCD.

Furthermore, the concepts in this report incorporate critical input received from leaders in the private sector, civil society, and academic communities. This includes public feedback from a Request for Information on Open-Source Software and Memory Safety, and from multiple nationwide technical workshops on Space Systems Cybersecurity.

In conclusion, the report said that the challenge of eliminating entire classes of software vulnerabilities is an urgent and complex problem. “Looking forward, new approaches must be taken to mitigate this risk. Doing so will allow the United States to continue its progress toward President Biden’s affirmative vision for a secure and resilient cyberspace. The technical community is critical to this progress. Through the adoption of memory-safe programming languages, creators of software and hardware can better secure the building blocks of cyberspace and proactively eliminate entire classes of bugs.” 

By rallying around the hard and complex problem of software measurability, the research community can develop better cybersecurity quality metrics to incentivize better decision-making by consumers, manufacturers, and policymakers across the ecosystem. These efforts will be bold, long-term endeavors that require sustained focus and prioritization. Now is the time to begin this work.

The road toward this vision requires a recognition that the Nation is at its best when Americans work together. It is a path that requires the convergence of government initiative, private sector innovation, and groundbreaking academic research. Working together to proactively eliminate software vulnerabilities alleviates the burden from those least equipped to bear it, and empowers front-line cyber defenders to look forward. Defining high-quality cybersecurity realigns incentives and provides confidence in what cyberspace can be.

Last September, CISA published its Hardware Bill of Materials (HBOM) Framework for Supply Chain Risk Management. This document introduces an HBOM framework that creates a consistent, replicable avenue for vendors to engage with purchasers about hardware components in their current or prospective product acquisitions. The framework equips purchasers with the means to thoroughly evaluate and mitigate risks within their supply chains.