Cybersecurity executive order is a game changer but not a panacea
It’s been three months since President BidenJoe BidenFauci says school should be open 'full blast' five days a week in the fall Overnight Defense: Military sexual assault reform bill has votes to pass in Senate l First active duty service member arrested over Jan. 6 riot l Israeli troops attack Gaza Strip Immigration experts say GOP senators questioned DHS secretary with misleading chart MORE announced he was “launching an urgent initiative to improve our capability, readiness and resilience in cyberspace.” The latest ransomware attack on the Colonial Pipeline adding to the already stark evidence of the need for America to drastically rethink and retool our outdated software procurement processes. The red light has been flashing for years that our nation’s infrastructure is vulnerable to cyber exploits. To the president’s credit, the Executive Order on Improving the Nation’s Cybersecurity is a game changer, but it’s not a panacea.
The executive order took a necessary step toward addressing what the Cybersecurity and Infrastructure Security Agency (CISA) called “concentrated sources of cyber risk” to the nation’s critical infrastructure, namely security vulnerabilities in the software supply chain. Specifically, the lack of visibility into a list of software components — known as a Software Bill of Materials (SBOM) — makes it nearly impossible to uncover vulnerabilities that malicious actors seek to exploit. As the executive order states, “too much of our software, including critical software, is shipped with significant vulnerabilities that our adversaries exploit.”
Take, for example, SolarWinds. This hack was due in part to the inability of the software purchaser — government entities and businesses — to adequately assess the security of software products. This lack of information about software vulnerabilities opened a dangerous door for bad actors to exploit in the digital infrastructure of America’s federal government, technology firms, and utility companies. As Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger noted regarding the government’s procurement of software, “we have no way to know the cybersecurity practices that were used in building … network management software or the level of risk we’re introducing to our networks by buying a particular software.”
Biden’s executive order provides a solution. It ensures that software companies selling to the federal government must “provide a [federal] purchaser an SBOM for each [software] product directly or by publishing it on a public website.” This SBOM requirement will be an invaluable tool for procurement officers managing cybersecurity and software supply chain risk and help developers and operators uncover vulnerabilities that hackers are targeting. Just as it is standard practice in the food, chemical and manufacturing industries to label products and provide a list of key ingredients to ensure safety and quality standards, software products will be required to do the same. This is important.
As every aspect of our lives has become more dependent on software, the importance of transparency and visibility into our nation’s software supply chain has increased. One only needs to look at long lines at gas stations and rising gas prices along the East Coast since the Colonial Pipeline attack, to see the tangible impact of insecure software on our lives. From the energy sector, to financial institutions, hospitals, transportation systems and our food supply — we depend on software to be secure. Even our cars have more than a 100 million lines of software code, requiring trusted security.
Additionally, the increasing pervasiveness of open-source software can add to the complex web of dependencies in the software supply chain. The average software application depends on more than 500 open source libraries and components. More than 90 percent of commercial software applications contain outdated or abandoned open source components. By requiring an SBOM, the executive order ensures federal agencies and critical infrastructure owners and operators can make informed procurement decisions — including replacing software with a history of security, performance, or reliability issues. And industry can quickly adapt using tools available today.
Certainly, by including an SBOM requirement in the executive order, Biden sent a message he is raising the cybersecurity bar for our nation and the current state of the insecurity of America’s software supply chain is unacceptable. But the order in and of itself is not a panacea, even with long-overdue game changers like the SBOM requirement. Nor is any other step in and of itself, but they are vital pieces.
The true test is whether, and the speed at which, the president and Congress can put together these pieces — like the executive order and Technology Modernization Fund’s prioritization of cybersecurity projects — in a comprehensive way. This includes adopting implementation measures and increasing investment in secure digital infrastructure, commensurate with today’s daunting cyberspace challenges.
Comprehensive action is essential to America’s safety and our way of life. It is a win that every member of Congress can take home and the president can tout: The cybersecurity of our nation’s government, businesses, and communities. Non-partisanship that protects America — now that’s a panacea.
Marjorie Dickman is chief government affairs and public policy officer at BlackBerry. She delivered remarks at this year’s B7 Digital Summit, urging the G7 nations to make cybersecurity a priority.
Gloss