The increasing importance of cybersecurity was underlined in President Biden’s executive order of May 12, 2021. That focus has since been reiterated, and described even more emphatically, in the context of the Russian invasion of Ukraine.
A surprising conclusion from these governmental missives is that in the high-tech world of cybersecurity, the core challenge is not advanced cryptographic methods or quantum computing, but simply implementing known best practices in the real world.
I’ll bet you never thought you’d see a president issue an executive order describing how to handle logging, but that day has come. Let’s take a look at what the highest levels of government are calling for in cybersecurity.
Act Now to Protect Against Potential Cyberattacks
The White House issued a Fact Sheet on March 21, 2022 containing a summary of cybersecurity actions, called Act Now to Protect Against Potential Cyberattacks. This document begins by highlighting the danger posed by Russia-based threat actors, referring to live intelligence indicating these threats are very real. Indeed, this warning seems to be coming true.
The fact sheet describes the efforts to harden critical infrastructure like water and gas and to unify the international community in combating cybercrime like ransomware. It then goes on to acknowledge that the preponderance of critical infrastructure in the US is “owned and operated by the private sector,” rather than by government. It directs readers to CISA’s Shields Up page, a kind of clearinghouse of information on mitigating cyberattacks. Finally, it undertakes to outline the steps organizations should take.
The suggestions range from the specific, like using multi-factor authentication, to the near-philosophical, like making security something you “bake in, not bolt on.” The overall message on the practical side is admirably comprehensible and approachable, especially when you consider the collision of bureaucracy and technology. Its recommendations could be summarized as:
- Use MFA
- Use up-to-date antivirus software
- Keep in touch with your security people
- Change passwords regularly
- Back up data offline
- Practice emergency drills
- Encrypt your data
- Educate employees about common attack tactics and symptoms
- And finally, engage with the FBI or CISA before an attack occurs, so the relationship already exists
Then the document shifts into the more theoretical. To begin with, as I mentioned earlier, we should “bake in” security. This is sensible advice, I suppose: for those of us developing systems, keep security in mind all along the way instead of trying to add it at the end. Something like the security version of Aristotle’s old edict.
Bearing security in mind at all times rings true, as it inspires us to think about the security implications as we are making changes. On the other hand, it bears some resemblance to the old premature-optimization debate. We’re not going to wade into that here (or the test-driven development debate, or any other similar one). I just want to point out that software development is laden with complexity and obstacles to action. Security considerations must be harmonized into the equation.
The next bullet point in the fact sheet makes the following statement: “Develop software only on a system that is highly secure and accessible only to those actually working on a particular project.” This one makes the reader pause for a moment. It seems to have arrived at the conclusion that in order to build secure systems, we should build secure systems. If we are patient, the next sentence helps deliver the full meaning: “This will make it much harder for an intruder to jump from system to system and compromise a product or steal your intellectual property.”
What the framers of this fact sheet are driving at here is actually something like a rephrasing of zero trust architecture and the principle of least privilege: grant access only to the resources people strictly need to accomplish their legitimate tasks.
The next item on the hit list is a call for software developers to use modern tools to check for vulnerabilities. By this is meant tools such as GitGuardian and CodeScan, as well as Dependabot and WhiteSource. Not surprisingly, there is a focus on open-source software components. It’s easy to see why: OSS is used intensively, and its very nature makes it available to attackers for research and exploitation. One of CISA’s core requirements for government software is that all open-source components pass its security tests.
“Software developers are responsible for all code used in their products, including open-source code,” says the fact sheet. This is quite a statement. Is a developer responsible for the vulnerabilities on the systems they deploy on? What exactly does “responsible” mean here? Ethically? Functionally? It’s a door that is potentially wide open. The probable meaning is simply to reinforce the need to know what components are going into a system, instead of Googling for the task at hand and installing whatever turns up from npm or Maven or whichever repository is handy.
Improving our Nation’s Cybersecurity
Up to this point, the fact sheet is rather manageable. It concludes with a final bullet, however, directing the reader to take up the president’s Improving our Nation’s Cybersecurity executive order, a document designed to rearchitect the cyber ship of state. The ideas therein are now required for software used in federal government systems and recommended for everyone else. It is downright sprawling, jumping from institutional mandates directing the DHS to collaborate with the OMB in sharing information with the FBI, to hands-on guidance on how logs are to be stored.
Although the effort to secure such a vast ecosystem of public and private sector systems is monumental, especially in the face of motivated and well-funded nation-state actors, the basic drift of getting the cybersecurity house in order comes through loud and clear.
It should be acknowledged that even in discussing technology topics the order remains even-handed, knowledgeable without becoming bogged down in detail. It recognizes the new reality of cloud-based infrastructure and the need to collaborate with providers in both securing systems and sharing information.
A vision of public-private partnership
The order also explicitly highlights that truly improving national cybersecurity demands a collaboration not just of government organizations tasked with the job, but between government and business—a partnership of the public and private sectors is envisioned.
The EO exhorts that “the Federal Government must lead by example.” That vision takes in both all software used by the federal government (by requirement) and software in general (by recommendation). This of course adds another layer of complexity to the effort: not just mobilizing the government’s cybersecurity apparatus, but encouraging business to do the same, with all the perils that entails.
In particular, it reveals the need to navigate not just two tricky paths, bureaucracy and technology, but a third, the corporate world.
A hopeful sign
The order is unafraid to dive into the technology deep end and wade through the alphabet soup. The following passage reads as though it could have been written by a software CTO.
“The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.”
It’s heartening to see the fluency with which the order moves from the governmental realm to the technological. It appears that the bureaucrats and politicians are, at the high level at least, successfully coordinating with the technologists. The theory looks good. It remains to be seen how the ongoing implementation of these sensible ideas will go in practice.
Copyright © 2022 IDG Communications, Inc.