Software vendors will be obliged to promptly notify their US federal government customers in the event of any security breach, a draft executive order from President Joe Biden’s administration proposes.
The order – which follows the high impact SolarWinds breach late last year – would also mandate the use of multi-factor authentication and data encryption within US federal agencies, Reuters reports.
In addition, the order would compel vendors to retain more records and work with the Cybersecurity and Infrastructure Security Agency (CISA) in responding to incidents.
In essence, the Biden administration is seeking to leverage the enormous buying power of the US federal government in order to produce changes in software vulnerability disclosure practices that will affect the whole industry.
Industry experts canvassed by The Daily Swig broadly supported the proposals, which remain in draft but could be introduced as early as this week.
SolarWinds blow
Morgan Wright, chief security advisor at SentinelOne, and a former US State Department special advisor, said the issue of mandatory breach reporting surfaced during recent Senate hearings on SolarWinds.
The concept of notifying the government when a breach occurs was generally supported by companies (including SolarWinds, Microsoft, and FireEye) testifying a recent US Senate Select Intelligence Committee hearing, but not without concerns about whether this might create a difficult-to-manage administrative tangle, according to Wright.
Wright explained: “The key issue was liability. Government contracts go into excruciating detail about liability, and to impose an executive order without clearly spelling out how every contract will be modified to limit or prevent liability will be an acquisition and procurement nightmare.”
“In theory, more transparency and disclosure [are both] needed to improve the cybersecurity posture of the federal government. In reality, this will become a bureaucratic nightmare,” Wright concluded.
Immature security
Austin Berglas, global head of professional services at cybersecurity services company BlueVoyant, said organizations need to get better at detecting breaches for any stricter disclosure regime to work.
“Requiring organizations to report breaches to federal government customers will rely heavily on the maturity of the vendor’s security,” Berglas, a former assistant special agent in charge of cyber investigations at the FBI’s New York office, told The Daily Swig.
“In order for an organization to report a breach in a timely matter, that organization needs to have the appropriate visibility to detect an intrusion.”
Preservation of digital records, implementing multi-factor authentication, and proper utilization of encryption are all standard cybersecurity hygiene recommendations seen in numerous frameworks and guidance.
The Biden administration is taking steps to secure supply chains after the SolarWinds breach
It is commonplace to find organizations with hundreds of vendors in their supply chain, and the biggest challenge will come from “identifying ways that the government can help immature vendors attain and maintain the basic cybersecurity standards”, according to Berglas.
“Not only do companies have limited resources to assess the security of all the vendors in their supply chain, worse, they are still using questionnaires to assess security posture instead of using technology to identify external risks to the chain,” Berglas argued.
“The proposed standards are all solid improvements which would enhance the overall security of the supply chain, but the true task [is] in finding ways to enable and empower the most immature organizations with the ability and resources to meet those requirements.”
Legacy risks
In cases where vendors are asked to support (outdated) legacy systems, vulnerable IT infrastructures are hardly the fault of the services and software providers.
“Many systems inside government are so antiquated that contracts are let on a regular basis looking for support of software that has not been officially supported for years,” according to SentinelOne’s Wright.
Modern software is a combination of proprietary code and open source components. This means software security and guarding against supply chain attacks becomes an issue of safeguarding an entire ecosystem.
“The days of software being created exclusively within the proverbial four walls of a commercial software vendor are long gone,” said Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Center).
Technical debt
James Christiansen, vice president of security transformation at Netskope, said that better communication around software vulnerabilities is “warranted and essential”, while noting that the government regulations can only go so far in addressing an endemic problem.
“While this action is a step in the right direction for the government sector, we also need to think about what happens in the private sector,” according to Christiansen.
“It’s not surprising to see this executive order formalise the requirements for information sharing by software vendors while also including authentication and encryption measures, but for data protection to be effective, it needs to encompass multiple environments reaching far beyond encryption.”
When quizzed by The Daily Swig the proposed regulations were generally seen by those in the industry as solid improvements which would enhance the overall security of supply chains – though several cautioned not to expect miracles.
SentinelOne’s Wright warned: ”None of these proposed remedies will stop every software supply chain attack. By the time software arrives at the government, as in SolarWinds, the attack had already occurred against the supplier.”