Newsletter 05/13/2023


The Empire Steps Up
Secure By Design, Secure By Default, Pt. 1

As readers of this blog know well, it has been my contention for many years that eventually governments will have no choice but to regulate the production and application of computer technology.  My assumption has always been that the regulation of public utilities done by local, state, and federal agencies would serve as the model for any such future regulation of IT.  The Biden Administration, through CISA, has adopted a different model of government regulation of IT products.  Adopting the model of automotive production regulation, CISA has launched a new cyber initiative called "Secure by Design, Secure by Default."  This regulatory framework is well laid out in several publications, all of which are available at the Secure by Design, Secure by Default website.

The initiative noted above was introduced in an address at Carnegie Mellon University by CISA Director Jen Easterly on February 27, 2023.  A complete transcript of the speech can be had here.  Readers of The Dispatches may recall that Carnegie Mellon University is where the CVE naming system for IT product vulnerabilities had its origin.  And, as Director Easterly pointed out in her speech, CMU also brought the world The Curse of the CAPTCHA.  All things have their Yin and Yang, so says Confusions.  Nevertheless, it was an apt venue for what followed.

In her address, Easterly describes well what I too think is a root cause of our modern culture's inability to truly address any of our myriad systemic failures.  What once would have been considered aberrant and unacceptable behavior by individuals, and unacceptable standards of nonperformance by various entities, are now seen as norms.

This pattern of ignoring increasingly severe problems is an example of the “normalization of deviance,” a theory advanced by sociologist Diane Vaughan in her book about the ill-fated decision to launch the space shuttle Challenger in 1986. Vaughan describes an environment in which “people become so accustomed to a deviant behavior that they don't consider it as deviant, despite the fact that they far exceed their own rules for elementary safety."

Easterly frames the argument within the context of the technology industry, and makes the case with undeniable facts.

We’ve normalized the fact that technology products are released to market with dozens, hundreds, or thousands of defects, when such poor construction would be unacceptable in any other critical field.

We’ve normalized the fact that the cybersecurity burden is placed disproportionately on the shoulders of consumers and small organizations, who are often least aware of the threat and least capable of protecting themselves.

We’ve normalized the fact that security is relegated to the “IT people” in smaller organizations or to a Chief Information Security Officer in enterprises, but few have the resources, influence, or accountability to incentivize adoption of products in which safety is appropriately prioritized against cost, speed to market, and features.

And we’ve normalized the fact that most intrusions and cyber threats are never reported to the government or shared with potentially targeted organizations, allowing our adversaries to re-use the same techniques to compromise countless other organizations, often using the same infrastructure.

Effective new legal initiatives build on already accepted legal practices.  Director Easterly uses the automotive parts industry as the foundation for this new initiative to compel the producers of IT products to stop releasing products that are broken or unfinished into the distribution chain.

The government can also play a role in shifting liability onto those entities that fail to live up to the duty of care they owe their customers. Returning to the automotive analogy: the liability for defective auto parts now generally rests with the producer that introduced the defect even if an error by the driver caused the defect to manifest. This was reflected in class action litigation against the Takata Corporation, where the company’s defective airbags tragically caused over 30 deaths after often minor collisions. Consumers and businesses alike expect that products purchased from a reputable provider will work the way they are supposed to and not introduce inordinate risk. To this end, government can work to advance legislation to prevent technology manufacturers from disclaiming liability by contract, establishing higher standards of care for software in specific critical infrastructure entities, and driving the development of a safe harbor framework to shield from liability companies that securely develop and maintain their software products and services.

And then she proceeds to take a swipe at all of us Propeller Heads who consider the current ritual of software updating to be a Blessing, and not a Curse.  In fact, she is correct here.  Patching is acquiescence to failure.  Nowhere near as expensive as a ransom demand; but, one way or another, all of us computer users pay the ransom on a daily basis, so says Confusions.

While it will not be possible to prevent all software vulnerabilities, the fact that we’ve accepted a monthly “Patch Tuesday” as normal is further evidence of our willingness to operate dangerously at the accident boundary.

Central to the effort here is enforcing transparency at all points in the IT supply chain.  Easterly offers the example of Dropbox, which since 2019 has required all its "vendors and their employees to use MFA, allowing Dropbox to perform security testing of the vendors' systems, and requiring vendors to publish vulnerability disclosure policies with legal safe harbor. They even open-sourced their contract requirements so that other organizations could adopt and modify them."

Towards this end, CISA has proposed a "Software Bill of Materials" that would serve as the foundation for building more secure products in the future.

At CISA, we’ve been working through ways that we can support radical transparency in technology software in products. For example, we’re focused on advancing the use of Software Bill of Materials, or “SBOMs,” the idea that software should come with an inventory of open-source components and other code dependencies. Effective use of an SBOM can help an organization understand whether a given vulnerability affects software being used in their assets and provide greater confidence in a manufacturer’s software development practices.
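The practical value of an SBOM that the quoted passage describes is that an inventory of components and versions lets an organization answer "does this advisory touch software we actually run?" without guessing. The following is an added illustration, not code from CISA or from this newsletter: it parses a constructed, deliberately simplified SBOM shaped like a CycloneDX components list, compares each component's version against a set of constructed advisories (placeholder ids, half-open version ranges), and reports the matches. Real SBOMs and advisories carry far more structure (package URLs, CPEs, several range notations), which is assumed away here.

```python
"""Minimal SBOM-to-advisory matching (added illustration, not CISA tooling).

The SBOM and the advisories below are constructed for this example.
Only the core idea is shown: with an inventory in hand, checking an
advisory against what you run becomes a lookup instead of a guess.
"""
import json

# Constructed SBOM: three components with name, version and a package URL,
# in a simplified CycloneDX-like shape.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libexample-json", "version": "2.3.1",
     "purl": "pkg:generic/libexample-json@2.3.1"},
    {"type": "library", "name": "tinyhttp", "version": "0.9.7",
     "purl": "pkg:generic/tinyhttp@0.9.7"},
    {"type": "library", "name": "crypto-util", "version": "1.12.0",
     "purl": "pkg:generic/crypto-util@1.12.0"}
  ]
}
"""

# Constructed advisories with placeholder ids: the affected package and
# the half-open version range [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "tinyhttp",
     "introduced": "0.9.0", "fixed": "0.9.8"},
    {"id": "ADV-EXAMPLE-0002", "package": "libexample-json",
     "introduced": "2.0.0", "fixed": "2.3.0"},
    {"id": "ADV-EXAMPLE-0003", "package": "left-pad-ish",
     "introduced": "1.0.0", "fixed": "1.0.1"},
]


def parse_version(text):
    """Turn '1.12.0' into (1, 12, 0) so versions compare numerically,
    not lexically (as strings, '1.12.0' would sort below '1.9.0')."""
    return tuple(int(part) for part in text.split("."))


def load_components(sbom_json):
    """Return {name: version} from the SBOM's component list."""
    doc = json.loads(sbom_json)
    return {c["name"]: c["version"] for c in doc.get("components", [])}


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def match_advisories(sbom_json, advisories):
    """Return the ids of advisories whose affected range contains the
    version of a component listed in the SBOM."""
    inventory = load_components(sbom_json)
    hits = []
    for adv in advisories:
        version = inventory.get(adv["package"])
        if version is None:
            continue  # package not in our inventory: no exposure to check
        if is_affected(version, adv["introduced"], adv["fixed"]):
            hits.append(adv["id"])
    return hits


if __name__ == "__main__":
    for adv_id in match_advisories(SBOM_JSON, ADVISORIES):
        print("affected:", adv_id)
```

Run as written, only `ADV-EXAMPLE-0001` matches: `tinyhttp` 0.9.7 falls inside its range, `libexample-json` 2.3.1 is already past its fix version, and the third advisory concerns a package the inventory does not contain. The numeric version comparison matters: a string comparison would wrongly rank 1.9.0 above 1.12.0 and produce both false alarms and missed hits.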

Step 1 here, says Easterly, is to ban the C/C++ programming languages, in which so much of our current software is written.  She wants to see the teaching of C-based programming languages replaced with Python as the foundational programming knowledge set for new programming students.  Of course, that does nothing to help all of us ransomees right now.

Uncle Sam, however, is simply playing catch-up to where the European Union already is.  A Secure By Design future is the goal of seven of the world's largest economies.

Click Through, Brothers and Sisters.

¯\_(ツ)_/¯
Gerald Reiff
