Does Biden’s cybersecurity order go far enough?

The Biden Administration’s Executive Order on Improving the Nation’s Cybersecurity (EO 14028) implements a set of requirements for operations and procurement. At its core is a set of information sharing requirements distributed across nine primary goals. The combination of these objectives offers the potential to create a functional, transparent market for security out of the long-standing morass of unsubstantiated claims, unknown code, and information symmetry (first identified in the crypto snake oil FAQ in 1998). These requirements align with extant incentives for individuals and organizations to invest more intensely in security. EO 14028 offers the potential not only for a more secure American supply chain, but also continued cybersecurity protection and a contribution to growth in smart manufacturing in which the whole is greater than the sum of the parts.

The EO requires the creation and publication of additional information that has long been needed to create a secure supply chain—yet these will only provide the data substrate on which a secure foundation can be built. Translating that data into actionable information for decision support requires integrating human factors in its presentation. With the ability to differentiate their products, developers will have the incentive to invest in more secure, higher quality products.

Data-driven decision-making long has been a challenge, particularly in acquisition. The Executive Order requires information that can be made at or before the moment of purchase and during operation. At the moment of purchase, a software manufacturer should be able to produce attestations of best practices in development environments, provenance of software, and identification of software components. In addition, there is a requirement for the National Institute of Standards and Technology to develop an accessible and acceptable labeling system that communicates the security implications of such attestations for the less technically expert consumer.

Optimists assume that all the related services will emerge in the marketplace, while critics worry that none of the potential supporting innovations will come to exist. There is reason for confidence that industry is building on the data foundation. For example, RSA, the recent international commercial security conference, saw a proliferation of offerings to secure the supply chain, with many vendors directly referencing components of the Executive Order.

The most basic conclusion is that the information required by the Executive Order will enable analysis, but neither provide it nor ensure its quality. The sheer amount of information available requires that such information be evaluated using a combination of human and artificial intelligence, with the presentation of the information to the human analysts being critical. The increase in information availability creates the potential for improvements in current data analytics. Sharing the information opens opportunities for new entrants who could currently be locked out of the market from lack of data,  and lack of competition allows organizations with dangerous practices to thrive.

The existence of analysis and artificial intelligence is no guarantee of protection. For example, SolarWinds offered—and continues to offer—AI-enabled risk analysis of malicious logins. The attackers who used SolarWinds to attack 18,000 of its customers were able to determine that the only variable which the AI checked was the geographic location of the login request. Thus the attackers were clear to login, confident that they would not be identified as malicious. As observers as well as attackers, the insertion of code was a year-long exercise optimized to be ignored. In fact, the suspicious login was noted by FireEye, not discovered by SolarWinds. As we consider the role of AI and models of attackers, note the attackers’ interest in FireEye was focused on the tools used to identify attackers (i.e., Red Team tools).

The labeling, code quality information, and requirements for disclosure of incidents with the corresponding ability to track use of vulnerabilities create the data to enable effective risk identification, communication, and mitigation. An entire ecosystem is required for the result to be a secure infrastructure. The prerequisites for a secure ecosystem include the Software Bill of Materials, mandated reporting, and requirements for labels. These are all necessary but not sufficient to create a functioning market that empowers consumers to choose risk-averse options.

The disclosure of incidents will enable a more robust and accurate cyberinsurance market. Knowledge of the nature and rate of incidents will provide risk distributions for insurance and re-insurance companies to increase their cyberinsurance underwriting in a sustainable, actuarially sound manner. Knowledge of correlated risks across the entire landscape of incidents creates the possibility of developing diverse loss portfolios among firms, technologies, and attacks.

The Executive Order addresses the information asymmetries central to the security market: that the high-quality, secure components are indistinguishable from the worst at the time of purchase; which parties can update code during operation is opaque to operators; the vulnerabilities embedded in the code are unknown; and the likelihood that any of these would be used by attackers is unknown. After resolving these components of the current lemons market for security, all the other heuristics that undermine risk-aware decision-making in other domains will exist. But until these are addressed, risk mitigation will be indistinguishable from magic or pure chance for most.

The creation of a software labeling program by the National Institute for Standards and Technology can inform purchasing decisions at the consumer level. The current single label based on the Energy Star model is an excellent first step. Yet this is not a final design. Like other complex products, such as pharmaceuticals and hazardous industrial products, there is a need for warning systems for different contexts and uses. The Energy Star label provides the information needed for purchasers, particularly less technical consumers, just as warning stickers identify risk of accelerants. Also, like physical materials, the existence of simple icons for flammable and radioactive materials does not negate the need for material safety data sheets; a five star ranking does not solve all requirements for risk communication.

The Software Bill of Materials (SBOM) provides the more nuanced data transparency beyond labels. SBOM data lists all the components of a software product, and with this operators can know the previously disclosed vulnerabilities embedded in the code. The Bill of Materials is a data substrate that can be mapped with vulnerabilities, dependencies, and additional data for identification of which parties are authorized to update code. SBOM does not resolve these operational questions as nutritional labels do not address the medical management of allergies; similarly, without the information such management is so difficult as to be infeasible beyond harm mitigation after exposure.  Artificial intelligence will necessarily play a critical role. Given that the information underlying the labels will be complex, lengthy, and subject to inconsistent validation the lessons from privacy policies are appliable here—few people will read the documentation.

The reporting requirements in EO 14028 provide information on the use of vulnerabilities by attackers, providing the baseline historical information required for informed decision-making. Those who complain that the sheer number of potential hazards in the national vulnerability database (as well as the simple bad programming practices that result in abiding vulnerabilities) are identifying a need for decision support, not a fatal flaw. To use the model of materials safety, reading the complete set of materials safety datasheets in a medium enterprise and all the potential interactions would similarly be overwhelming. Yet just as many of the mitigations for hazardous materials are common safe practice, such as not exposing them to open flames, many vulnerabilities can be mitigated by best practice such as disabling unused services, enabling malware scanners, strong passwords ideally with multi-factor authentication, regular back-ups for malware recovery, and blocking malicious servers.

There is a systematic need for accurate, actionable information about the state of software, which requires information about the components. Knowledge of vulnerabilities, lack of mitigation, failure to detect active intrusions, and recovery are critical issues across the network, particularly as ransomware has matured into a sustainable, profitable, service and business model for attackers. Companies lack structed actional information to support decision-making and engage in efficacious self-protection.

Consider that the Fortinet Ransomware survey asked 500 surveyed practitioners to evaluate their posture towards security. About 40% identified basic protections, including network segmentation, business continuity measures, and remediation plans. In contrast, for roughly 35% of practitioners, their current preparation is a policy of immediate payment, and 18% of practitioners reported paying by default unless prohibitively expensive. There was a notable absence of prevention in the form of identification and mitigation of vulnerabilities. Those surveyed simply do not have the necessary transparency and information to identify vulnerabilities on their own networks.

The current marketplace does not provide confidence in the choice to outsource security. Returning to SolarWinds, it is contested if the attackers used the fact that SolarWinds had posted their administrator password on their publicly available website used in developing components of their software, enabling any person with access to the Internet to alter the code; Solarwinds then refused to change the password after the months-long exposure was identified. It is also unknown if the choice to outsource the Managed Service Provider (security) operations and development to Bulgaria, with Russian language skills being identified as an asset for applicants, played a role. In contrast, it is certain that the consumer of any software should be able to make decisions about the code included in the product, the quality of the development environment, the practices, and the history of the provider. The requirements for information provision in FAR, the information on the components in SBOM, reporting requirements for incidents, and easy labeling for non-expert consumers can improve the market as a whole.

The creation of a transparent market for software and provision of information for operators and purchasers leverages the greatest competitive advantage of the United States: the rule of law required to support a trustworthy marketplace. Emerging nations can invest in their citizenry to build technical expertise and exfiltrate intellectual property; yet neither Russia nor China can compete with the United States in rule of law, low levels of corruption, and market transparency. The Biden Administration Executive Order on Improving the Nation’s Cybersecurity (EO 14028) is not a map to a more secure supply chain, continued leadership in cybersecurity, and the corresponding increases in national cybersecurity; instead, it creates the survey for its construction.