SAN FRANCISCO — A top Commerce Department cybersecurity official is attending the tech security industry’s biggest annual sales conference this week with a sales pitch of his own.
Allan Friedman, who leads cybersecurity initiatives at the agency's National Telecommunications and Information Administration, thinks companies could make the entire technology ecosystem dramatically more secure just by publishing a record of all the software that goes into their products.
In other words, he wants every piece of technology in the United States to have a public “ingredients list.”
And just like ingredient lists at the grocery store help consumers make smarter decisions about what they eat, the equivalent in software will help companies make smarter decisions about what they buy and how they protect it, he told me. And he wants to convince companies he meets with at RSA that being more transparent about their software — which can be complicated for legal and competitive reasons — could actually help them improve the services or products they offer clients.
“This is about making it easier and cheaper for anyone across the ecosystem to be aware about what they’re using,” Friedman said.
The problem is there’s not much incentive for any individual company to start publishing these ingredient lists — which NTIA calls a “software bill of materials.” The benefit only comes when a lot of companies are publishing the lists and the entire software ecosystem is more transparent.
If government can convince companies that it’s in their best interest to work together on software transparency, and help them find an efficient and standardized way to do it, that will make a bigger difference than government trying to force a change, Friedman told me.
“In a world where no one is asking for this, people are not going to provide it, and in a world where there aren’t tools to do this, no one’s going to ask for it,” Friedman told me. “Rather than asking nicely for someone to get into the cold pool or go pushing people in the cold pool, government is helping people to hold hands and jump in together.”
The Software Bill of Materials project is the latest example of how the government is trying to fundamentally reshape how people and companies manage cybersecurity through conversations and consensus-building rather than mandates.
The Homeland Security Department, for example, is working with industry sectors on ways to identify the most insecure parts of their supply chains and to map out the most critical parts of U.S. digital infrastructure that require the greatest amount of protection.
NTIA also convened cybersecurity researchers and companies to talk about better ways to share information about newfound computer vulnerabilities. The Software Bill of Materials project itself grew out of an earlier government and industry collaboration focused on making the Internet ecosystem more resilient against armies of zombie computers known as botnets.
NTIA has been working since July with about 100 people who have a financial or policy interest in the Software Bill of Materials project, including cybersecurity researchers, academics and industry representatives from health care, financial services and other sectors.
Those participants have split into four working groups that are scheduled to release early findings this spring, Friedman told me — focused on the format the ingredients lists should take, what they should include, models that already exist and special considerations in the health-care sector.
During the RSA conference, Friedman wants to get more security companies engaged in the process.
He also wants to contact major companies that spend millions on software each year about how increased transparency will make their organizations more secure.
“I’ll be reaching out to as many folks as possible about how this is in their security interests,” he told me.
Once the ingredient lists are common, organizations will be able to use them in numerous ways, Friedman told me.
At the most basic level, they’ll be guideposts for cybersecurity researchers looking for hackable bugs inside major products. They’ll also help companies make smarter decisions about the software they buy — avoiding products that rely on overly complex supply chains or software from vendors that have gone out of business.
Some people could also build businesses out of the data, such as automated tools that tell companies how risky their software footprint is and ways to make it safer, Friedman said.
“The value is really going to emerge from all the tools and innovative business models that can leverage this data to understand risks as they emerge or even before they emerge,” he said.
The ingredient lists will also even the playing field between hackers and cyber defenders who often have less information about what software their companies are running than the attackers do, Friedman said.
“What we’re doing is giving the good guys ways to defend themselves because the bad guys already have this information,” he said.
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: Women will be speaking on or moderating all but 6 of 31 keynote presentations at RSA this year. That’s a stark change from last year when 19 out of 20 keynotes were by men, the San Francisco Chronicle's Melia Russell reported. That year, some security researchers protested the male-dominated lineup by holding a shadow conference with a more diverse list of speakers titled OurSA. Given the more diverse speakers at the main conference this year, the organizers won’t be renewing OurSA, they told the Chronicle.
“They’ve proved it’s not a pipeline issue by having a much better speaker lineup this year,” Lea Kissner, chief privacy officer for the data start-up Humu, told the Chronicle. Sandra Toms, the chief organizer of RSA, said conference sponsors proposed mostly male names for keynotes again this year, but she told them to come back with a more diverse list, the Chronicle reported.
“Also new this year is a half-day training to help women become more effective public speakers and find the confidence to apply for keynote opportunities,” the Chronicle reported.
PATCHED: A bipartisan pair of senators on the Senate Intelligence Committee wants to find out whether China is trying to shape international standards for 5G to give an advantage to Chinese companies. Sen. Mark R. Warner (D-Va.), the panel's vice chairman, and Sen. Marco Rubio (R-Fla.) asked Director of National Intelligence Daniel Coats in a letter to issue an unclassified report on the matter. They want the U.S. intelligence community to examine the participation of China and other foreign adversaries in organizations that set international standards for 5G technology.
Warner and Rubio said the Senate Intelligence Committee over the past year “has heard anecdotal concerns that China is attempting to exert pressure or political influence” on those organizations. “Not only does political influence undermine fair competition, it also raises serious economic and security concerns for 5G and future generations of wireless technologies,” the senators said in the letter. U.S. officials have sought to persuade foreign allies not to allow Chinese telecommunications company Huawei to build their 5G networks, citing concerns about potential Chinese spying.
PWNED: Even as President Trump and North Korean leader Kim Jong Un met in Hanoi, North Korean hackers kept up their attacks on American and European businesses, The New York Times's Nicole Perlroth reported. "The attacks, which include efforts to hack into banks, utilities and oil and gas companies, began in 2017, according to researchers at the cybersecurity company McAfee, a time when tensions between North Korea and the United States were flaring. But even though both sides have toned down their fiery threats and begun nuclear disarmament talks, the attacks persist."
McAfee also found that a North Korea-linked cyber espionage campaign uncovered last year lasted longer and targeted more organizations than initially thought. Hackers from the Lazarus Group started their espionage campaign — called Operation Sharpshooter — as early as September 2017 rather than in 2018 and targeted more than the 80 organizations McAfee originally identified, according to a news release. The hacking group's current targets are located largely in the United States, Britain, Germany and Turkey, McAfee said.
Lazarus Group “primarily leveraged spearphishing emails, masked as extremely convincing job recruitments, to gain access to systems,” McAfee reported. That’s “an ordinary and unadvanced technique” that nevertheless “was still wildly successful in enabling Lazarus to breach major organizations,” the report states.
— A program to provide federal workers with cyberdefense analysis training has drawn more than 1,500 applications, Nextgov's Frank Konkel reported. The program, called Federal Cyber Reskilling Academy, aims to help the government address a lack of cybersecurity professionals in the federal workforce. “It shows there’s a great desire from our federal employees to transition into the cybersecurity career field!” Federal Chief Information Officer Suzette Kent said in a tweet. Applicants who are accepted in the program will be notified starting April 1, according to Nextgov.
— Rep. Mike D. Rogers (R-Ala.), the ranking Republican on the House Homeland Security Committee, said that the legislative and executive branches have not “been able to get ahead of” cybersecurity threats, according to Inside Cybersecurity's Maggie Miller.
— Chuck Robbins, chief executive of Cisco Systems, suggested in an interview on CNN that concerns that Huawei may end up dominating 5G networks may be exaggerated, Bloomberg News's Hailey Waller reported. “The current infrastructure around the world is built on a combination of communication suppliers from Europe, from China, from the U.S., everywhere,” Robbins said, according to Bloomberg News. “And I think that despite everything that we hear, I think that’s going to be the case in the future as well.”
— Steffen Seibert, spokesman for the German government, said Berlin has not held cybersecurity talks with Beijing in recent weeks after he was “asked about a report that Chancellor Angela Merkel was seeking a no-spying deal with China over the Huawei issue,” Reuters reported.
— Jeremy Burge, founder of Emojipedia and creator of World Emoji Day, tweeted that the phone number that people use on Facebook for two-factor authentication can now be searched within the social network, prompting privacy concerns.
For years Facebook claimed that adding a phone number for 2FA was only for security. Now it can be searched and there's no way to disable that. pic.twitter.com/zpYhuwADMS
— Jeremy Burge 🐥🧿 (@jeremyburge) March 1, 2019
The tweet prompted numerous reactions. From Zeynep Tufekci, an associate professor at the University of North Carolina at Chapel Hill and contributing opinion writer for the New York Times:
Yep. I can no longer keep private the phone number that I PROVIDED ONLY FOR SECURITY to Facebook. ZERO notification of this major, risky change. For years I urged dissidents at risk to use 2FA on Facebook. They were afraid of this. @Facebook doesn't care about their safety. pic.twitter.com/lW8wjBJlfz
— zeynep tufekci (@zeynep) March 3, 2019
From Bloomberg News's Sarah Frier:
This is why I’ve been warning about the potential privacy downsides of their plan to integrate messaging on Instagram, WhatsApp and Facebook. Zuckerberg says they’re doing it to bring encryption across services. But it will ultimately allow Facebook to connect your identities.
— Sarah Frier (@sarahfrier) March 3, 2019
From Girard Kelly, counsel and director of privacy review at the nonprofit Common Sense Media:
This is a perfect privacy example of a lack of respect for the context in which information is collected https://t.co/Q8un4urWze
— Girard Kelly (@girardkelly) March 3, 2019
- RSA Conference in San Francisco through Friday.
- The Center for Strategic and International Studies holds an event on “digital governance and the pursuit of technological leadership.”
- The Woodrow Wilson Center holds a discussion on China and 5G.
- Senate Permanent Subcommittee on Investigations hearing on data breaches in the private sector on Thursday.
- The Brookings Institution holds a discussion on “How to improve cybersecurity career and technical education” on March 13.