The House Energy and Commerce Committee’s Subcommittee on Oversight and Investigations today released a report identifying core strategies to address and prevent cybersecurity incidents. After gathering input through hearings, briefings, reports, and roundtables, the subcommittee developed six specific priorities to create stronger protections against cyberattacks.
Widespread Adoption of Coordinated Disclosure Programs
The subcommittee stressed the importance of coordinated disclosure programs, which it defined as “a collaborative vulnerability identification and remediation process.” It acknowledged that while coordinated disclosures do occur on an ad-hoc basis, the report said “the most successful coordinated disclosures generally take place within official coordinated disclosure programs adopted by organizations.”
In terms of the benefits provided by a coordinated disclosure program, the report stressed that it “allows an owner to invite the aid and expertise of outside parties in identifying an organization’s unknown unknowns, potentially avoiding a cybersecurity incident later, while setting ‘ground rules’ for third-party investigations of its data and networks.”
The report further said that the programs benefit “finders”–those who identify cybersecurity vulnerabilities–because they give finders “the ability to perform cybersecurity research without fear of civil or criminal penalties, incentivizing them to ferret out otherwise invisible bugs and report them to the affected owner.”
Implementation of Software Bills of Materials Across Connected Technologies
When it comes to helping organizations better prepare to respond to vulnerabilities, the subcommittee identified having a software bill of materials (SBOM) as an important step. An SBOM is essentially an ingredients list for a specific piece of technology and will list the hardware, software, and other components that it contains.
The report identified two benefits of an SBOM. “First, it permits organizations to make informed risk decisions about which technologies to purchase and use based on known vulnerability information,” and, “Second, when new vulnerabilities are discovered, it allows organizations to quickly identify their exposure and to take appropriate steps in response.”
However, the report said an “SBOM is not an end in and of itself.” Because an SBOM helps minimize an organization’s unknown unknowns, it will also help identify other potential cybersecurity risks. The report specifically cited open-source software, “which [organizations] often do not know they’re acquiring.”
Support and Stability of the Open-Source Software Ecosystem
Speaking of open-source software (OSS), the subcommittee said organizations need to support OSS. “[I]f 78 percent of companies run on OSS, then any improvement in the quality of OSS bricks will create immediate, widespread, and effective increases in the overall quality of the cybersecurity capabilities of the organizations using them,” the report concluded.
The report again stressed that there is no cybersecurity silver bullet. Rather, “OSS support, together with coordinated disclosure and SBOM, recognize and address some of the most critical facets of organizations’ modern cybersecurity challenges.”
Health of the Common Vulnerabilities and Exposures (CVE) Program
The CVE program maintains a list of entries of publicly known cybersecurity vulnerabilities. Each vulnerability receives a unique identification number, description, and at least one public reference. According to the report, in the spring of 2016 “multiple media outlets reported that the CVE program was struggling to keep up with the number of vulnerabilities reported.”
In response to those concerns, the subcommittee launched an investigation in March 2017 and found that “instability in the program’s funding and management mechanisms were primarily at fault.” At the time, the subcommittee made two recommendations to the Department of Homeland Security and MITRE, which manage the program. It recommended, “that DHS move the CVE program from a contract based funding model to a dedicated Program, Project, or Activity and that both DHS and MITRE should perform biennial reviews of the program.”
The report further stressed that “the CVE program, like coordinated disclosure, SBOM, and OSS support, remains another critical cybersecurity building block. To be truly effective, organizations must continue building atop it, and leverage the common cybersecurity language it creates to better understand and analyze their IT and cybersecurity posture.” By using the program, organizations will be quickly “confronted with the fact that all digital technologies are vulnerable and the older a technology is, the more vulnerable it becomes.”
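As an added illustration of the two building blocks described above (the SBOM as an ingredients list, and CVE-style identifiers as the common language for known vulnerabilities), the Python below cross-references a constructed, simplified CycloneDX-style component list against constructed advisories. This is not code from the report or the article; every component name, version and advisory identifier is invented, and the "CVE-EXAMPLE-" IDs are placeholders, not real CVE entries.

```python
import json

# Constructed, simplified CycloneDX-style SBOM for a hypothetical gateway
# firmware. "oss-logger" stands in for a transitive open-source dependency
# the buyer may not know it is acquiring; "vendor-crypto" lacks a version.
SBOM_JSON = """
{"components": [
  {"type": "firmware", "name": "acme-gateway-fw", "version": "3.4.0"},
  {"type": "library",  "name": "oss-http-server", "version": "1.2.1"},
  {"type": "library",  "name": "oss-logger",      "version": "2.0.7"},
  {"type": "library",  "name": "vendor-crypto",   "version": null}
]}
"""

# Constructed advisories with placeholder identifiers (not real CVE entries);
# "affected" is a half-open version range [lower, upper).
ADVISORIES = [
    {"id": "CVE-EXAMPLE-0001", "component": "oss-http-server",
     "affected": ("1.0.0", "1.2.5")},
    {"id": "CVE-EXAMPLE-0002", "component": "oss-logger",
     "affected": ("2.1.0", "2.3.0")},
]


def parse_version(v):
    """Turn '1.2.5' into (1, 2, 5) so versions compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version, lower, upper):
    """True when lower <= version < upper under numeric comparison."""
    return parse_version(lower) <= parse_version(version) < parse_version(upper)


def find_exposure(sbom_json, advisories):
    """Cross-reference each SBOM component against the advisories; returns
    (exposed, unassessable), where unassessable lists components with no
    recorded version, which stay 'unknown unknowns' until the SBOM is fixed."""
    exposed, unassessable = [], []
    for comp in json.loads(sbom_json)["components"]:
        if not comp.get("version"):
            unassessable.append(comp["name"])
            continue
        for adv in advisories:
            if adv["component"] == comp["name"] and is_affected(
                    comp["version"], *adv["affected"]):
                exposed.append((comp["name"], comp["version"], adv["id"]))
    return exposed, unassessable
```

Note that the numeric version comparison matters: a plain string comparison would rank "1.10.0" below "1.9.0" and silently miss exposed components.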
Implementation of Supported Lifetimes Strategies for Technologies
Concerns regarding reliance on legacy IT are nothing new, especially in the Federal government. In the report, the subcommittee said that the “first step in examining the legacy technologies problem is to realize that the issue extends far beyond the technologies themselves.” The subcommittee posed numerous questions regarding the use of legacy IT, including:
- “How long should organizations that develop or maintain technologies be required to support them?
- How long should organizations that use those technologies be permitted to reasonably rely on them?
- Some technologies continue to exhibit perfectly acceptable physical function long after their digital components age–must they still be replaced in their entirety?”
Addressing those questions will require “creativity, cooperation, and compromise,” according to the report. The report suggested that technology developers will likely need to provide a “guaranteed minimum support lifetime” and users will have to “accept and plan for the phasing out of technologies as they get older.”
The report then tied this priority back to the concepts it had already discussed: “A common thread running through each of the five concepts already discussed is that all require collaboration between diverse and at times competing stakeholders whose technologies and networks are all inextricably linked. The power of connected technologies is just that–connection. By necessity, then, protecting these technologies requires protecting each end of the connection. And that will require partnership.”
Strengthening of the Public-Private Partnership Model
In its final priority, the report more fully discussed the importance of partnership. The report referenced that the United States has already established a Public-Private Partnership model for designated critical infrastructure through Presidential Policy Directive 21 (PPD-21). Under this model, critical infrastructure is divided into 16 sectors, with Sector-Specific Agencies (SSAs), Sector Coordinating Councils (SCCs), and Information Sharing and Analysis Centers (ISACs) overseeing each sector and facilitating information sharing.
“The hybrid nature of the Internet, where data and information critical to national and economic security flow over and through cables, networks, and devices owned and operated by the private sector, requires cooperation on a level that would likely be impossible to achieve without a framework like the one created by PPD-21,” the report said. “Further, while the sophistication of the different sectors varies significantly, the sectors with the strongest SSAs, SCCs, and ISACs are almost universally considered to be the gold standard with regards to cybersecurity capabilities and readiness.”
With that in mind, the report stressed the importance of strengthening the public-private partnership model, saying “It enables connected ecosystem stakeholders to recognize their shared risks and collaborate to protect their shared resources. Most critically, it creates a positive feedback-loop among and between the Subcommittee’s six interdependent priorities, and in doing so, increases desperately needed cybersecurity capabilities across society as a whole.”