The National Cybersecurity Strategy and this YouTube presentation on March 2, 2023 from Kemba Walden and Anne Neuberger address the need to rebalance cybersecurity risk. But what exactly does this mean? I suppose we’ll all know better what this means as the implementation details are worked out, but I’ll offer my interpretation here.
"When we pick up our smart phones to keep in touch with loved ones, log on to social media to share our ideas with one another, or connect to the internet to run a business or take care of any of our basic needs, we need to be able to trust that the underlying digital ecosystem is safe, reliable and secure." – Joe Biden
Today, all the risks from a cybersecurity incident are borne by the consumers of software. This includes the cost of paying ransoms; the cost of implementing cybersecurity controls, both proactive and reactive, for the identification, protection and detection of risks and threats; and the costs of responding to and recovering from a cyber incident. All of the costs of cybersecurity protections, and all of the impact of a cyber-breach, fall on the consumer/end user of software.
Some people seem to interpret this “rebalancing of risk” as holding a software supplier responsible/liable for costs associated with a cyber-incident. I don’t think this is practical or even achievable. Determining the root cause of a cyber-incident and identifying the party that should be held responsible/liable will be difficult. Root cause determination depends on correlation, correlation depends on covariance, and covariance depends on accurate, complete, trustworthy data – and that’s the problem. Getting trustworthy, accurate and complete data for a cyber-incident can be extremely challenging and is fraught with uncertainty. There are also plenty of well-known "sticky issues" in trying to assign liability across the software supply chain.
In my opinion, the rebalancing of risks is more about a shared responsibility between software suppliers and consumers/end users to mitigate risks as soon as possible, to prevent harm.
How can software suppliers help mitigate risks sooner and share the risk with consumers/end users:
- Enable and empower consumers/end users to protect themselves from risk by providing visibility into the software components embedded in a software product, especially open-source components. This can be achieved by providing a consumer with an SBOM for each product release, version and patch. The SBOM must list the software components and other files that will be installed by a consumer that uses the product. Do not provide an SBOM of a source tree; that does not help a consumer identify vulnerabilities. Only the final, distributed materials contained in the installation package are useful to consumers during a risk assessment and for on-going monitoring.
- Provide consumers with a NIST SBOM Vulnerability Disclosure Report (VDR) whenever a new SBOM is produced, and maintain the VDR as a living document, online and always accessible to customers, so that whenever a new vulnerability is reported they can check the vulnerability status of a product and answer the question “Is my installed software product vulnerable, as of right NOW?” The VDR also serves as an attestation by a software supplier that they have checked each SBOM component for vulnerabilities before releasing a software product. This requires software suppliers to constantly monitor for new vulnerabilities and update the online VDR with their findings and fix status when needed. The NIST SBOM VDR follows the recommendations for vulnerability disclosure to software consumers found in ISO/IEC 29147:2018 and NIST SP 800-161 RA-5 in support of Executive Order 14028 guidance. A VDR is akin to having an always up-to-date CARFAX status report, but for software products.
- Software suppliers agree to provide consumers with timely, machine-readable security advisories following CISA recommendations, indicating when a new vulnerability affects one or more software products. Software suppliers will be required to provide mitigation guidance along with a security advisory and an estimated "timeline to producing a patch release", indicating when a patch/fix will be available to consumers. Consumers need to agree to apply the mitigation guidance and supplied patch/fix as soon as possible.
- Software suppliers subject their products to a NIST software risk assessment that applies consistent criteria and methods to calculate a “trust score” indicating the amount of trust, based on adherence to NIST best practices, that the product achieves. This trust score should be communicated to consumers using a label, per NIST recommendations. Publish the product trust score in a registry that a consumer can query before procurement and installation of a software product, e.g., an app from an app store. Anne Neuberger used a restaurant cleanliness score analogy in the linked YouTube presentation at the 29:15 mark to convey the need to provide consumers with more visibility into the trustworthiness of apps in app stores and IoT devices, which is akin to the "trust score" concept suggested here. Would you eat at a restaurant with a cleanliness score of "F"? Would you install an app with a "trust score" of "F"? I wouldn't do either of these. This link describes the New York City Restaurant Scoring program that Anne refers to. Anne's cleanliness score concept for software is not some future quest; it exists today in SAG-CTR (TM), where consumers can check the trust score for software and apps before installing. A simple 3-line PowerShell script shows how easy it is to check the "trust score" for an app or other software product before installing.
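The first three suggestions above (an SBOM of distributed components, a living VDR, and machine-readable advisories) fit together as one consumer-side check. The following Python script is an added example, not code from the author, NIST or CISA: it correlates a constructed SBOM with a constructed VDR and a constructed advisory that post-dates the VDR, and answers "is my installed product vulnerable as of right now?". The JSON layouts are simplified, CycloneDX-flavoured field names chosen for this example, not the exact NIST VDR or CSAF schema, and the component names, purls, vulnerability IDs (`EXAMPLE-…`) and dates are all placeholders.

```python
"""Added example: correlate installed-product SBOM + supplier VDR + advisories.

All three documents below are constructed sample data with simplified field
names; they are not the exact NIST VDR or CSAF layouts.
"""
import json
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed SBOM: only the artifacts actually shipped in the install package.
SBOM_JSON = """{
  "product": {"name": "ExampleApp", "version": "2.4.1"},
  "components": [
    {"name": "libfoo", "version": "1.8.2", "purl": "pkg:generic/libfoo@1.8.2"},
    {"name": "jsonparse", "version": "3.1.0", "purl": "pkg:generic/jsonparse@3.1.0"},
    {"name": "tlswrap", "version": "0.9.7", "purl": "pkg:generic/tlswrap@0.9.7"}
  ]
}"""

# Constructed living VDR: the supplier's per-component vulnerability status.
VDR_JSON = """{
  "product": {"name": "ExampleApp", "version": "2.4.1"},
  "last_updated": "2023-03-10T12:00:00Z",
  "findings": [
    {"purl": "pkg:generic/jsonparse@3.1.0", "id": "EXAMPLE-2023-0001",
     "status": "affected", "mitigation": "disable remote config import",
     "fix_eta": "2023-03-24"},
    {"purl": "pkg:generic/libfoo@1.8.2", "id": "EXAMPLE-2023-0002",
     "status": "not_affected", "justification": "vulnerable code not present"}
  ]
}"""

# Constructed machine-readable advisory published after the VDR was last updated.
ADVISORY_JSON = """{
  "id": "EXAMPLE-2023-0003",
  "published": "2023-03-12T09:00:00Z",
  "affected": [{"purl": "pkg:generic/tlswrap@0.9.7"}],
  "mitigation": "set minimum TLS version to 1.2",
  "fix_eta": "2023-03-19"
}"""


@dataclass
class Finding:
    purl: str
    vuln_id: str
    source: str                 # "vdr" or "advisory"
    mitigation: Optional[str]
    fix_eta: Optional[str]


def installed_purls(sbom: dict) -> set:
    """Components the consumer actually installs; only these are worth checking."""
    return {c["purl"] for c in sbom["components"]}


def assess(sbom: dict, vdr: dict, advisories: list) -> list:
    """Return the findings that apply to the installed release right now."""
    if vdr["product"] != sbom["product"]:
        raise ValueError("VDR does not describe the installed release")
    installed = installed_purls(sbom)
    # 1. Everything the supplier's VDR already marks as affected.
    findings = [
        Finding(f["purl"], f["id"], "vdr", f.get("mitigation"), f.get("fix_eta"))
        for f in vdr["findings"]
        if f["purl"] in installed and f["status"] == "affected"
    ]
    # Anything the VDR has assessed (affected or not) needs no second opinion.
    assessed = {(f["purl"], f["id"]) for f in vdr["findings"]}
    # 2. Newer advisories the VDR has not caught up with yet.
    for adv in advisories:
        for hit in adv["affected"]:
            if hit["purl"] in installed and (hit["purl"], adv["id"]) not in assessed:
                findings.append(Finding(hit["purl"], adv["id"], "advisory",
                                        adv.get("mitigation"), adv.get("fix_eta")))
    return findings


def report(sbom_json: str, vdr_json: str, advisory_jsons: list) -> dict:
    """Answer "is my installed software vulnerable, as of right now?"."""
    sbom, vdr = json.loads(sbom_json), json.loads(vdr_json)
    advisories = [json.loads(a) for a in advisory_jsons]
    findings = assess(sbom, vdr, advisories)
    advisory_ids = {f.vuln_id for f in findings if f.source == "advisory"}
    # Same-layout ISO-8601 UTC timestamps compare correctly as strings.
    vdr_stale = any(a["id"] in advisory_ids and a["published"] > vdr["last_updated"]
                    for a in advisories)
    return {
        "product": sbom["product"],
        "vulnerable_now": bool(findings),
        "vdr_stale": vdr_stale,          # supplier has not yet updated the living VDR
        "findings": [asdict(f) for f in findings],
    }


if __name__ == "__main__":
    print(json.dumps(report(SBOM_JSON, VDR_JSON, [ADVISORY_JSON]), indent=2))
```

Two design points matter for a consumer running this: the check is keyed on the purls of distributed components, so an SBOM of a source tree would produce false matches on files never shipped; and the `vdr_stale` flag is the consumer's signal that an advisory exists for which the supplier has not yet updated the living VDR, which is exactly the gap the VDR is meant to close.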
"In France, policymakers are taking the lead globally by looking to mandate the use of cyber risk ratings. The French Cyberscore Law, enacted on March 3, 2022, creates the obligation for a cybersecurity certification for digital platforms intended for the public. It comes into force on October 1, 2023."
"By introducing a mandatory cyber risk rating requirement, France will proactively manage how cyber risk is understood and promote greater digital resilience throughout the supply chain."
In summary, software suppliers can help “rebalance” cybersecurity risks by providing up-front and ongoing support to consumers/end users that will enable them to mitigate software risks in a timelier manner, shrinking the window of susceptibility whenever a new vulnerability is reported. These four suggestions would help share responsibilities for cyber-risk and collaborate on effective steps to rebalance and mitigate those risks. If a software supplier refuses to share responsibilities with consumers by engaging in these four activities, then fines and/or other penalties may be in order.