- Executive order under consideration would expand what companies have to disclose security breaches to the federal government.
- Such breach disclosure laws have been long found over legal concerns.
- The EO would also establish that certain software vendors maintain a software bill of materials.
Within days, U.S. President Biden is expected to sign an executive order that would require certain software makers to report breaches to their customers within the U.S. government, according to a report from Reuters.
Over the past 20 years, there have been numerous attempts to increase data breach information sharing between the private sector and the federal government. Still, thorny issues around privacy, legal culpabilities, and certain non-disclosure agreements have frustrated these efforts over the years.
This time may be different. "This EO would be analogous to California's and other state breach disclosure laws. So there is some expectation of required disclosure already inculcated in the private sector," says Scott Crawford, research director, information security at 451 Research, a part of S&P Global Market Intelligence. "Mostly, it would seem that those not directly affected would want to know if their suppliers had had a breach, not only to qualify their suppliers but to mount their own response if necessary. It's the direct victim of a breach that would be the most worried [about disclosure]," says Crawford.
Based on its reading of the draft EO, Reuters says the order will likely be crafted in such a way as to shield software makers from legal liabilities that could be associated with a data breach disclosure. Software makers covered by the executive order are also expected to be required to save digital evidence to share with federal law enforcement and the Cybersecurity and Infrastructure Agency, or CISA.
If the executive order is signed and drafted, it would also require those software vendors to maintain a "software bill of materials." A software bill of materials is a catalog of the components that comprise an application. The concept of a software bill of materials has become more critical over the years because software vendors and internal development teams generally create their applications by integrating open source and commercial components. Keeping track of such components is growing increasingly complex.
As we covered, organizations use hundreds of thousands of such components, many with known vulnerabilities at any given time. Of course, the challenge is that most enterprises don't know what open-source components they use, let alone all of the open-source components in use by their software suppliers. This means when a vulnerability is discovered in an open-source component, many – if not most – organizations have no clue where those components reside within their environment. The hope is the software bill of materials is part of the solution to solve this challenge.
This executive order is partially driven by recent software supply chain attacks that targeted a software maker's continuous integration/deployment pipeline. The recent successful software supply chain attack on a widespread network monitoring and management tool impacted thousands of enterprises and nine government agencies, including the U.S. Treasury. According to news reports, that attack was through the successful compromise of the vendor's software update system, and a trojan was inserted within an update. With the successful insertion of that trojan, which the attackers digitally signed, it would be trusted, and through that malware, the attackers maintained command and control over breached systems.
Attacks on software supply chains are a big concern, and there's no easy fix for software makers or enterprise security teams. "These attacks are particularly troublesome because if an attacker can burrow themselves into a supplier's software components, it can be very difficult to identify and eradicate the associated malicious software, especially if the components are signed and trusted as they were in the most recent incident. These attacks have been linked to nation-states. While the most recent attack is believed to be attributed to a Russian operations group, there have been software supply chain attacks attributed to Chinese attackers," I wrote in my 2020 cybersecurity year in review post.
To protect themselves from software supply chain attacks, Bitdefender's security team recommends enterprises:
- Perform a thorough risk assessment to identify potential security gaps and weaknesses across your entire supply chain at least once a year.
- For organizations that develop software, implement software procedures that require validation through multiple reviews before new code reaches production.
- For organizations with production software environments as part of their core business, incorporate periodic security testing that looks for anomalous processes and network traffic behaviors in addition to classic application bugs.
The executive order under consideration would, according to Reuters, add a coordinated incident response to that list, at least for some federal organizations. "The draft order would also create a cybersecurity incident response board, with representatives from federal agencies and cybersecurity companies. The forum would encourage vendors and victims to share information, perhaps with a combination of incentives and liability protections," Reuters reported.
While it's true that attempts at such public/private partnerships have been long sought with little progress, primarily because the private sector fears lawsuits and legal issues. The private sector has also long objected to the federal taking information from victims but not sharing enough information back with the private sector so they could better protect themselves. That's been changing for the better over the years. At the same time, such organizations tend to become politicized.
Perhaps the recent spate of breaches and heightened awareness of nation-state APTs may prove to be a catalyst for better change. "If participants enter into such an organization with the intent that any of them might sustain an incident at any time, and all are working toward common goals for making response more effective for all, then yes, this could be beneficial. But not if the most significant outcome is that these become name-and-shame fests," says Crawford.