Analysis: White House Cybersecurity Policy Maker: Secure Open Source Software Even If It Benefits ‘Adversaries’, We Should Do It Anyway
By Joe Fay
Resiliency is the endgame of the U.S. approach to internet and software security.
The U.S. has a vested interest in creating a secure and resilient internet and software ecosystem, even if it means its “adversaries” also benefit, a White House cybersecurity leader told the State of Open Conference in London late last week.
During a panel session on international security policy, Sal Kimmich, director of open source, AI DevSecOps, at EscherCloudAI, said researchers uncovering vulnerabilities could face pressure from nation states, and that there needs to be a way of protecting them.
Microsoft director of open source strategy, Sarah Novotny, added, “You have to align incentives and a nation state offering incentives for Zero Day is a really tough thing to compete with.”
Regarding the Log4j vulnerability that caused chaos in late 2021, Open Source Security Foundation general manager Brian Behlendorf said, “I’m sure this was a bug that had been found by nation states or other actors and had been kept confidential.”
Anjana Rajan, assistant national cyber director for technology security in the White House, agreed the incentive structure for reporting common vulnerabilities and exposures (CVE) is “highly misaligned. Why would you call the police on your own code? I don’t think we’ve really understood what the endgame is for the broader ecosystem.”
She said for the White House’s Office of the National Cyber Director, “resiliency is the end game”.
Building in security “benefits all of our national security interests, our economic interests, and yes, that means our adversaries might also have a secure and resilient internet.”
But, she continued, “That’s actually the price we want to pay for our best interests. And I think that’s kind of a provocative shift in the conversation.”
Open source software is a key part of the White House’s strategy for securing the nation’s infrastructure, she said. “There needs to be a long-term strategy, because our economy depends on it, our national security depends on it, our democracy depends on this infrastructure.”
The White House’s open-source security strategy recognized that it wasn’t possible to simply impose legacy policy approaches on modern software ecosystems, she said.
Securing open source meant speaking to the people creating the software and maintaining projects from the outset. It also meant the U.S. couldn’t just come up with a policy and scale it globally, she said.
Protect the Nation with Automation
“We need to be starting from day one thinking about ‘what does an open-source ecosystem look like around the world?’ And then build the concepts first and the thesis first, and then think about what is the regulation?” Rajan added.
The White House’s strategy has included a big emphasis on software bills of materials (SBOMs). But this needs more automation. “This should be table stakes,” said Rajan. “I shouldn’t have to manually create a bill of materials. I should be able to rely on my GitHub repository to click a button and update that every time I submit a pull request.”
Getting CVE lists should be automated too, as should updating repositories. “I think the next phase for all of us is to say, Okay, now that we agree about the policy and the concepts, how do we automate this? How do we now make this cybersecurity by design.”
One very simple effort on the White House’s part is to encourage the adoption of memory safe languages. In a separate session Rajan noted that memory safety issues had underpinned many of the big security crises over the last two decades, from the SQL Slammer worm attack in 2003 to WannaCry in 2017.
Switching to languages like Rust, Python and Swift would eliminate around 70% of vulnerabilities, Rajan noted. “While there is no silver bullet for securing this software ecosystem, this is certainly a significant step to driving resiliency.”
There also needed to be much more focus on education, she said. This wasn’t just a case of encouraging more engineers and cryptographers. “We also need people who understand other disciplines that are so critical for this to work.”
It was also about more than ensuring that security was embedded into computer science courses. She said the industry had to recognize that many tech workers came into the industry via other routes, whether through technical colleges, community colleges or other non-traditional routes, including those who are effectively self-taught.
The final element, she said, was to ensure that the government did not overburden smaller players in the supply chain. “You know, the individual or the small business or the mom-and-pop shop that does not have the resources to withstand a cyber-attack from a nation state.”
But, she continued, “We still want to make sure that they see themselves as part of the solution. And so, what does it mean to create a digital awareness strategy to make sure that everyone understands the role that they can play?”