A leading representative of software developers is cautioning against a blanket push for transparency in the industry as part of a new cybersecurity initiative soon to get underway at the National Telecommunications and Information Administration.
“Transparency often sounds appealing in almost any context, but transparency can also bring some unintended consequences,” Tommy Ross, senior policy director for BSA | The Software Alliance, said this week in an interview with Inside Cybersecurity.
Issues of software transparency and liability have been garnering more attention recently, especially in relation to efforts to secure the supply chain and cyber concerns linked to the emerging Internet of Things. But questions of intellectual property and standardization have complicated the challenge.
“The key is that it needs to be scoped in a way that sets out a clear problem statement and doesn't prejudge the answer, because this is a complex question,” Ross said of NTIA indicating it intends to launch a multi-stakeholder process this summer to “examine what’s needed to foster a marketplace for greater software component transparency.”
NTIA’s software initiative is an outgrowth of two previous multi-stakeholder processes at NTIA around IoT security and vulnerability disclosure, and tracks with an action item in the landmark botnet report released this week by the departments of Commerce and Homeland Security.
“While the notion of transparency around components of software is not new, wide support and adoption has not been realized,” the Commerce-DHS report reads. “NTIA should engage diverse stakeholders in examining the strategies and policies necessary to foster a marketplace for greater software component transparency, including identifying and exploring market and other barriers that may inhibit progress in this space.”
The report says “knowing what software has been incorporated into a product is a fundamental step toward being able to keep it updated and to mitigate threats when they arise.”
BSA's Ross acknowledged the potential merit of the effort, but warned that it could also harm cybersecurity by creating unnecessary distractions that pull focus away from addressing real threats.
“I think the idea is that increased transparency will help people better understand the code bases that are operating on their networks and therefore be better positioned to apply settings and to account for the components that they know they have running on their networks,” he said, but he noted that developers might use one part of a library of source code but not another.
“Transparency measures that tell consumers the product is combing back to a library with a known vulnerability might create unnecessary or unfounded concerns about the security of the product,” he said. “You might then imagine that consumers would be on the line with the support desk demanding answers for a problem that doesn't exist and distracting resources from solving real problems.”
Asked whether having a professional arbiter certify the software components might address the problem, Ross said certification presents a challenge because there is a gap in the availability of appropriate international software standards to certify against.
Ross said BSA members already employ security best practices but smaller software developers employed by IoT device manufacturers or components sourced by third parties earlier in the software supply chain may not.
“There are some fundamental best practices for supply-chain security that are necessary predecessors for this conversation,” Ross said, “including that software developers ought to be able to trace component parts back to their source and have a validated chain of custody for those component parts.”
But addressing that problem presents a threat to proprietary information.
“If a supplier shares its source code with a developer, the developer will have eliminated their need for the supplier,” Charles Clancy, who directs Virginia Tech’s Hume Center for National Security and Technology, told Inside Cybersecurity Wednesday.
During a panel hosted by the Atlantic Council on Wednesday, authors of a report the organization released, “Supply Chain in the Software Era,” said “it’s a super hard, nearly impossible problem.”
The report recommends stakeholders, including insurers and manufacturers, ask for a “software bill of materials” and suggests ways it might address the challenge of protecting intellectual property.
“This provides observable measures that can be used to evaluate the number and the reliability of suppliers and components, as well as the number and severity of known software defects,” the report reads. “By limiting the transparency to only third-party and open-source components, intellectual property concerns are dampened.” -- Mariam Baksh