At a glance.
- Understanding a software bill of materials.
- Considerations surrounding cyber retaliation.
US SBOM order growing pains.
SecurityWeek says cybersecurity vendors are “scrambling” to understand the software bill of materials (SBOM) directive for Federal contractors in the Executive Order (EO) on Improving the Nation’s Cybersecurity. (SBOMs have been roughly compared to ingredients lists.) Amid “countless” industry meetings, the National Telecommunications and Information Administration (NTIA) released a handful of resources, including SBOM at a Glance, FAQs, and Explainer videos. The Linux Foundation added to the wealth of research and tools with a free Generating an SBOM course and an SBOM Generator. Some experts expect the mandate to improve supply chain transparency and security to the benefit of buyers; others fear SBOMs will be difficult to implement and won’t reduce overall vulnerability.
The NTIA is on course to issue SBOM baseline requirements by the EO’s July 11 deadline, Federal News Network reports. The US Chamber of Commerce and National Defense Industrial Association requested an extension, but the NTIA’s cybersecurity director pushed back against what he sees as industry delay tactics, while acknowledging that SBOMs “won’t solve everything.”
Nextgov notes disagreement between industry players and Representative Langevin (Democrat, Rhode Island 2nd) over what SBOMs should entail and to whom they should be made available. Raising IP and expense worries, companies are angling for limited SBOM distribution and wiggle room with regard to SBOM depth. Langevin wants SBOMs to be posted online when possible, and is encouraging the Government to prioritize security over cost, on the belief that “our unwillingness to pay for security is one of the reasons we continue to face the volume of cyber threats that we do.”
Organizing (or at least proposing) retaliation.
The Washington Post relates Senator Angus King’s (Independent of Maine) desire for faster, stronger, clearer (“specific,” though not yet specified) consequences for cyberattacks, expressed at a Post event. Observing that “Putin can hire eight thousand hackers for the cost of one jet fighter,” he said, “I want somebody in the Kremlin…to say, ‘Gee, boss, I'm not sure we ought to do this because we're liable to get whacked in some way by those Americans.’” While arguing that CyberCom should go after ransomware gangs, King refrained from calling for a cyber response to every attack. FireEye CEO Kevin Mandia warned that a cyber “tit for tat” could turn out worse for the US than for less-connected countries. Both King and Mandia also voiced support for a critical infrastructure penetration testing mandate.