At a glance.
- DoD issues summary of 2023 Cyber Strategy.
- Customs and Border Protection to end use of location data.
- CISA releases its Open Source Software Security Roadmap for the Federal government.
DoD issues summary of 2023 Cyber Strategy.
The US Department of Defense (DoD) yesterday announced that it has released a summary of its 2023 Cyber Strategy. The full strategy, which is classified, was submitted to Congress in May and outlines how the DoD is implementing the plans laid out in the 2022 National Security Strategy, 2022 National Defense Strategy, and the 2023 National Cybersecurity Strategy. The unclassified summary describes the DoD’s integrated approach to deterrence, with an emphasis on implementing cybersecurity strategies in collaboration with other national defense tools. It also underscores the DoD’s commitment to supporting the defenses of other government agencies and the defense industrial base. Deputy Assistant Secretary for Cyber Policy Mieke Eoyang stated, “Distinct from previous iterations, the strategy commits to increasing our collective cyber resilience by building the cyber capability of allies and partners. It also reflects the department’s approach to defending the homeland through the cyber domain as well as prioritizing the integration of cyber capabilities into our traditional warfighting capabilities.”
(Added, 4:45 PM ET, September 13th, 2023.) Ted Miracco, CEO of Approov Mobile Security, sees the Strategy as enunciating a more active approach to cybersecurity as a component of national security. “This new cyber strategy from the DoD represents an important shift from a reactive to proactive posture and is ultimately about far more than DoD's capabilities. Networks crossing sectors and borders require a global security mindset. This strategy's direction is right, but execution will determine whether it leads to meaningful improvement in cyber resilience, as talk of information sharing and partnership is good, but only if it is backed up by real, sustained commitments. The strategy's emphasis on sharing actionable intelligence to enable better private sector defenses, rather than just mopping up after the fact, is wise, but it will require overcoming cultural obstacles.”
We also heard from Emily Phelps, Director at Cyware, who had thoughts on the Strategy's implications for securing critical infrastructure. “Securing critical infrastructure is complex, and with today's threat landscape, it requires a modern, proactive approach. Threat intelligence alone is not enough to combat a persistent wave of adversaries. Intelligence must have the necessary context and clarity so that the right people can take the right action. It requires strategic automation to rapidly collaborate so that teams have the actionable intel they need without the noise that slows them down.”
Customs and Border Protection to end use of location data.
US Customs and Border Protection (CBP) says it will no longer use commercially sourced smartphone location data. US law enforcement agencies like CBP have been known to purchase access to phone location data from commercial vendors to support their investigations. Vendors like tech company Venntel place source code in consumer apps, then use that code to determine users’ locations by tracking when and where the apps are used. The location data is then sold to customers like hedge funds, real estate investors, and law enforcement. Law enforcement agencies need no warrant to acquire this data, and human rights experts have questioned whether its use violates privacy rights.
Senator Ron Wyden, a Democrat from Oregon, says he was informed CBP plans to stop using such data by the end of the month, which marks the end of FY23. CBP added that if the agency “identifies a critical mission need to re-acquire a vendor who provides CTD, we would ensure CBP would engage Oversight, Legal, and Privacy entities at the agency and department level.” Although the announcement appears to be a positive change, there are still questions to be answered. Wyden told 404 Media, “While it is good news that CBP is ending its purchase of Americans' location information, it's troubling that the agency still hasn't released the Trump-era DHS legal memo that provided CBP with the authority to engage in such warrantless surveillance in the first place.”
It’s unclear why CBP has made the decision at this time, and the agency has not yet released a public statement. Julie Mao, deputy director of legal advocacy firm Just Futures Law, stated, “We welcome CBP’s announcement that it will stop surveilling people using this type of location data. But given the long history of abuse and misconduct by CBP, we’re waiting to see what actions the agency will actually take.”
CISA releases its Open Source Software Security Roadmap for the Federal government.
CISA has issued its Open Source Software Security Roadmap. The agency explained in its cover post that, “The roadmap lays out four key priorities to help secure the open source software ecosystem: (1) establishing CISA’s role in supporting the security of open source software, (2) driving visibility into open source software usage and risks, (3) reducing risks to the federal government, and (4) hardening the open source ecosystem.” Comments on the document are welcome. The Roadmap's objectives are intended to be implemented over Fiscal Years 2024 through 2036.
Nick Mistry, SVP and CISO of Lineaje, commented that users have tended to take the good (benefits) with the bad (risks) when using open-source software, and thinks that the guidelines might represent a step toward changing this learned helplessness. “Traditionally, when using open-source software, you accept the risks or you choose the ‘better’ open-source option,” Mistry wrote in emailed comments. “But with 82% of open-source software components being inherently risky due to vulnerabilities, code quality, security issues, or maintainability concerns, is there really a way to make a decision between one piece of open-source software and the other? I think if federal agencies and software vendors really follow through and adopt some of the principles that the new CISA Open-Source Software Security roadmap is setting forward, then the answer could be yes. The new guidelines are the first step in making organizations prove that the open-source software being used is truly secure. It’s not good enough to simply say, ‘Here's the software in my software bill of materials (SBOM) and here are the risks.’ We must require federal agencies and software vendors to demonstrate exactly what is being done to mitigate those risks.”
CISA has solicited comment on its roadmap, and it has already received considerable input in the course of drafting it. Chris Wysopal, CTO and co-founder of Veracode, wrote, “The large number of high-quality open source projects has allowed organizations to build more custom applications – and become more dependent on open source software (OSS) – than ever before. This means that organizations must have two critical processes in place to manage the risk of vulnerabilities. The first is to inventory the OSS in those apps continuously by scanning code during the software development life cycle (SDLC). This mitigates the latent risk that exists in production code and enables organizations to efficiently remediate it when new vulnerabilities like Log4j are disclosed. The second crucial step is to implement a highly automated SDLC. This ensures that the process of updating, testing, and deploying a new version of a custom application with an updated OSS package to fix a new vulnerability is quick and efficient. This is necessary to beat attackers who are racing to exploit the newly discovered vulnerability.” What Veracode has seen in the libraries developers use isn't encouraging: it suggests that too many teams are content to leave easily addressed issues untouched. Wysopal adds, “We have found that 79% of developers never update third-party libraries after including them in the codebase. This is despite the fact that 92% of open source library flaws can be fixed with an update, and 69% of fixes are minor and won’t break the functionality of even the most complex software applications. Software buyers should ask their vendors if they have these processes in place to close the vulnerability window caused by a slow response to updating their open source.”
Supply chain vulnerabilities in open source software have for some time represented a serious and growing concern. Mike Walters, VP of Vulnerability and Threat Research and co-founder of Action1, thinks the open source community can and should do better. “The current state of open source security is far from ideal, and organizations are confronted with significant risks on multiple fronts. Firstly, the exploitation of vulnerabilities and supply chain attacks can result in unauthorized access, data breaches, and financial losses. Furthermore, reputational damage and the loss of customer confidence can have enduring consequences. The scale of the threat cannot be underestimated, as evidenced by incidents such as the widespread Log4j vulnerability that affected countless organizations worldwide,” Walters wrote. He thinks security measures should now be enacted formally. “The authorities have undertaken a significant amount of theoretical and advisory work, demonstrating proficiency in security awareness and guidance activities. However, it is now time to transition from theory to practicality by enacting the Securing Open Source Software Act of 2023 as a tangible law, combining both proactive and advisory approaches. First and foremost, rigorous security assessments and audits of open source components should be conducted on a regular basis. Increased collaboration between government agencies, software developers, and security researchers is critical to quickly identify and patch vulnerabilities. Additional essential steps include implementing secure coding practices, providing funding for open source security audits, and establishing guidelines for the secure integration of open source components.” This will require regulation and legislation. Walters adds, “The realization is that this should not remain theoretical but should be executed at the highest level of the law.
“While government agencies have made progress in addressing open source security, it is evident that further action is needed to enhance the protection of critical infrastructure and corporate assets. The risks that organizations face from open source vulnerabilities are significant and can have devastating consequences. By investing in comprehensive security measures, fostering collaboration, and enforcing secure practices, we can build a resilient ecosystem that encourages innovation while protecting against potential threats.”