Government cybersecurity has been a pressing issue for decades, yet only recently have we seen federally sponsored recognition of the increasing threat adversaries pose to proprietary, custom, and open source software. On the tails of high profile data leaks and internet-crippling cyber attacks, it’s prudent to explore our nation’s strategy for cybersecurity and identify the most impactful ways to reduce our adversaries’ asymmetric advantage: the advantage that comes from knowledge or an operational leg-up that others lack, such as dedicated teams of attackers or easy points of entry through application vulnerabilities.
Strength in Numbers: A Push for Federal Government Cybersecurity
In December 2014, the Senate passed the Cybersecurity Enhancement Act of 2014, which outlines requirements to increase awareness and education of the government’s cybersecurity best practices, to facilitate collaboration between public and private sectors through the lens of cybersecurity, and to establish a strategic plan for research, innovation and development. This marks one of the most prominent instances of the United States’ federal government organizing resources with the intent of augmenting cyber defenses to combat alarmingly persistent cyber attacks.
Fast forward to August 2016, when the White House released the Federal Source Code Policy obliging federal government agencies to release 20 percent of custom code as open source software, encouraging the proliferation of ideas and benefiting agencies and taxpayers alike through the reduction in duplicate application development efforts and a more concise, proven portfolio of government applications.
But mandates, directives and standards provide little benefit, and can in fact generate risk, without a strategy for implementation and a means to make informed decisions.
Stick to the Plan: A Government Cybersecurity Strategy to Combat Adversaries
Lending much to the justification of the Federal Source Code Policy, the National Science and Technology Council (NSTC) and Networking and Information Technology Research and Development (NITRD) Program released the Federal Cybersecurity Research and Development Strategic Plan, a response to Section 201 of the Cybersecurity Enhancement Act of 2014 directing these organizations to develop a strategy for cybersecurity research and development.
This plan structures near-, mid-, and long-term goals for software and technology advancements driving federal cybersecurity standards:
- Near-Term Goal: Counter adversaries’ asymmetric advantages with risk management. This can only be accomplished with comprehensive insight into the vulnerability landscape and enhanced identification, assessment, and response to threats.
- Mid-Term Goal: Reverse adversaries’ asymmetric advantages through sustainably secure development and operations practices. This includes the design and implementation of software, firmware, and hardware which are resistant to exploitation, as well as operations standards which simplify such activities while enhancing security.
- Long-Term Goal: Deter malicious cyber activity by lessening the likelihood of a successful attack and increasing attribution. This relies heavily on the mid-term goal to raise the level of effort required by adversaries to the point where the cost of an attack outweighs its benefit.
One of the biggest problems today is adversaries’ asymmetric advantage: the fact that defending applications and systems against malicious activity takes far more resources and effort than carrying that activity out. Attackers exploit this by hitting soft targets, including applications with unpatched vulnerabilities in open source components, which present a target-rich environment for anyone with access to publicly available exploits. And with the roll-out of the Federal Source Code Policy, open source software is taking center stage as one of the largest areas of concern as well as one of the greatest opportunities to enhance cybersecurity.
Close the Door: Open Source Software Security for the Federal Government
The NSTC / NITRD strategic plan discusses the importance of software risk management, noting:
“Cybersecurity decisions in an organization should be based on a shared assessment of the organization’s assets, vulnerabilities, and potential threats, so that security investments can be risk-informed. This must be achieved despite the incomplete knowledge the organization has of its assets, vulnerabilities, exposures, and potential threats.”
For many, an incomplete inventory of open source components directly impedes this initiative, obscuring insight into the software portfolio and preventing an accurate assessment of the open source vulnerabilities that threaten the organization. In order to achieve the NSTC’s and NITRD’s goals of countering adversaries’ asymmetric advantage, and ultimately deterring a statistically significant number of attacks, open source vulnerability management must be automated and enhanced to provide rapid identification of, and alerting on, vulnerabilities impacting each government agency’s application portfolio.
Forward Together: Standardizing Open Source Best Practices for Government
Each step forward toward open source application security is an affirmative push backward against attackers. The NSTC and NITRD report that “many products have been shipped with large numbers of vulnerabilities,” a claim substantiated by Black Duck’s Open Source Security Analysis, which found that 67% of applications reviewed contained open source security vulnerabilities, with 40% of the open source vulnerabilities in each application rated as “severe.” This illustrates shortcomings in present vulnerability testing and identification practices, as well as operational and quality concerns across agencies’ development life cycles. The Federal Cybersecurity Research and Development Strategic Plan establishes success criteria for this problem, seeking a reduction in software defects from an estimated one per thousand lines of code to one per ten thousand and one per hundred thousand lines of code in the mid and long term, respectively.
The NSTC and NITRD stress the need for “formal methods for analyzing software during the development phase…to identify less obvious vulnerabilities and…facilitate detecting vulnerabilities in existing software.” To achieve this, federal government agencies must incorporate open source development best practices throughout the SDLC to reduce the cost of remediation by early vulnerability discovery, and to prevent the use of vulnerable components from the very beginning. These efforts can be enhanced by implementing continuous monitoring for new vulnerabilities after deployment, since the security profile of a component can change overnight following release.
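As an added illustration of the automated inventory matching and post-deployment re-checking described above (example code, not Black Duck’s, the NSTC’s or NITRD’s), the block below matches a constructed open source component inventory against a constructed advisory feed with version ranges, then re-runs the check after a new advisory is published. Every application name, component, version and advisory id is made up.

```python
# Added example (not Black Duck's or NITRD's code): match an open source component
# inventory against a vulnerability feed; all names, versions and ids are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Component:
    app: str       # application in the agency's portfolio
    name: str      # open source component name
    version: str   # dotted numeric version string (assumption)

@dataclass(frozen=True)
class Advisory:
    adv_id: str            # placeholder id, not a real CVE
    component: str
    introduced: str        # first affected version (inclusive)
    fixed: Optional[str]   # first fixed version (exclusive); None = unfixed
    severity: str          # "severe" or "moderate" in this toy feed

def parse_version(v: str) -> tuple:
    # Numeric tuple so "1.10.0" sorts after "1.9.3", unlike plain string compare.
    return tuple(int(p) for p in v.split("."))

def is_affected(comp: Component, adv: Advisory) -> bool:
    if comp.name != adv.component:
        return False
    v = parse_version(comp.version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)

def find_vulnerabilities(inventory, feed) -> dict:
    """Map each application to a sorted list of (component, adv_id, severity)."""
    findings = {}
    for comp in inventory:
        for adv in feed:
            if is_affected(comp, adv):
                findings.setdefault(comp.app, []).append(
                    (comp.name, adv.adv_id, adv.severity))
    return {app: sorted(hits) for app, hits in findings.items()}

def severe_share(findings: dict) -> float:
    """Fraction of all findings rated severe (0.0 when there are none)."""
    hits = [h for app_hits in findings.values() for h in app_hits]
    return sum(h[2] == "severe" for h in hits) / len(hits) if hits else 0.0

# Constructed inventory and feed; NEW_ADVISORY simulates a post-deployment disclosure.
INVENTORY = [Component("payroll", "libfoo", "1.2.3"), Component("payroll", "barlib", "4.0.0"),
             Component("portal", "libfoo", "1.3.0"), Component("portal", "bazparse", "0.9.1")]
FEED = [Advisory("ADV-0001", "libfoo", "1.0.0", "1.2.5", "severe"),
        Advisory("ADV-0002", "barlib", "3.0.0", None, "moderate")]
NEW_ADVISORY = Advisory("ADV-0003", "bazparse", "0.9.0", "0.9.2", "severe")
```

Running `find_vulnerabilities(INVENTORY, FEED)` flags only the payroll application; re-running with `FEED + [NEW_ADVISORY]` also flags the portal application, which is the case continuous monitoring exists to catch.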
Black Duck is working to enable government organizations to achieve these goals set forth by the NSTC and NITRD, in addition to augmenting initiatives established by the Federal Source Code Policy and Cybersecurity Enhancement Act of 2014. With solutions for open source vulnerability management, like Black Duck’s Hub, federal government agencies are well-equipped to rapidly address vulnerabilities in open source software, enforce policies for open source license compliance, and find solace in a more secure development cycle.