
Finally, a meaningful congressional report on stemming cybersecurity attacks

News Analysis
Dec 12, 2018

The Cybersecurity Strategy Report offers solutions to six problem areas in an effort to improve IT's ability to cope with today's cyber threat landscape.


As a new Congress arrives next month, expect a whirlwind of activity on the cybersecurity and privacy fronts. From major data breaches to the growing consumer data privacy morass, the frenetic pace of Washington developments will heat up.

Most of this activity will obscure the fundamentals of why we have never-ending breaches, personal data exposures and chronic digital insecurity. A just-issued report by the House Energy and Commerce Committee’s Subcommittee on Oversight and Investigations is, however, a refreshing departure from the usual political drama because it delves into this very question.

The Cybersecurity Strategy Report released on December 7 sidesteps the crises du jour by taking a bigger picture, practical and non-partisan view of what’s going wrong and how to fix things. It seeks to articulate how “traditional information technology (IT) strategies seem largely ineffective at stemming the growing tide of cybersecurity incidents.”

“The priorities [in the report] are based in sound concepts and embrace proven approaches to improve cyber safety, security, and resilience,” according to Beau Woods, a cyber safety innovation fellow with the Atlantic Council, a leader with the I Am The Cavalry grassroots initiative, and founder/CEO of Stratigos Security.

The report identifies six interrelated, core cybersecurity problems and presents solutions to these problems. The recommended solutions are:

1. Adopt coordinated disclosure programs

Modern technology is just too complex for any single person, organization or even government to grasp, and there will always be “unknown unknowns” that lead to cybersecurity incidents. “Modern information systems and networks contain hundreds to thousands of individual hardware and software components, each of which typically contain dozens of software libraries and thousands of lines of code, which in turn may be vulnerable to various cybersecurity flaws or risks,” the report notes.

One solution is to shine a light on cybersecurity incidents through third-party coordinated disclosures. Those disclosures occur when someone who finds a vulnerability in a network, product, service, software or system works with the affected party to address the problem.

2. Implement software bills of materials (SBOMs) across connected technologies

Most organizations have incomplete asset and inventory lists, leading to situations where they can’t protect what they don’t know they have. This lack of visibility “forces organizations to try to mitigate cybersecurity vulnerabilities blindly, relying on sporadic and usually opaque vendor guidance when it’s provided, or on broad-stroke best practices when it’s not.”

Organizations should adopt a software bill of materials (SBOM) that details the components of the technologies they use. A key benefit of an SBOM is the ability to see the pervasiveness of open-source software, which organizations often don’t know they’re acquiring; that leads into the third solution.

3. Support a stable open-source software ecosystem

Although most popular technologies, such as Microsoft’s Windows, Google’s Chrome or Apple’s MacOS, appear to be proprietary technologies, open-source technologies often underlie these giants’ products. “Software development has moved from an artisanal, soup-to-nuts process to one more akin to bricklaying,” the report notes, with the bricks frequently supplied by open-source developers.

For this reason, organizations should start recognizing the critical importance of open source software (OSS) and behaving accordingly. One example of this is the Core Infrastructure Initiative, a private multi-million-dollar effort supported by industry giants, including Amazon, Google, Microsoft, Facebook and more.

4. Maintain the health of the Common Vulnerabilities and Exposures (CVE) program

Security vulnerabilities are complex and rarely described in terms of how they function, making it difficult to keep track of them. Fortunately, the Department of Homeland Security (DHS), with help from federal contractor MITRE, runs the Common Vulnerabilities and Exposures (CVE) program, which provides unique identifiers for over 100,000 vulnerabilities, a common language that is “the cornerstone on top of which modern cybersecurity is constructed,” the report notes.

To continue fostering the usefulness of the CVE program, organizations must continue building atop it and continue leveraging the common cybersecurity language it creates.

5. Implement supported lifetimes strategies for technologies

The pace of technological innovation leaves organizations constantly upgrading to new technologies, with legacy systems receiving less support and attention as time goes by. The WannaCry worm, for example, exploited a vulnerability that had gone unnoticed for 30 years, while the energy sector malware Triton targeted a vulnerability in legacy software.

Technology developers should provide some guaranteed minimum support lifetime for the products they sell. Other steps include decoupling physical assets from digital ones, so that the obsolescence of one does not necessarily force the obsolescence of the other, or developing leasing models so that manufacturers can swap out old, vulnerable technologies for new, more secure ones.

6. Strengthen the Public-Private Partnership model

Too often government, private industry and individual consumers are left to struggle with cybersecurity problems on their own, which is a “strategy doomed to fail.” What’s needed instead is a “whole-of-society” approach, in which individuals and organizations across both the public and private sectors play vital, integral roles.

The Public-Private Partnership model established for designated critical infrastructure through Presidential Policy Directive 21 (“PPD-21”) is one example promoted in the report. Under PPD-21, each of the 16 critical infrastructure sectors has roles assigned to it, most notably Sector-Specific Agencies (SSAs), responsible for overseeing and guiding their sectors; Sector Coordinating Councils (SCCs), voluntary groups made up of private sector members; and Information Sharing and Analysis Centers (ISACs), official public-private forums for sharing information among sector members.

As high-profile hearings begin in January, as subpoenas get issued and letters get written, as federal lawsuits fly and federal agency investigations get launched, this report offers some practical advice on how to avoid the lion’s share of security problems. Let’s hope it gets the attention it deserves.

It remains to be seen how the new Congress will embrace the report’s advice. “It will be interesting to see which pieces the Democrat Majority picks up from the Republicans’ agenda. These are all generally non-partisan issues,” says Ari Schwartz, managing director of cybersecurity services at Venable LLP and former member of the White House National Security Council.