“We need to change the way that developers write software and if they think about this from the start. You can’t bolt it on at the end.”
These attacks caught the attention of the U.S. government, which has aimed to support software supply chain security through various regulatory measures over the past year. The National Cybersecurity Strategy, released in March by the Biden administration, is one of the bolder strategies put out by the White House in shifting the onus toward manufacturers.
“The strategy really outlines how we need to look at the most atomic unit, all the way to the code, through how we distribute software and the products that it’s in,” said Camille Stewart Gloster, with the White House Office of the National Cyber Director.
Technology providers are often in a rush to get their products out to market or to add new features, and standard development practices and processes have not traditionally prioritized security or the long-term impact on the overall ecosystem. The National Cybersecurity Strategy and other government measures aim to create market incentives that push vendors toward a secure by design model instead.
Biden’s 2021 Executive Order on Improving the Nation’s Cybersecurity requires federal agencies to use only software developed using secure development practices and instructs agencies to obtain certification of this from the vendors they work with. As part of this, vendors working with federal agencies must, for instance, demonstrate by June that their products meet minimum NIST standards.
Separately, this month, CISA, the FBI, the NSA and international partners released guidance for manufacturers on building secure by design technology. Stewart Gloster stressed that the work has to begin at the training level for developers so that security is prioritized at the outset – something that is currently lacking as few developers have formal education in secure coding practices.
“What’ll you see in the National Cybersecurity Strategy, and in the implementation to come, is us trying to identify the places where we can best serve across the software ecosystem – not just open source – where we can invest and support industry, all of the other players, in that evolution towards long-term investments or secure by design,” said Stewart Gloster.