
Nimitz Tech Hearing 12-5-24 - House Homeland

NIMITZ TECH NEWS FLASH

Design vs. Default: Analyzing Shifts in Cybersecurity

House Committee on Homeland Security, Subcommittee on Cybersecurity and Infrastructure Protection

December 5, 2024 (recording linked here)

HEARING INFORMATION

Witnesses and Written Testimony (linked):

HEARING HIGHLIGHTS

Legacy Systems and Technical Debt

The hearing highlighted the significant challenges posed by legacy systems and the mounting technical debt in both public and private sectors. Many critical infrastructure systems rely on outdated software with vulnerabilities that adversaries exploit, creating asymmetric advantages. Witnesses pointed out that the $1.4 trillion worth of legacy software used globally in critical infrastructure contributes to the nation’s cybersecurity weaknesses. They emphasized the need for a comprehensive inventory of legacy systems, increased transparency about their vulnerabilities, and the development of mechanisms to phase out unsafe technologies.

The Secure by Design Initiative

The Secure by Design initiative was presented as a framework to embed cybersecurity into the foundation of software and hardware development. It prioritizes transparency, accountability, and proactive measures like vulnerability disclosure and automatic updates. Over 250 companies have signed the voluntary pledge, committing to the initiative's principles. While the framework has shown promise in improving cybersecurity standards, participants noted the need for sustained industry participation and market incentives to ensure its effectiveness across sectors, particularly for smaller entities and critical infrastructure.

Memory Safety and Secure Coding Practices

The discussion emphasized the importance of memory-safe programming languages, like Rust, to address the persistent vulnerabilities in software development. Memory safety issues account for a significant percentage of vulnerabilities in critical infrastructure systems, often with high severity ratings. While transitioning to memory-safe languages is essential, witnesses acknowledged the high cost and time required for such rewrites, which could take decades for some industries. The session underscored the need for interim solutions, such as deploying tools to mitigate memory safety risks and incentivizing safer coding practices.

IN THEIR WORDS

"Humans are fallible, and asking consumers to defend themselves against well-resourced criminal gangs and nation-state actors is a doomed strategy. Instead, we must reduce the burden on end users by embedding security into technology and turning on security features by default."

- Ranking Member Swalwell

"We have a real tech debt problem. The $1.4 trillion worth of legacy software installed on systems running critical infrastructure around the world is what's giving adversaries an asymmetric advantage, not just their sophistication."

- Dr. Srinivas Mukkamala

"With 50 times our assets and eight-plus years to continue placing cyber weapons, our critical infrastructure might not be ours by the time we're Secure by Design."

- Mr. Shane Fry

SUMMARY OF OPENING STATEMENTS FROM THE SUBCOMMITTEE

  • Chairman Garbarino opened the hearing by emphasizing the increasing sophistication of cyber threats and the necessity of enhancing cybersecurity as a foundational principle rather than a reactive measure. He highlighted the CISA-launched Secure by Design initiative as a proactive approach to embedding cybersecurity into product development. Over 250 companies have signed the voluntary Secure by Design pledge, which emphasizes key actions like improving software security and enhancing transparency. He expressed the need to maintain voluntary participation and industry buy-in to ensure innovation and security coexist while avoiding duplicative or burdensome regulations.

  • Ranking Member Swalwell discussed the importance of embedding security into technology from the outset, reducing the burden on consumers to defend against sophisticated cyber threats. He commended CISA's Secure by Design initiative as a critical step toward creating a resilient and defensible digital ecosystem, in alignment with the Biden Administration’s National Cybersecurity Strategy. Swalwell highlighted the role of private sector innovation in achieving this goal and praised Google for its advancements in user security. He also stressed the importance of bipartisan support for CISA, warning against efforts to weaken the agency in future administrations.

SUMMARY OF WITNESS STATEMENTS

  • Ms. Heather Adkins described Google's long-standing commitment to a Secure by Design approach, embedding cybersecurity into every phase of product development. She detailed Google's efforts to combat phishing and vulnerabilities through tools like multi-factor authentication, passkeys, and safe coding frameworks. Adkins also emphasized the importance of issuing timely security updates and fostering transparency through vulnerability disclosure policies and rewards programs. She underscored the need for industry collaboration to enhance digital security and noted that securing the digital ecosystem requires continuous effort and innovation.

  • Mr. Jim Richberg shared his experience with Fortinet's commitment to Secure by Design, emphasizing radical transparency and collaboration with CISA to create the Secure by Design pledge. He highlighted the widespread adoption of the pledge by over 250 companies, ranging from small developers to global IT firms, as evidence of its success. Richberg pointed out that while Secure by Design is a practical step forward, its success depends on market demand and customer awareness. He argued that public-private partnerships and market-driven approaches are essential for the initiative's long-term success.

  • Mr. Shane Fry explained how Secure by Design has influenced RunSafe Security's practices, including transitioning to memory-safe programming languages and improving software transparency through public SBOMs (Software Bill of Materials). While acknowledging the initiative's potential to transform cybersecurity, Fry stressed the challenges posed by legacy systems and the slow adoption of Secure by Design practices in critical infrastructure sectors. He urged Congress to incentivize the use of secure technologies and prioritize critical infrastructure protection, emphasizing the need for immediate action to address memory safety vulnerabilities and outdated systems.

  • Dr. Srinivas Mukkamala highlighted the persistent issues of legacy software and the lack of transparency in its use, which give adversaries a strategic advantage. He pointed to the high cost of technical debt and the alarming vulnerabilities in critical infrastructure systems. Mukkamala called for a national legacy software library, transparency in software safety, and clear guidance on addressing vulnerabilities. He argued that software safety must be regulated, much like medical devices or utilities, to ensure reliable and secure systems critical to national security and public safety.

SUMMARY OF Q and A

  • Rep. Ezell asked the panelists which of the "Seven Pillars" of Secure by Design has been the most difficult to adopt and why. Ms. Adkins explained that tackling entire classes of vulnerabilities is the hardest due to the need to change how developers work and the reliance on third-party and open-source software, which often lacks uniform standards. She noted generative AI is a promising tool, but it requires significant innovation and research to ensure long-term safety. Mr. Richberg agreed that addressing entire classes of vulnerabilities is challenging, calling it a "stretch goal" even for large companies like Google. He highlighted that some vulnerabilities require serial progress and long-term investment to resolve effectively. Mr. Fry added that adopting memory-safe programming languages is particularly difficult due to the limited availability of skilled developers. Additionally, industrial control system manufacturers often treat their software bill of materials as intellectual property, creating resistance to sharing this data. Dr. Mukkamala emphasized three key challenges: insufficient training for developers in software security, reliance on offshore software with varying standards, and issues with legacy software. He expressed concern about AI-generated code potentially creating new vulnerabilities that developers may struggle to address.

  • Rep. Menendez inquired about the potential consequences of the next administration failing to prioritize Secure by Design, particularly concerning critical infrastructure. Dr. Mukkamala warned of severe consequences if software vendors are not held accountable for vulnerabilities. He emphasized the resource limitations of local governments, utilities, and educational institutions, highlighting that resilience must be built into federal systems first. He also advocated for software vendor liability to ensure accountability.

    Rep. Menendez followed up by asking how Secure by Design could reduce the burden on under-resourced entities like municipalities. Dr. Mukkamala recommended continuing grants like those from CISA for local governments and educational institutions. He stressed the need for continuous diagnostics to detect vulnerabilities promptly and prevent future attacks.

  • Chairman Garbarino explored the challenges of applying Secure by Design principles to operational technology (OT) systems. Mr. Richberg explained that OT systems operate on much longer timelines than IT systems, with equipment often lasting 30 years. Adapting Secure by Design principles to OT will require different approaches due to these unique constraints and varying priorities like safety and reliability. Mr. Fry noted that while OT manufacturers are beginning to consider Secure by Design, regulations like the EU Cyber Resilience Act are accelerating progress. He urged further collaboration between the industry and policymakers. Ms. Adkins highlighted recoverability as a critical aspect of OT systems, citing the war in Ukraine as a case study for resilience in infrastructure systems.

  • Ranking Member Swalwell asked for insights on addressing legacy systems in federal agencies. Dr. Mukkamala identified fear of breaking functionality and lack of system knowledge as major obstacles. He criticized the lack of accountability for vendors providing legacy systems and called for a comprehensive cataloging of vulnerabilities. Mr. Richberg emphasized that funding is the primary barrier to replacing outdated systems, noting that many IT modernization plans are never implemented due to resource constraints.

    The Ranking Member also inquired about the implications of recent FBI warnings regarding encrypted applications. Ms. Adkins stated that secure encryption protocols are essential and advocated for industry-wide standards like RCS for messaging. She noted the need for strong interoperability across systems. Mr. Richberg agreed, emphasizing that security should be embedded by design rather than relying on consumers to manage their own security.

  • Rep. Lee asked about the importance of auditing systems and transitioning from legacy technology. Dr. Mukkamala explained that understanding existing systems is critical, as audits often reveal vulnerabilities in legacy software that expose organizations to threats. He emphasized that many entities lack resources for regular assessments, making continuous monitoring essential. Addressing vulnerabilities requires identifying coding errors and prioritizing weaknesses based on criticality, with AI playing a key role in processing data and focusing efforts. For resilience, Dr. Mukkamala stressed the importance of comprehensive data backups and redundancy, particularly for critical systems like Medicaid, to ensure recovery and continuity during incidents.

  • Rep. McIver asked how Secure by Design could address challenges faced by small municipalities and under-resourced entities. Mr. Richberg noted that Secure by Design shifts the security burden from consumers to vendors, which is crucial for under-resourced organizations. He pointed to the FDA’s progress with medical devices as an example. Mr. Fry argued for state and federal funding to help small municipalities update their systems and manage existing vulnerabilities. Dr. Mukkamala advocated for programs like E-Rate to fund cybersecurity in public schools and highlighted the importance of understanding existing vulnerabilities and regularly backing up critical data. Ms. Adkins called for better procurement processes to enable access to modern, secure systems, ultimately reducing vulnerability to ransomware.


© 2024 Nimitz Tech
