Presidential Advisors Recommend Agencies Invest in Software Assurance Automation
Government entities should research artificial intelligence and machine learning to detect software security vulnerabilities, according to key representatives of the information and communications technology industry.
“The government should invest in research and development (R&D) in the field of software assurance to keep pace with advances in computer architectures,” reads a draft report to be voted on Tuesday by the President’s National Security Telecommunications Advisory Committee (NSTAC). The meeting will include National Cyber Director Chris Inglis, Cybersecurity and Infrastructure Security Agency Director Jen Easterly and National Security Council cybersecurity policy chief Jeffrey Greene.
The draft report was prepared by a subcommittee that NSTAC formed on software security in May and which is made up primarily of representatives from major software and network companies and government contractors. The report incorporates contributions from subject matter experts from other companies, including IT management firm SolarWinds, where a successful attack late last year rocked the national debate on cybersecurity policy.
The report covers a lot of familiar ground, with language echoing a May executive order that was largely a response to the SolarWinds attack. It speaks in high-level terms about procurement officials encouraging suppliers to follow security best practices and preferring those who do. But it also recommends using flexible standards and creating another public-private group to explore incentives for developers to adopt appropriate security practices.
“The president should establish a task force to define a public-private initiative focused on key areas of software assurance and the software supply chain,” the report said. “Like the previous public-private effort on the [National Institute of Standards and Technology] Cybersecurity Framework (CSF), such an initiative can address the fundamental misalignment of incentives, the diversity of assurance approaches and the complexity of the software supply chain. An effort of this nature can translate the urgent need for action into a workable framework.”
The report also calls on an industry group from the Department of Homeland Security, which includes representatives from many of the same companies, to participate in the agency’s enforcement of guidelines tailored to particular industries under the executive order.
“Collaboration between government and the private sector will be important to scale up progress,” the draft report reads. “For example, DHS’s existing ICT Supply Chain Risk Management (SCRM) working group brings together security expertise from the information technology (IT) and communications sectors, as well as government agencies, providing a means to respond to any new sector-specific implementation guidelines for EO 14028.”
On the research and development front, the report specifically mentions an effort by the Defense Advanced Research Projects Agency.
“Manual software vulnerability compliance checks are inefficient, error-prone and non-scalable,” the subcommittee wrote. “By contrast, automated tools examine more security measures using less resource-intensive processes, with more consistent results, and ultimately at scale. Big code analysis processes, such as those under review by the Defense Advanced Research Projects Agency (DARPA), could result in automated tools that not only assess software assurance but also use capabilities such as probabilistic modeling to quantify the degree of confidence in the assessment.”
The full report also calls on the government to focus on identifying and supporting the security of open source libraries of code most often used in the creation of “critical software,” as defined by NIST in the executive order.