
TAG Cyber Law Journal

January 2019
A cybersecurity report from the outgoing leadership will surprise those who expected a bloated tome that was outdated on delivery.
By David Hechler
IN EARLY DECEMBER, just weeks before the House was set to come under Democratic control, the outgoing Republican majority that ran the House Energy and Commerce Committee released its long-awaited Cybersecurity Strategy Report. The staff had spent five years researching and writing it, and there were numerous references to old cyberattacks, beginning with the Target breach in 2013.
So naturally it was a bloated partisan diatribe that was hundreds of pages long and woefully outdated from the moment it was released, right?
If that’s what you feared, the surprises were all pleasant. It was none of those things. There was no partisan slant. Politics never entered into the report. The staff barely mentioned the subject of legislation.
The final product was only 23 pages long, including the table of contents. There were no pages devoted to throwing, or receiving, bouquets. In fact, no committee members or staff were even named. It was all substance and no fluff.
The credit goes to the Oversight and Investigations Subcommittee staff, which did an enormous amount of work. Its conclusions were drawn from dozens of briefings, hearings, roundtables, white papers and letters.
The final report focused on the big picture. There was nothing shocking, nor did it lay out hugely ambitious (and unattainable) solutions. Instead it delivered a solid and realistic analysis of where we are and what challenges lie ahead.
But it didn’t stop there. It included a list of “priorities” that the country needs to focus on to strengthen the state of cybersecurity. And the subcommittee did more than simply identify the work that needs to be done; it attempted to implement the policies it advocated.
All told, it was both upbeat and grounded in reality—a difficult combination in this field. And it presented the equivalent of New Year’s resolutions that were already in progress.

The Subcommittee’s Priorities
These are the six related priorities that the subcommittee established:
1. The widespread adoption of coordinated disclosure programs.
2. The implementation of software bills of materials across connected technologies.
3. The support and stability of the open-source software ecosystem.
4. The health of the common vulnerabilities and exposures (CVE) program.
5. The implementation of supported lifetimes strategies for technologies.
6. The strengthening of the public-private partnership model.

The subcommittee’s work on the first item, coordinated disclosure, was prompted by cyberattacks on medical devices and automobiles that endangered lives. In 2015, the staff arranged a roundtable discussion with representatives from the private sector. This led to a conversation in 2016 on how to improve coordinated disclosure practices and a second roundtable the following year. Then, in January 2018, the committee joined the conversations about Spectre and Meltdown, vulnerabilities in computer processors that allowed malware to steal sensitive information.
The central challenge in this area was the tension between disclosing vulnerabilities to the public quickly and allowing the time required to test and release patches that fix them. There was also discussion about the importance of using and coordinating terminology precisely in public communications. In a white paper published in October, the committee recommended that Congress clarify and codify the procedures that organizations can and should follow.
The WannaCry malware attack in 2017 exposed another vulnerability. You can only patch flaws you’re aware of. And the health care industry was particularly hard-hit by WannaCry because medical technologies are often a “black box.”
The solution, proposed by a health care task force, was for medical device manufacturers to include a “software bill of materials” along with their products so that organizations could anticipate and respond to threats and vulnerabilities. The subcommittee convened a roundtable in 2017, and then encouraged the U.S. Department of Health and Human Services to play a leading role, which it has done.
Another critical vulnerability that the committee focused on was open-source software (OSS). More and more organizations have come to depend on open source—so much so, the committee argued, that it could be said that “software is no longer written, but assembled.” The problem is that though OSS is shared widely, responsibility for its security is not.
In a letter to the Linux Foundation, which leads an organization that works for the health and stability of the software, the committee suggested that “the sustainability and stability of the OSS ecosystem is essential to the sustainability and stability of organizations’ cybersecurity generally.”
In response, the Linux Foundation agreed, adding that “it is the collective responsibility—and imperative—for business, industry, academic and technology leaders to work together to ensure that OSS is written, maintained and deployed as securely as possible.”
Another building block of the cybersecurity infrastructure is the common vulnerabilities and exposures (CVE) program. A big part of it is the standardized naming scheme for cybersecurity vulnerabilities. But given the explosion of cybersecurity incidents in the past few years, it’s been hard to catalogue them all.
In 2016, reports revealed that the Department of Homeland Security and the nonprofit security contractor MITRE, which together have overseen CVE, had not been able to keep up. Consequently, the common cybersecurity language the industry depended on was falling behind.
The committee recommended that DHS “transition the CVE program to a dedicated Program, Project, or Activity funding model, and that DHS and Mitre should perform biennial reviews of the CVE program to ensure its effectiveness and stability.”
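The software bill of materials and CVE priorities above are two halves of the same workflow: an organization can only act on a published advisory if it knows which of its devices contain the named component. The following is an added example written for this article, not code from the committee report or from any of the organizations it names; the device inventory, component versions and advisory identifiers are constructed placeholders, and the "no SBOM" device illustrates the "black box" problem the report describes.

```python
"""Matching a software bill of materials (SBOM) against vulnerability advisories.

Added example, not part of the committee report. The device inventory,
component lists and advisory identifiers below are constructed placeholders.
"""
from dataclasses import dataclass, field


def parse_version(text: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Component:
    name: str
    version: str


@dataclass
class Device:
    name: str
    # An empty list means the vendor shipped no SBOM: the device is a "black box".
    components: list = field(default_factory=list)


@dataclass
class Advisory:
    advisory_id: str   # placeholder IDs, not real CVE entries
    component: str
    fixed_in: str      # first version that carries the fix


# Constructed inventory: hypothetical medical devices with (or without) their SBOMs.
DEVICES = [
    Device("infusion-pump-A", [Component("openssl", "1.0.2"), Component("busybox", "1.28.0")]),
    Device("imaging-station-B", [Component("openssl", "1.1.1"), Component("zlib", "1.2.8")]),
    Device("monitor-C", [Component("busybox", "1.30.1"), Component("zlib", "1.2.11")]),
    Device("legacy-pump-D"),  # no SBOM supplied by the manufacturer
]

# Constructed advisories with placeholder identifiers.
ADVISORIES = [
    Advisory("CVE-0000-0001", "openssl", "1.1.0"),
    Advisory("CVE-0000-0002", "zlib", "1.2.9"),
]


def is_affected(component: Component, advisory: Advisory) -> bool:
    """A component is affected if it is the named one and predates the fixed version."""
    return (component.name == advisory.component
            and parse_version(component.version) < parse_version(advisory.fixed_in))


def affected_devices(devices, advisories) -> dict:
    """Map each advisory ID to the sorted names of devices whose SBOM lists a vulnerable version."""
    hits = {}
    for adv in advisories:
        names = sorted(d.name for d in devices if any(is_affected(c, adv) for c in d.components))
        if names:
            hits[adv.advisory_id] = names
    return hits


def without_sbom(devices) -> list:
    """Devices that cannot be assessed at all because no bill of materials exists for them."""
    return sorted(d.name for d in devices if not d.components)


if __name__ == "__main__":
    for adv_id, names in affected_devices(DEVICES, ADVISORIES).items():
        print(adv_id, "->", ", ".join(names))
    print("unassessable (no SBOM):", ", ".join(without_sbom(DEVICES)))
```

The version comparison deliberately converts each dotted version to a tuple of integers; comparing the raw strings would rank "1.2.10" below "1.2.9" and silently miss an affected device. Devices that ship without an SBOM never appear in the affected list, which is exactly the blind spot the WannaCry episode exposed, so they are reported separately rather than treated as clean.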
The final priority that involved software focused on the limited lifetime of this technology. Flaws and vulnerabilities mount and, as tech companies push out new products, they stop supporting the old ones. Companies can be left in the lurch.
The committee had ideas. It wondered: “Should organizations move to a technology-leasing model, rather than a purchasing model, so that manufacturers may swap old, vulnerable technologies with new, more secure ones with greater ease?” In conclusion, the committee noted that these questions “require careful but prompt consideration.”

Learning to Cooperate
The first five priorities led inexorably to the last. “A common thread running through each,” the subcommittee wrote, “is that all require collaboration between diverse and at times competing stakeholders whose technologies and networks are all inextricably linked.”
Like it or not, cybersecurity depends on cooperation, the committee asserted. Given the nature of the internet, there’s no way around it.
“Today, diplomatic and military secrets transit the same networks as social media posts and viral videos,” they wrote. “Exacerbating the situation further, many of these connected critical infrastructure components are owned and operated by the private sector, which makes public-private partnership in cybersecurity more than just a catchphrase, but essential; without it, many cybersecurity strategies fail altogether.”
Not everyone will agree that these six are the most important priorities to guide the country. But the committee has made a pretty good case for its choices—especially the last.
It’s time the public and private sectors learned to work together. Maybe they need to seal the deal with a New Year’s resolution.