The Network Resilience Coalition (NRC) issued recommendations intended to improve network security infrastructure by reducing vulnerabilities created by outdated and misconfigured software and hardware. NRC members, along with top U.S. government cybersecurity leaders, outlined the recommendations at an event in Washington, DC.
Established in July 2023 by the Center for Cybersecurity Policy and Law, the NRC seeks to align network operators and IT vendors to improve the cyber resilience of their products. The NRC white paper includes recommendations to address secure software development and lifecycle management and embraces the development of secure-by-design and secure-out-of-the-box products to improve software supply chain security.
NRC members include AT&T, Broadcom, BT Group, Cisco, Fortinet, Intel, Juniper Networks, Lumen Technologies, Palo Alto Networks, Verizon and VMware.
The group calls on all IT vendors to heed government warnings that threat actors nationwide have stepped up their efforts to attack critical infrastructure by exploiting hardware and software vulnerabilities that are not adequately protected, repaired or maintained.
Their recommendations are consistent with those of the Biden administration's Executive Order 14208, which calls for modernized cybersecurity standards, including improved software supply chain security. They also align with the Cybersecurity and Infrastructure Security Agency's (CISA) Secure by Design and Default guidance and the administration's cybersecurity law enacted last year.
Eric Goldstein, CISA’s deputy executive director for cybersecurity, described the group’s formation and release of the whitepaper six months later as a surprising but welcome development. “Frankly, the idea even a few years ago of network providers, technology providers, [and] device manufacturers coming together and saying we need to do more collectively to advance the cybersecurity of the product ecosystem would have been a foreign concept,” Goldstein said during the NRC event. “It would have been anathema.”
Embracing NIST's SSDF and OASIS' OpenEoX
The NRC encourages vendors to map their software development methodologies to NIST's Secure Software Development Framework (SSDF) and to specify how long they will support each product and release patches for it. Additionally, vendors should release security patches separately rather than bundling them with feature updates. At the same time, customers should give weight to vendors who have committed to releasing critical patches separately and complying with the SSDF.
Additionally, the NRC recommends that vendors support OpenEoX, an effort launched in September 2023 by OASIS to standardize how suppliers identify risks and communicate end-of-life details in a machine-readable format for every product they release.
Governments around the world are trying to determine how to make their overall economies more stable, resilient and secure, said Matt Fussa, Cisco’s chief trust officer. “All companies, I believe, work closely with CISA and the U.S. government as a whole to promote best practices such as producing invoices and software materials, engaging in and implementing secure software development practices,” Fussa said during this week’s NRC press event.
Initiatives to increase software transparency, create safer building environments and support software development processes will result in greater security that goes beyond just critical infrastructure, Fussa added. “There will be a spillover effect outside of government as these things become norms in the industry,” she said.
During a media Q&A held immediately after the briefing, Cisco's Fussa acknowledged that vendors have been slow to comply with executive orders for issuing SBOMs or self-certifying open source and third-party components in their offerings. "One of the things that surprised us was that once we were ready to produce them, it wasn't really crickets, but it was a lower volume than we would have expected," she said. "I think over time, as people get comfortable with how to use them, we'll see it increase and eventually become common."
Immediate action is recommended
Fussa urges stakeholders to immediately begin adopting the practices outlined in the new report. "I encourage all of you to think about doing this with urgency, implementing SSDF with urgency, building and delivering SBOMs to your customers with a sense of urgency, and frankly, promoting security with a sense of urgency, because threat actors aren't waiting; they are actively seeking new opportunities to exploit against all of our networks."
As an industry consortium, the NRC can only incentivize its members to follow its recommendations. But since the white paper is in line with the Executive Order and the National Cybersecurity Strategy released by the White House last year, Fussa believes adhering to it will prepare marketers for the inevitable. "I will make a prediction that many of the suggestions you see in this document will be legal requirements, both in Europe and in the United States," she added.
Jordan LaRose, global practice director for infrastructure security at NCC Group, says having ONCD and CISA behind the consortium effort is noteworthy support. But after reading the document, he didn't believe it offered information that wasn't already available.
"This white paper isn't very detailed," says LaRose. "It doesn't paint a whole picture. It references the NIST SSDF, but I imagine the question most people will ask is: do they need to read this white paper when they could just go and read the NIST SSDF?"
However, LaRose points out that the paper highlights the need for stakeholders to grapple with the potential requirements and liabilities they face if they do not develop secure-by-design processes and implement the recommended end-of-life models.
Carl Windsor, senior vice president of technology and product solutions at Fortinet, said any effort to build security into products from day one is critical. Windsor said he was particularly encouraged that the report included SSDF and other work from NIST and CISA. “If we build our products from day one, aligning them with NIST standards, we will be 90 to 95 percent of the way there with all the other standards that are emerging around the world,” he said.