More Light Shines On Open Source Software’s Security Problems (Free Version)


Subscribe today for all the paywalled material on The Wavelength, a newsletter on the intersection of tech politics, policy, and law.

Here is the free preview of The Wavelength.

A committee examined the problems posed by the fact that much of the digital world is built on open source software. In the wake of the SolarWinds and Log4j incidents, the United States (U.S.) government has been grappling with how to drive better security in software development. The two cases are not the same kind of failure: Log4j (the Log4Shell vulnerability) was a flaw in a widely used open source library, while SolarWinds was a compromise of a proprietary vendor's build process. What they share is that the affected code reached victims through the software supply chain rather than through any action the victims took themselves. Open source software has many advantages, not least that developers can use it as building blocks for new software and applications. But the same ubiquity means that a single weak or tampered-with component can propagate into thousands of downstream products. U.S. policymakers therefore face a hard problem, and they have multiple efforts under way to address it.

The government responses that followed the SolarWinds and Log4j incidents are not the first to delve into open source software. Starting in 2018, the U.S. National Telecommunications and Information Administration (NTIA) convened “a multistakeholder process to develop greater transparency of software components for better security across the digital ecosystem” and explained in its first notice about the effort:

Most modern software is not written completely from scratch, but includes existing components, modules, and libraries from the open source and commercial software world. Modern development practices such as code reuse, and a dynamic IT marketplace with acquisitions and mergers, make it challenging to track the use of software components. The Internet of Things compounds this phenomenon, as new organizations, enterprises and innovators take on the role of software developer to add “smart” features or connectivity to their products. While the majority of libraries and components do not have known vulnerabilities, many do, and the sheer quantity of software means that some software products ship with vulnerable or out-of-date components. Many technical solutions to aid in this have already been developed by industry and the standards community.

The current administration has accelerated efforts to address software vulnerabilities. In May 2021, President Joe Biden signed Executive Order 14028, “Improving the Nation's Cybersecurity,” which tasked the National Institute of Standards and Technology (NIST) with directives on software supply chains, software bills of materials (SBOMs), and open source software. Indeed, in Section 4, the President stated why these policy areas are crucial:

The security of software used by the Federal Government is vital to the Federal Government's ability to perform its critical functions. The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors. There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended. The security and integrity of “critical software”—software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources)—is a particular concern. Accordingly, the Federal Government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software.

NIST detailed the tasks it has completed under EO 14028:

- NIST consulted with the National Security Agency (NSA), Office of Management and Budget (OMB), Cybersecurity & Infrastructure Security Agency (CISA), and the Director of National Intelligence (DNI) and then defined “critical software” by June 26, 2021.

- NIST published guidance outlining security measures for critical software by July 11, 2021, after consulting with CISA and OMB. By that same date, after consulting with the NSA, NIST published guidelines recommending minimum standards for vendors’ testing of their software source code.

- NIST issued preliminary guidelines by November 8, 2021, based on stakeholder input and existing documents, for enhancing software supply chain security.

- By February 6, 2022, after consulting the heads of various agencies, NIST issued additional guidance identifying practices that enhance software supply chain security, with references to standards, procedures, and criteria.

- Regarding cybersecurity labeling for consumers, by February 6, 2022, NIST identified:

  - IoT cybersecurity criteria for a consumer labeling program and

  - secure software development criteria for a consumer software labeling program.

- NIST issued additional information about its software supply chain guidance plans, including review and update procedures, by May 8, 2022.

And here are developments and articles from last month; subscribers receive these in a more timely fashion.

Other Developments

The United States (U.S.) Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, National Security Agency, Australian Cyber Security Centre, Canadian Centre for Cyber Security, New Zealand's National Cyber Security Centre, the United Kingdom's National Cyber Security Centre, and the United Kingdom's National Crime Agency issued a joint Cybersecurity Advisory (CSA) “to warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity…[that] may occur as a response to the unprecedented economic costs imposed on Russia as well as materiel support provided by the United States and U.S. allies and partners.”

The United States (U.S.) Department of Commerce announced “the appointment of 27 experts to the National Artificial Intelligence Advisory Committee (NAIAC), which will advise the President and the National AI Initiative Office on a range of issues related to artificial intelligence (AI).”

The European Data Protection Supervisor (EDPS) published its Annual Report 2021 that “highlights the EDPS’ achievements regarding European Union institutions’ (EU institutions) compliance with the data protection framework…[and] underscores the EDPS’ increasing role in advocating for the respect of privacy and data protection in EU legislation.”

Canada, Japan, South Korea, the Philippines, Singapore, Taiwan, and the United States established “a Global Cross-Border Privacy Rules Forum to promote interoperability and help bridge different regulatory approaches to data protection and privacy” and released FAQs.

United States Representative Ted Lieu (D-CA) introduced legislation, the “Warrant for Metadata Act,” “to require governmental entities to obtain a warrant before requesting that an electronic communications provider disclose a customer’s metadata, often referred to as data that describes other data.”

Virginia Governor Glenn Youngkin (R) signed SB 741 that “[a]uthorizes local law-enforcement agencies, campus police departments, and the Department of State Police (the Department) to use facial recognition technology for certain authorized uses,” which the Virginia chapter of the American Civil Liberties Union (ACLU) characterized as “a controversial bill that would lift the ban on the use of facial recognition technology without a warrant by local law enforcement agencies.”

The Joint Committee of the European Supervisory Authorities (ESAs) – EBA, EIOPA and ESMA – published “its 2021 Annual Report, providing a detailed account of its joint work completed over the past year.” The ESAs stated that “[t]he main areas of cross-sectoral focus continued to be joint risk assessment, enhancement of consumer protection, development of the regulatory and supervisory frameworks for sustainable finance and securitisation…[and] monitoring and contributing to the digital finance developments, supporting FinTech scale up through innovation hubs and sandboxes as well as cyber security completed the work programme.”

The United States (U.S.) Cybersecurity and Infrastructure Security Agency announced “the expansion of the Joint Cyber Defense Collaborative (JCDC) to include Industrial Control Systems (ICS) experts—security vendors, integrators, and distributors—to further increase U.S. government focus on the cybersecurity and resilience of industrial control systems and operational technology (ICS/OT)…[including] Bechtel, Claroty, Dragos, GE, Honeywell, Nozomi Networks, Schneider Electric, Schweitzer Engineering Laboratories, Siemens, and Xylem, as well as several JCDC Alliance partners.”

The United States (U.S.) National Telecommunications and Information Administration “is requesting comments on competition in the mobile application ecosystem.” NTIA stated that “[t]he data gathered through this process will be used to inform the Biden-Harris Administration's competition agenda, including, but not limited to, the Department of Commerce's work developing a report to submit to the Chair of the White House Competition Council regarding the mobile application ecosystem.”

United States (U.S.) Representative Tony Cárdenas (D-CA) and U.S. Senators Ben Ray Luján (D-NM), Bob Menendez (D-NJ) and Amy Klobuchar (D-MN) “led 17 of their colleagues in sending a letter urging Mark Zuckerberg, CEO of Meta, formerly Facebook, to increase platform moderation of Spanish-language disinformation on the war in Ukraine from Russian-owned media outlets.”

Further Reading

“Apple to roll out child safety feature that scans messages for nudity to UK iPhones” By Alex Hern — The Guardian

“Meta’s Sheryl Sandberg Pressured Daily Mail to Drop Bobby Kotick Reporting” By Ben Fritz, Keach Hagey, Kirsten Grind, and Emily Glazer — Wall Street Journal

“The gig workers fighting back against the algorithms” By Karen Hao and Nadine Freischlad — MIT Technology Review

“Hackers Claim to Target Russian Institutions in Barrage of Cyberattacks and Leaks” By Kate Conger and David E. Sanger — New York Times

“American Phone-Tracking Firm Demo’d Surveillance Powers by Spying on CIA and NSA” By Sam Biddle and Jack Poulson — The Intercept

“Obama says tech companies have made democracy more vulnerable” By Elizabeth Dwoskin and Eugene Scott — Washington Post

“Companies lose your data and then nothing happens” By Emily Stewart — Vox

“Locked-down, Shanghai residents skirt censorship to vent online” By Pranshu Verma — Washington Post

“As Europe Approves New Tech Laws, the U.S. Falls Further Behind” By Cecilia Kang — New York Times

“US DOJ probes Google's $5.4b Mandiant acquisition” By Jeff Burt — The Register

“Corporate Repair Initiatives Don’t Replace the Need for Right-to-Repair Laws” By Matthew Gault — Vice