What makes 'critical software' critical?
Let's get serious about cybersecurity.
That was the unvarnished message delivered by the Biden administration in May, when officials unveiled an Executive Order designed to "chart a new course to improve the nation's cybersecurity and protect federal government networks." The order wasn't the usual lip service about the importance of computer security but rather was intended as a wake-up call to industry about the need for new safeguards.
The government briefing mentioned recent high-profile attacks against important physical infrastructure and Internet security services. As the official running the briefing noted at the time, we now find ourselves under "constant, sophisticated, and malicious attack—[ranging] from nation-state adversaries to run-of-the-mill criminals."
Executive Order 14028 is more than 8,000 words in length and runs the gamut from requiring threat and incident information to be shared among competitors to mandating implementation of zero trust architectures across all government agencies.
One of the most talked-about components of the order involves a mandate to "enhance the security of the software supply chain," which includes developing plans to lock down what the order calls critical software. The catch: At the time of the order's release, no one really knew what critical software was, much less how to protect it.
What is critical software, anyway?
The Executive Order did spell out a strategy to get to that definition, however, giving the secretary of commerce 45 days to formally define critical software. In June, the National Institute of Standards and Technology (NIST) released a formal definition, another 3,300 words of dense material that lays out some new ground rules.
As part of that, NIST defines critical software as any software that has any one of the following characteristics (or has dependencies upon any device with one of these characteristics):
Is designed to run with elevated privilege or manage privileges;
Has direct or privileged access to networking or computing resources;
Is designed to control access to data or operational technology;
Performs a function critical to trust; or
Operates outside of normal trust boundaries with privileged access.
Drilling down further, NIST details a variety of specific categories of software that the definition applies to, including identity and access management systems, operating systems (real or virtual), web browsers, security software, various network and operations management systems, remote access tools, and backup utilities. The list is so exhaustive, observers say it would be hard to imagine a piece of software today that is not "critical" under the definition.
In any event, the next deadline is in November, when guidelines on how to specifically enhance these critical software tools are set to be published. Pilot security programs developed under the guidelines are expected to be implemented in February 2022.
Preparing for doomsday
Until that time, technology providers are preparing themselves for what is certain to be a mad scramble to secure systems that are sold to and used by government agencies. How complex will it be to turn critical software into software that operates safely?
"This whole idea of criticality is that, whether it's hardware or software or data, it's required to be able to recover from a malware attack," says Tom Laffey, a distinguished technologist at Aruba, a Hewlett Packard Enterprise company, and noted expert in the development of secure computing systems.
Laffey lays out a simplified scenario as an example: Imagine a device with boot firmware, like a PC. Under a critical software scenario, that firmware would include routines that continually authenticate the firmware, and should something turn out to be amiss due to a hacking attempt or other type of corruption, it can initiate a recovery operation—preferably automatically—that reverts the firmware to a known good version. "There will be some mechanism that basically says, 'I know that whatever I was normally going to boot is not trusted any longer, so I'm going to get a new load,'" Laffey explains.
"The intention of the people who wrote this is to make it automated," he says. That's a key point when you're talking about the thousands or millions of systems that can comprise key infrastructure networks. If each of those component systems becomes infected, remediation can quickly become a nightmare. That was the case in 2007, when the nation of Estonia, including everything from its banking services to broadcasting capabilities, was brought to a standstill during weeks of what appeared to be state-sponsored attacks, brought on by a local political decision involving the relocation of a statue. If such critical systems can be redesigned to revert to a trusted state without human intervention after an exploit is detected, even massive attacks like that in Estonia could theoretically be staved off with relative ease.
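The verify-then-recover boot flow Laffey describes, and the automation he stresses, can be sketched in a few lines. This is an added example, not code from the article or from any vendor; the slot names, the sample images, and the digest allow-list held in write-protected storage are assumptions made for illustration.

```python
import hashlib

# Constructed sample images; a real device would read these from flash.
RELEASE = b"vendor firmware 2.1 (constructed sample)"
GOLDEN = b"vendor firmware 2.0 recovery copy (constructed sample)"


def sha256_hex(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


# Assumption: approved digests sit in write-protected storage that code
# running on the device cannot change. A production design would verify a
# vendor signature over this manifest rather than trust a bare list.
APPROVED = frozenset({sha256_hex(RELEASE), sha256_hex(GOLDEN)})


def is_trusted(image: bytes, approved=APPROVED) -> bool:
    return sha256_hex(image) in approved


def select_boot_image(flash: dict, approved=APPROVED):
    """Verify the active slot; if it fails, restore it from the golden slot.

    Returns (image_to_boot, events). Raises if no trusted image exists,
    because booting unverified code would defeat the check.
    """
    events = []
    if is_trusted(flash["active"], approved):
        events.append("active: verified")
        return flash["active"], events
    events.append("active: verification failed")
    if not is_trusted(flash["golden"], approved):
        events.append("golden: verification failed")
        raise RuntimeError("no trusted firmware image; refusing to boot")
    flash["active"] = flash["golden"]  # automatic recovery, no operator
    events.append("active: restored from golden")
    return flash["active"], events


if __name__ == "__main__":
    # Constructed scenario: the active slot has been altered by one byte.
    flash = {"active": RELEASE[:-1] + b"!", "golden": GOLDEN}
    image, log = select_boot_image(flash)
    print(log, image == GOLDEN)
```

The events list is what a fleet operator would collect centrally: a device that reports a restore from the golden slot has recovered on its own but still needs investigation.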
The road to secure computing
But putting that into practice won't be easy, which is why the mandate to protect critical systems is being pushed from government agencies to the providers of the software and services they use.
"The idea isn't that the enterprises lock the software down," says Dan Desko, CEO of Echelon Cyber, a cybersecurity risk advisory. "It is more about holding the software providers accountable for producing products that are error free and that their code base is adequately protected from breach and implants." In other words, force software and hardware developers to design protections into their products, and the end user has a lot less to worry about.
Laffey says an ecosystem for protecting critical software has been developing for years, but most perceive it as remaining mired in the research stage, perhaps because of the lack of any real mandate to bring the concept into production. That changes with the Executive Order. "I think across the industry we now see more people understanding what this is for and why people want it," he says, pointing to the availability of technologies that can now authenticate a variety of hardware, software, and firmware devices.
Bringing critical system security to the masses
While the Executive Order covers only government systems, it probably won't be long before the mandate trickles down to enterprises. Corporate America uses the same cloud computing services, telco networks, and computer operating systems that the government does, so whether they demand it or not, businesses that have no connection to government at all are likely to implement such security technologies in the near future as well.
"If security can enable the generation of more business or can improve businesses, then it should be introduced," says Uri Bar-El, head of the cybersecurity practice at Qualitest, a software assurance and testing company. As such, it likely makes sense for all hardware and software developers to begin taking steps to implement trusted computing technologies into their products, whether they are perceived as critical or not. Eventually, such security routines may become a minimum business requirement for tech companies that market to government, businesses, or consumers.
In addition to technology infrastructure providers like telcos and broadband services, financial services, healthcare, and utility organizations will likely be among the first to roll out these security tools, since disruption of their services can have a devastating human impact.
And Microsoft is already getting in on the game, confirming reports that Windows 11, which arrives in October, will include Secure Boot routines that will not be bypassable. That will likely mean outlays for new hardware in many corners, as the new operating system will run only on recent model processors, released after 2017.
But at the consumer level, protecting PCs is just the first step, warns Laffey. "You've got home routers, smart TVs, and cameras that are used for security—things that have been compromised in the past," he notes. "This type of protection has to go into those kinds of devices as well. And that could take a while."
"...the federal government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software."