The US government has passed a Bill that would forbid the Department of Defense (DoD) from procuring any software applications that contained a single security vulnerability.
It marks the first step in codifying the government’s approach to procuring secure-by-design software at the federal level and represents the next development in the Biden administration’s push for a more cyber-secure nation.
The US heightened its focus on cyber security last year after falling to attacks such as the Colonial Pipeline hack and the SolarWinds Orion breach the year before that, the latter of which impacted the US Treasury and Commerce.
At the time, the Russia-linked SolarWinds incident was described as the most ‘sophisticated attack in history’ and thrust the security of the software supply chain into the forefront of the government’s attention.
Section 6722 (e) of the H.R.7900 - National Defense Authorization Act for Fiscal Year 2023, which passed the House of Representatives on 28 July, stipulates that each item listed on a submitted software bill of materials (SBOM) must be free “from all known vulnerabilities or defects affecting the security of the end product or service”.
This includes any vulnerability currently identified and logged by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), and any database created with the help of CISA that tracks vulnerabilities in open source or third-party software.
However, it also states that software can be procured, provided that the vendor clearly enumerates and provides mitigation plans for all known vulnerabilities.
This concession widens the possible pool of software that is available to the DoD and explains why companies like Microsoft, of which the DoD is a major customer, can be working on a backlog of vulnerabilities that’s longer than six months in some cases - a possibility alleged by a former Microsoft-employed security expert.
The new approach to minimise the number of software vulnerabilities in newly procured DoD software will likely go hand-in-hand with the US’ application of a zero trust approach to cyber security at the federal level, per President Biden’s Executive Order 14028.
In it, the wording suggested that a device can be compromised but the resulting damage can be “contained” provided a zero trust approach is used.
The first-time codification of the approach was met with support from experts. Most who spoke to IT Pro said the premise of the Bill is strong and should help to strengthen the software supply chain, and that this clear approach is what’s needed.
“The model of getting certified that software is initially clear of defects, and that any future issues will be notified and fixed or mitigated, should be an obvious best practice,” said Paul Baird, chief technical security officer at Qualys to IT Pro.
“But putting everything in black and white makes it clear what is required. Every company should follow this model in future as SBOM become more popular.”
"This is extremely important, given the enormous attack surface represented by the US government and the increasing threat from nation-state and criminal hacking groups," added Casey Ellis, chairman, founder, and CTO at Bugcrowd.
There were others, however, who questioned the idea that software can be shipped entirely free of vulnerabilities, citing the number of external components that are often a source of security threats.
The trusted data centre and storage infrastructure
Invest in infrastructure modernisation to drive improved outcomes
Removing third-party dependencies and public libraries may also lead to a slower pace of development for software, said Chris Gould, chief consulting officer at cyber security firm Reliance acsn, speaking to IT Pro.
Gould also raised the argument that many of the threat actors that present a serious threat to the US national defences are likely to be nation-state hackers that use zero-day exploits rather than common vulnerabilities in their attacks.
However, recent attacks on the US government by state-sponsored hackers have shown that common vulnerabilities can still be used successfully in attacks on government networks.
China-linked APT41 hackers breached at least six US government networks in March by abusing the Log4Shell vulnerability in the Java logger log4j, as well as other exploits.
The incident shows how third-party dependencies must also be screened for flaws that could potentially lead to the theft of highly sensitive documents and data.
The Bill has been passed by the House of Representatives but needs to be approved by the Senate and the President before it can become law.
