Remarks of David J. Redl
Assistant Secretary of Commerce for Communications and Information
Meeting of a Multistakeholder Process on Software Component Transparency
July 19, 2018
Thank you to those of you here in the room and on the phone for joining us today. The turnout and the responses we’ve received from stakeholders so far are certainly an encouraging sign on the potential of this process.
As most of you know, NTIA is the executive branch agency within the Commerce Department that is principally responsible for advising the president on telecommunications and information policy issues. Our main areas of focus include domestic and international Internet policy, expanding broadband access and the use of spectrum, and cutting-edge communications research. NTIA also has promoted the use of the multistakeholder model to help address a range of policy issues.
Today’s multistakeholder meeting begins a conversation to discuss software component transparency. This is the third cybersecurity-focused multistakeholder engagement convened by NTIA. Our prior initiatives dealt with coordinated vulnerability disclosure and the security updateability of IoT devices. Those issues, and the topic we will tackle today, have a few common themes.
First, they acknowledge that our digital systems will never be perfect. There are countless efforts across the government and the private sector to improve security, but for the foreseeable future, some vulnerabilities will continue to exist. NTIA’s work has focused on increasing our resilience in the face of a constantly evolving risk environment.
Second, we’ve tried to be timely, and take on issues where building quick expert-level consensus on a rapidly emerging risk can make a significant difference. Our multistakeholder processes are designed to be agile and enable a community to more quickly find common ground. Compared with typical regulatory or legislative solutions, the multistakeholder model can more nimbly address emerging technological issues.
Third, we know that not every participant will agree with one another, but avoiding contentious issues will not lead to progress. The power of the multistakeholder proceeding is the expressing of differing perspectives, which ultimately helps identify areas of overlapping interest. And that is where the sweet spot of consensus begins to emerge.
These processes can appear restless, or even fractured, but as we listen to one another – which I know you will all do – we will begin to understand one another. Once we find the common good that rises above the various proprietary interests, we will begin to make progress. Our room here at the AIA is particularly well suited to this purpose because it encourages conversation. And for those participating remotely, we’re going to work very hard to make sure your voice can be heard.
We are very lucky to have a number of different sectors represented here today: software vendors, telecom providers, health care, finance, auto, medical device manufacturers, information security experts, and civil society. This diversity can add complexity, but in this age of connectivity it is only through this type of collaboration and cross-sector partnership that effective, harmonized solutions will emerge. There is real power in understanding the common challenges we face.
The idea we’re taking on – software component transparency – is not new; it’s one that has taken a number of different forms in different industries. Tracking what third-party code is used in software products is a well-understood best practice—although one that not every vendor follows. Many of you are here to talk about the potential benefits of sharing this data, or want to explore how to ask for it. Some of you want to highlight the potential costs or complexities of transparency. Others are already on the way to doing it, and are interested in exploring what existing standards, formats, and practices we can use.
Today, we would like to hear your perspectives on the potential – and the challenges – of software component transparency. Let’s begin the conversation with the potential: What problem can we solve? How can this improve security? From there, we can pivot to potential pitfalls and then identify the real challenges in generating this data, securely sharing it, and effectively using it.
As I’ve said, these processes are designed to be flexible. You will do the molding. You will define the scope of this process around what meets your needs. We at NTIA are here to help guide the process. Hopefully, over the coming months, we can help you achieve some consensus around some aspects of software component transparency. You should also think of the outcome of this process not as an end, but a beginning, as other organizations build on your work and integrate it into other efforts.
The goal is to catalyze change.
For today’s meeting, we’re looking for you to identify goals and create internal structures that will make this process more manageable, such as drafting committees or working groups. The goals and organization can evolve over time, but this will be a useful starting point. The group will also need to identify the location and frequency of future meetings. We have a potential schedule that we can share, but this will be up to you.
Our ultimate objective is to drive the creation of industry-led, market-based cybersecurity solutions that foster a trustworthy and resilient ecosystem. That’s something that I think we can all agree on. Identifying what to do, and finding consensus on how to do it—that’s the hard part. We feel these conversations function best when the right experts are in the room willing to work towards solutions that reflect the needs of the broader community, so I already think we’re on the right track.
I know there is much to talk about, so I’ll stop here and let you get to work. Thank you.