Remarks of Diane Rinaldo
Deputy Assistant Secretary of Commerce for Communications and Information
OECD Global Forum on Digital Security for Prosperity
December 13, 2018
-- As Prepared for Delivery --
It’s a pleasure to be here at this inaugural Global Forum on Digital Security for Prosperity.
Our session today is focusing on “security by design.” If you’re involved in the technical aspects of securing digital systems, you might find it strange to hear policy guidance that calls for security by design.
There are many obstacles to security, but none of them will be overcome simply by saying “don’t forget to add security!”
We need to understand the obstacles to a secure marketplace, and then devise a way to overcome those obstacles. I want to share with you today work that NTIA has been doing to make progress in this area.
Let’s start with what is in the market today, and what we can do in the short run. Any vision for a more secure ecosystem can’t just rest on the actions of future designers and engineers following as-yet unspecified standards. Many risks lie in the technology we have deployed today.
Identifying and fixing vulnerabilities
We are working to lay the foundation for a longer-term, more secure vision by working with industry to set expectations, and back them up with the relevant tools. Government can play a key role in helping an organization know what to do the first time someone knocks on their door and says, “Your technology is vulnerable.”
We started with an assumption that, even with the best efforts, vulnerabilities will still exist in the complex digital systems that drive the digital economy. Luckily, there are a number of security researchers with the skills to find vulnerabilities who are willing to help us defend against them.
In 2015, NTIA convened a multistakeholder initiative on how to bring together hackers who want to help with defenses, and those who make and maintain the systems on which we all depend. I know that experts in a separate panel will explore vulnerability disclosure in greater depth, but I do want to flag some of the outcomes in this process.
Stakeholders acknowledged the importance of direct collaboration between researchers and system owners. To help an organization understand more about working with security researchers, stakeholders drafted an “early stage” template for a Vulnerability Disclosure Policy.
This template--created with the perspective of researchers, vendors and lawyers--has been used as a model and, in some cases, fully adopted by a large number of companies in a range of different sectors. If we’re assuming that vulnerabilities will exist in emerging technologies like IoT, then we need to make sure that we can fix them.
Patching is critical. It took us 20 years to understand patching in the desktop software space. We don’t have that kind of time for IoT. Given the sense of urgency, NTIA recently convened security experts and IoT vendors to discuss patching with the goal of creating a shared set of expectations across the ecosystem.
One output of this multistakeholder process was a short technical summary of what constitutes a security update, establishing a common definition and how to secure each step. Another outcome, aimed at a policy and business audience, offered advice about communicating “patchability” at time of purchase.
We think this kind of work can form the foundation of broader security baselines. Our efforts were focused on making sure that the ecosystem can continue working despite the presence of vulnerabilities.
The next step towards a more secure marketplace is better transparency. The more we know about what is in our systems, the better we will be able to make decisions about risk, and handle existing and emerging threats.
Securing the supply chain of our IT and communications world is a top priority for this Administration. At a high level, it is about avoiding certain obvious risks, and not introducing technology from suspect origins or practices into critical systems. We are also working to push transparency across the digital ecosystem to help organizations make better decisions to reduce cybersecurity risks and incidents.
This summer, we launched a new initiative on “Software Component Transparency,” convening stakeholders to develop a shared vision of what many call a “software bill of materials.” In the modern software supply chain, lack of systemic transparency prevents organizations from understanding what they are purchasing, or discovering whether they are at risk from newly discovered vulnerabilities.
In this ongoing work, stakeholders are drafting definitions, documenting use cases, and reviewing standards and formats across a range of sectors and perspectives. If we land on a common solution that spans technical communities and specific markets, we can enhance incident response and vulnerability management, and support a more informed free market choice of goods.
These approaches to transparency can start to drive much needed market change in the short term to get to a more secure marketplace.
In the longer run, we think there is a real role for standards and certification. In the recently published Botnet Report that NTIA drafted with our agency partners, we call for the establishment of “[i]nternationally applicable IoT capability baselines supporting lifecycle security for home and industrial applications founded on voluntary, industry-driven international standards.”
The report emphasizes the importance of using “industry led, inclusive processes” to drive these baselines, which should be focused on performance and properties, rather than specific technology.
Fortunately, there has been a lot of progress towards this concept from industry and governments around the world. In the U.S., a number of industries have announced security baselines addressed specifically to their industry. Around the world, we’re seeing an emerging consensus around this approach, and even on the basics of what this baseline should look like, with similar lists from:
- The UK’s Department for Digital, Culture, Media & Sport
- ENISA’s 2017 recommendations
- Japan’s National Center of Incident Readiness and Strategy for Cybersecurity
Beyond the baseline, we may need to pursue more specific security standards and a testing and certification model to validate conformance. We should acknowledge that this process adds time, cost and complexity, so it should be tailored to the risks.
Moreover, traditional certification regimes are built around static risk. Cybersecurity risks constantly evolve; things that were certified as secure yesterday may well be insecure tomorrow. We need new mechanisms of governance, and new market mechanisms to capture this evolving risk.
To sum up, “security by design” is a critical aspiration. At NTIA, we have been working with industry to leverage existing forces towards a more secure ecosystem. We’ll begin to make progress once we have identified a clear pathway toward an adaptable, sustainable, and secure technology marketplace.
I look forward to hearing from the panel about how we can work together to make this vision a reality.