
Closing software-understanding gap is critical to national security, CISA says

In a joint report with DARPA and others, the cyber agency said that knowledge gap “exacerbates” risks posed by threat actors in U.S. critical infrastructure.

With Chinese-sponsored hackers lingering in the IT systems of various U.S. critical infrastructure networks, potentially imminent threats to the country’s national security abound. The Cybersecurity and Infrastructure Security Agency and federal partners hope to lessen that threat by closing a so-called “software understanding gap.”

In a document released Thursday with the Defense Advanced Research Projects Agency, the Office of the Under Secretary of Defense for Research and Engineering and the National Security Agency, CISA said “decisive and coordinated” government action is needed to get a more comprehensive understanding of software-controlled systems.

Those systems, CISA said, must be properly assessed to “verify functionality, safety, and security across all conditions.” 

Chris Butera, technical director at CISA, said in a statement that the current software understanding gap “exacerbates” national security risks posed by state-sponsored activity in U.S. critical infrastructure — particularly in energy, transportation, telecom, and water and wastewater systems.


“Mission owners and operators have an enormous and accelerating dependence on the software underwriting U.S. critical infrastructure,” Butera said. “With our partners, we urge the USG to close this gap before other nations and urge software manufactures [sic] to align to Secure by Design principles.” 

The report argues that U.S. security interests are undercut due to a “disparity of technical investment,” defined by CISA as an investment in software production that outpaces investment in improved software understanding. This decades-long trend in the country has made it especially vulnerable to “strategic competitors,” most notably China.

China “has achieved an elevated position through decisive national policy and sustained, multi-pronged investments in technology over the last decade to close their technology gap, enhancing not only their defensive capabilities but also their offensive capabilities to manipulate software and exploit vulnerabilities,” the report stated. 

China, CISA noted, “has a robust policy and legal regime to reduce its dependency on foreign software that comprises its supply chain.” And Russia, meanwhile, has reportedly “demanded access to software details in exchange for access to its markets.”

The report’s recognition of these issues isn’t the federal government’s first salvo in the fight against the software-understanding gap. CISA noted several ongoing federal efforts aimed at fixing the issue, including a joint National Science Foundation and Department of Energy initiative, several DARPA programs that leverage “mathematically provable methods” to support software understanding, and the cyber agency’s own secure-by-design initiative.


“We have the tools today to greatly reduce the number of software vulnerabilities that plague our software infrastructure,” Kathleen Fisher, director of DARPA’s Information Innovation Office, said in a statement. “Rapid action to implement these tools in legacy and future systems can dramatically reduce the United States’ cyber vulnerabilities ahead of future global conflicts.”

The report offered a variety of additional technical and policy solutions to build on current efforts; changes to technology procurement and broad recognition of the evolving nature of threat environments were among the suggestions.

Additional callouts were made in the report for expanded federal research and engineering investments aimed at creating “the foundations for a unified set of software understanding capabilities,” public-private partnerships to explore cost-effective solutions, brokering international partnerships, and developing talent pipelines.

“By closing the gap before other nations and obtaining a deep, scalable understanding of software-controlled systems, including AI-based systems, the United States will secure an advantage in geopolitics for the foreseeable future,” the report said, “and will help harden U.S. critical infrastructure against state-sponsored activity.” 

Written by Matt Bracken

Matt Bracken is the managing editor of FedScoop and CyberScoop, overseeing coverage of federal government technology policy and cybersecurity. Before joining Scoop News Group in 2023, Matt was a senior editor at Morning Consult, leading data-driven coverage of tech, finance, health and energy. He previously worked in various editorial roles at The Baltimore Sun and the Arizona Daily Star. You can reach him at matt.bracken@scoopnewsgroup.com.
