The Network Resilience Coalition issued recommendations intended to improve network security infrastructure by reducing vulnerabilities created by outdated and improperly configured software and hardware. NRC members, joined by top US government cybersecurity leaders, outlined the recommendations at an event in Washington, DC.
Established in July 2023 by the Center for Cybersecurity Policy and Law, the NRC seeks to align network operators and IT vendors to improve the cyber resilience of their products. The NRC’s whitepaper includes recommendations for secure software development and lifecycle management, and embraces secure-by-design and secure-by-default product development as a way of improving software supply chain security.
NRC's members include AT&T, Broadcom, BT Group, Cisco, Fortinet, Intel, Juniper Networks, Lumen Technologies, Palo Alto Networks, Verizon, and VMware.
The group is calling on all IT vendors to heed government warnings that nation-state threat actors have stepped up their efforts to attack critical infrastructure by exploiting hardware and software vulnerabilities not adequately secured, patched, or maintained.
Their recommendations are consistent with the Biden Administration’s Executive Order 14208, calling for modernized cybersecurity standards, including improved software supply chain security. They also map to the Cybersecurity and Infrastructure Security Agency’s (CISA) Security-by-Design and Default guidance and to the administration’s Cyber Security Act issued last year.
CISA executive assistant director for cybersecurity Eric Goldstein described the formation of the group and the release of the whitepaper six months later as a surprising but welcome development. “Frankly, the idea even a few years ago of networking providers, technology providers, [and] device manufacturers coming together and saying we need to do more collectively to advance the cybersecurity of the product ecosystem would have been a foreign concept,” Goldstein said during the NRC event. “It would have been anathema.”
Embracing NIST’s SSDF and OASIS Open EoX
The NRC is calling on vendors to map their software development methodologies to NIST’s Secure Software Development Framework (SSDF), and to state how long they will support each product and release patches for it. Vendors should also release security patches separately rather than bundling them with feature updates. At the same time, customers should give weight to vendors that have committed to issuing critical patches separately and that conform to the SSDF.
Further, the NRC recommends that vendors support OpenEoX, an effort launched in September 2023 by OASIS to standardize how providers identify risk and communicate end-of-life details in a machine-readable format for every product they release.
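The value of a machine-readable end-of-life feed is that operators can check it against their own asset inventory automatically instead of reading vendor bulletins by hand. The script below is an added example, not code from the NRC, OASIS or any vendor named in the article: it uses a hypothetical record layout (not the actual OpenEoX schema) with constructed vendor, product and date values, and flags deployed products that are unsupported, about to lose support, missing from the feed, or sold by a vendor that never declared a support window at all.

```python
"""Check a deployed asset inventory against a machine-readable lifecycle feed.

Added example. The record layout used here is a hypothetical stand-in and is
NOT the OpenEoX schema; vendor names, products, hosts and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple
import json

# Constructed lifecycle feed in a hypothetical layout (not OpenEoX).
# A null end_of_security_support means the vendor has not declared a window.
LIFECYCLE_FEED = json.dumps([
    {"vendor": "ExampleCo", "product": "edge-router-os", "version": "4.x",
     "end_of_security_support": "2024-03-31"},
    {"vendor": "ExampleCo", "product": "edge-router-os", "version": "5.x",
     "end_of_security_support": "2026-12-31"},
    {"vendor": "OtherCo", "product": "fw-appliance", "version": "2.x",
     "end_of_security_support": None},
])

# Constructed asset inventory: what is actually deployed on the network.
INVENTORY = [
    {"host": "rtr-01", "vendor": "ExampleCo", "product": "edge-router-os", "version": "4.x"},
    {"host": "rtr-02", "vendor": "ExampleCo", "product": "edge-router-os", "version": "5.x"},
    {"host": "fw-01", "vendor": "OtherCo", "product": "fw-appliance", "version": "2.x"},
    {"host": "sw-01", "vendor": "ThirdCo", "product": "switch-os", "version": "1.x"},
]

Key = Tuple[str, str, str]  # (vendor, product, version)


@dataclass
class Finding:
    host: str
    status: str  # "unsupported", "expiring", "supported", "undeclared" or "unknown"
    days_left: Optional[int]


def load_feed(raw: str) -> Dict[Key, Optional[date]]:
    """Index lifecycle records by (vendor, product, version).

    A record with no declared end-of-support date is kept, mapped to None,
    so that an undeclared window can be reported separately from a product
    that is simply absent from the feed.
    """
    index: Dict[Key, Optional[date]] = {}
    for rec in json.loads(raw):
        key = (rec["vendor"], rec["product"], rec["version"])
        eos = rec.get("end_of_security_support")
        index[key] = date.fromisoformat(eos) if eos else None
    return index


def assess(inventory, feed_index: Dict[Key, Optional[date]],
           today: date, warn_days: int = 180) -> List[Finding]:
    """Classify every deployed asset by its remaining security-support window."""
    findings: List[Finding] = []
    for asset in inventory:
        key = (asset["vendor"], asset["product"], asset["version"])
        if key not in feed_index:
            # No lifecycle data published for this product at all.
            findings.append(Finding(asset["host"], "unknown", None))
            continue
        eos = feed_index[key]
        if eos is None:
            # Vendor publishes a record but has not committed to a support window.
            findings.append(Finding(asset["host"], "undeclared", None))
            continue
        days_left = (eos - today).days
        if days_left < 0:
            status = "unsupported"
        elif days_left <= warn_days:
            status = "expiring"
        else:
            status = "supported"
        findings.append(Finding(asset["host"], status, days_left))
    return findings


if __name__ == "__main__":
    for finding in assess(INVENTORY, load_feed(LIFECYCLE_FEED), date(2024, 1, 15)):
        print(finding)
```

Run against the constructed data with 15 January 2024 as "today", the 4.x router is reported as expiring with 76 days left, the 5.x router as supported, the firewall as undeclared, and the switch as unknown; the last two categories are the ones the NRC's recommendation on vendor-stated support windows is meant to eliminate.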
Governments worldwide are trying to determine how to make their overall economies more stable, resilient, and secure, said Cisco chief trust officer Matt Fussa. “All companies, I think, are closely partnered with CISA and the US government as a whole to drive best practices like producing software bills of materials, engaging in and deploying secure software development practices,” Fussa said during this week’s NRC press event.
Initiatives to boost transparency in software, establish more secure build environments, and shore up software development processes will result in improved security beyond just critical infrastructure, Fussa added. “There will be a spillover effect outside the government as those things become norms in the industry,” he said.
During a media Q&A held immediately following the briefing, Cisco’s Fussa acknowledged that vendors have been slow to comply with the executive orders for issuing SBOMs or self-attestation of the open-source and third-party components in their offerings. “One of the things we were surprised by was that once we were ready to produce them — it wasn't quite crickets, but it was lower volume than we might have expected,” he said. “I think over time, as people were comfortable with how to use them, we'll see that pick up and eventually be common.”
Immediate Action Recommended
Fussa is urging stakeholders to start adopting practices outlined in the new report immediately. “I’d encourage you all to think about doing this with urgency, deploying SSDF with urgency, building and getting your customers SBOMs with a sense of urgency, and frankly driving security with a sense of urgency, because threat actors aren’t waiting, and they’re actively seeking new opportunities to exploit against all of our networks.”
As an industry consortium, the NRC can only go so far as incentivizing its members to follow its recommendations. But because the whitepaper aligns with the Executive Order and the National Cybersecurity Strategy released by the White House last year, Fussa believes adhering to it will prepare vendors for the inevitable. “I'll make a prediction that a lot of the suggestions that you see in this paper will be requirements under the law, both in Europe and in the US,” he added.
Jordan LaRose, global practice director for infrastructure security at NCC Group, says having ONCD and CISA behind the consortium’s effort is a noteworthy endorsement. But having read the paper, he didn’t believe it offered information that isn’t already available.
“This whitepaper is not super detailed,” LaRose says. “It doesn't outline an entire framework. It does reference NIST SSDF but I guess the question that most people will pose themselves is, do they need to read this whitepaper when they could just go and read the NIST SSDF.”
Nevertheless, LaRose notes that it underscores the need for stakeholders to come to terms with potential requirements and liabilities that they stand to face if they don’t develop secure-by-design processes and implement the recommended end-of-life models.
Carl Windsor, senior VP of product technology and solutions at Fortinet, said any effort to build security into the products from day one is critical. Windsor said he is especially encouraged that the report embraces SSDF and other work by NIST and CISA. “If we build our products from day one, aligning to the NIST standards, we’re 90 to 95% of the way with all of the other standards that are coming out there around the world,” he said.