Savvy consumers have learned how to read the list of ingredients on food labels to make decisions about their own health and well-being. But there isn’t an analogous ‘label’ for what types of software and code have been used in a given computer or software system — or even an agreed process for developing such a label.
The National Telecommunications and Information Agency (NTIA) is trying to fill that gap via its “Software Bill of Materials,” or “SBOMs,” initiative, which brings together government and industry stakeholders, including DoD and the Intelligence Community.
The goal of the SBOMs effort is to allow system developers, software buyers for agencies and firms, and consumers to have transparency into their software supply chain, in order to rapidly find out if they are at risk when a new software vulnerability is discovered, explains Alan Friedman, NTIA director of cybersecurity.
“Transparency is a pretty common idea,” Friedman said. “That should be the easy part,” he added, “understanding whether or not anyone’s at risk actually should be straightforward.”
NTIA, which falls under the Commerce Department, is not trying to develop unified standards for industry to follow, nor is it aiming at eventual regulations, Friedman stressed. Instead, the idea is to create a voluntary methodology for sharing vital information about software supply chains.
Doing so is not easy today, he said. He gave the example of the widely used real-time operating system (RTOS) called VxWorks, made by Wind River Systems, that allows vast numbers of devices — from fridges to printers — around the world to communicate with each other.
Last July, a group of researchers discovered that VxWorks had 11 major vulnerabilities that could allow an attacker to take over the devices using it.
“The challenge for the experts [trying to patch the holes in VxWorks] is that not everyone knows that they have it,” Friedman explained. “We don’t have that level of visibility.”
Even more importantly, he said, the problems found in VxWorks “weren’t unique” to that operating system. The baseline issue was “part of some software that was buried deep in a whole bunch of real-time operating systems, including, according to some reports, the RTOSs being used by the F-22 and the A380 (Airbus’ giant commercial jetliner).” (D.N.).
So, NTIA’s SBOMs would include not only the names of software suppliers, but also critical technical parameters such as coding, he said. This is trickier than it sounds, for both technical and policy reasons. On the technical side, he noted, different industries use different software security standards and reporting mechanisms. On the policy side, there are issues both with corporate secrets and national security concerns that work against information sharing — even when it is proven to create long-term benefits.
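The check Friedman describes, as an added illustration that is not part of this article or of NTIA’s work: given an SBOM in a CycloneDX-like shape, find which shipped products transitively contain a component that has just been reported vulnerable, even when it is buried two levels down inside an RTOS. The SBOM, its component names and the vulnerable reference are all constructed placeholders.

```python
# Walk a CycloneDX-style SBOM dependency graph to find which shipped products
# transitively contain a component with a newly disclosed vulnerability.
from collections import deque

# Constructed sample SBOM in a CycloneDX-like shape; every ref is a placeholder.
# "shared-tcpip-stack" stands in for a library buried inside several RTOS builds.
SBOM = {
    "components": [
        {"bom-ref": "product-printer", "name": "Printer Firmware", "version": "3.1"},
        {"bom-ref": "product-fridge", "name": "Fridge Firmware", "version": "2.0"},
        {"bom-ref": "product-sensor", "name": "Sensor Firmware", "version": "1.4"},
        {"bom-ref": "rtos-a", "name": "RTOS-A", "version": "7.0"},
        {"bom-ref": "rtos-b", "name": "RTOS-B", "version": "4.2"},
        {"bom-ref": "rtos-c", "name": "RTOS-C", "version": "9.1"},
        {"bom-ref": "shared-tcpip-stack", "name": "Shared TCP/IP Stack", "version": "1.0"},
    ],
    "dependencies": [
        {"ref": "product-printer", "dependsOn": ["rtos-a"]},
        {"ref": "product-fridge", "dependsOn": ["rtos-b"]},
        {"ref": "product-sensor", "dependsOn": ["rtos-c"]},
        {"ref": "rtos-a", "dependsOn": ["shared-tcpip-stack"]},
        {"ref": "rtos-b", "dependsOn": ["shared-tcpip-stack"]},
    ],
}

def dependency_graph(sbom):
    """Map each bom-ref to the refs it directly depends on."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}

def top_level_refs(sbom):
    """Refs nothing else depends on: the products that actually ship."""
    depended_on = {dep for deps in dependency_graph(sbom).values() for dep in deps}
    return [c["bom-ref"] for c in sbom["components"] if c["bom-ref"] not in depended_on]

def affected_products(sbom, vulnerable_ref):
    """Return {product_ref: path} for each top-level product that reaches
    vulnerable_ref through any dependency chain (breadth-first, cycle-safe)."""
    graph, result = dependency_graph(sbom), {}
    for product in top_level_refs(sbom):
        queue, seen = deque([(product, [product])]), {product}
        while queue:
            ref, path = queue.popleft()
            if ref == vulnerable_ref:
                result[product] = path
                break
            for dep in graph.get(ref, []):
                if dep not in seen:
                    seen.add(dep)
                    queue.append((dep, path + [dep]))
    return result
```

Calling `affected_products(SBOM, "shared-tcpip-stack")` reports the printer and fridge firmware with the chain through their RTOS, while the sensor firmware (built on RTOS-C) is correctly left out.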
Friedman said that NTIA had a “productive” initial meeting just prior to the onslaught of the COVID-19 pandemic with counterparts at the office of Pentagon CIO Dana Deasy, and is now re-engaging with that office. “Our next steps have been to sort of say: ‘Well, what does a more targeted collaboration look like?’” he said. “That’s something that we’re going to be pursuing moving forward.”
“We want to make clear this is something that is independent of their efforts,” he stressed. “But on the other hand, we think it dovetails quite nicely.”
For example, he noted, “a number of the larger players” from the private sector working with NTIA on supply chain security issues also “have a large DoD stake.”
As Breaking D readers are aware, the Pentagon has a number of software and microelectronics supply chain security initiatives underway — including the new Cybersecurity Maturity Model Certification process launched by DoD Acquisition czar Ellen Lord in January; and DARPA’s new four-year project on microchip security.
Finally, he added, NTIA also is engaging with the Intelligence Community, including the Office of the Director of National Intelligence and the National Security Agency: “We’re talking with our colleagues at the Fort, and in DNI, as well,” he said.