Established pursuant to the executive order, “Improving the Nation’s Cybersecurity,” the Cyber Safety Review Board (CSRB), which consists of public and private sector leaders, has the stated goal to review major cyber events and make concrete recommendations to drive improvements across both the public and private sectors. It might help to think of the CSRB as information technology’s (IT’s) equivalent of the National Transportation Safety Board.
The CSRB took aim at Log4j, a Java logging framework that has experience vulnerabilities over the last year, as its first cyber incident to investigate and report on, and in this article, we’ll discuss some of its main takeaways.
The Role of Software Bills of Materials
The report makes significant mention of the need for software transparency, inventory, and governance, with Software Bills of Materials (SBOMs) being a core component of those pursuits. The report also highlights that Log4j will remain a prevalent vulnerability for some time, but that its impact isn’t as profound as initially projected due to the tireless efforts of public sector agencies like the Cybersecurity and Infrastructure Security Agency (CISA) and others that quickly provided critical guidance for major service providers, cloud providers, and organizations. These providers and organizations themselves have worked relentlessly to remediate the vulnerabilities within their enterprise ecosystem.
The report calls for organizations to make use of SBOMs to improve accurate information technology asset and application inventory and also for organizations such as the Office of Management and Budget, Office of the National Cyber Director, and CISA to provide guidance for effectively using SBOMs as the ecosystem matures. The report mentions SBOMs 18 times, calling for both increased SBOM adoption and investment as well as increased software transparency for public and private sector organizations.
The CSRB report breaks its recommendations into four categories: addressing Log4j’s continued risks; driving existing best practices for security hygiene; building a better software ecosystem; and making investments in the future. The report acknowledges that organizations will be wrestling with Log4j vulnerabilities for years to come and should continue to report on and observe for Log4j exploitation.
The report also calls for organizations to invest in their capability to identify vulnerable systems; establish vulnerability response programs; and continue to develop accurate IT and application inventories. SBOMs are significant here, too, as they play an important part in the context of software components and Operational Support Systems (OSS) consumption. Organizations with the robust inventories of software components in their enterprise that SBOMs provide will be better positioned to respond to the next Log4j-type incident.
The report calls on OSS developers to participate in community-based security initiatives and invest in training developers in secure software development. This is also a key recommendation in the Open Source Security Software Mobilization Plan (OpenSSF). Additionally, it calls for improvements in SBOM tooling and adoption and investments in OSS maintenance support for critical services.
Lastly, the report calls for making investments in key areas such as baseline requirements for software transparency for federal government vendors; exploring a Cyber Safety Reporting System; and studying incentive structures to build secure software. All these recommendations align with those made by other leading organizations in both the public and private sector, such as National Institute of Standards and Technology (NIST), The Linux Foundation, OpenSSF, and many others.
Software supply chain attacks are only accelerating as malicious actors increasingly realize the appeal of this attack vector. Attacks can compromise a single target and have a cascading impact across the entire downstream consumer ecosystem. Thankfully, public and private sector organizations are producing tools, technologies, and guidance to tackle this escalating challenge. That said, it will take effort across the entire software producer and consumer ecosystem to bolster defenses against these devastating attacks.
Want more cybersecurity insights? Subscribe to the Cybersecurity as a Business Enabler channel: