After SolarWinds, it's time for a National Software Security Act
- By Michael Garland
- Dec 16, 2020
In the wake of the SolarWinds cybersecurity breach, the time has come for Congress to regulate security in the software industry. I'm not advocating for onerous regulations that would thwart innovation and potentially favor large, well-financed companies, but I am suggesting there are minimal best practices around security that should be mandated for software companies selling software products or services in America.
In case you've missed the news, SolarWinds, a Texas-based network management software company, appears to have been compromised so that a patch, or series of patches, for its Orion software product carried malware that was then downloaded by its existing customers. Orion unfortunately sits on servers all over the world, including at Fortune 500 companies and at least the State Department, the National Institutes of Health, and the Department of Homeland Security. The rogue patch contains sophisticated malware that creates a backdoor, one that could allow exfiltration of data from every network where Orion resides. The National Security Council issued a directive this week to coordinate a government response to the vulnerability.
Unfortunately, one typical government impulse in response to this kind of mishap is to layer in a series of government-only requirements that could make it harder for the government to get modern IT solutions. In the face of this crisis, especially given the historic Chinese mega-hack of the Office of Personnel Management, the government needs to take a deep breath and not jump to a government-specific solution that might effectively make the government an island of isolated servers, inadvertently disconnected from commercial innovation.
Instead, Congress should look broadly at regulating the software industry as a whole. By analogy, think of how the government regulates car safety standards. Will it take a hack that brings down the electric grid or cripples financial services before we decide we'd be safer and healthier if software met minimal security standards? It is hard to believe there isn't a slate of best practices that could be mandated for all software providers and that could have prevented a piece of rogue malware from getting into a SolarWinds patch.
In healthcare for instance, surgeons have several people check the identification of a patient before operating. Would it be onerous to require a series of independent checks on the integrity of software, including patches, before it's distributed? Wouldn't it be a best practice to set up an internal audit team to ensure there is nothing malicious in the code? These practices feel very controllable.
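To make the "series of independent checks" concrete, here is an added example (not code from the author, SolarWinds, or any regulator) of a release gate a vendor could run before a patch is distributed. It models two of the checks the paragraph above describes: the candidate artifact must match what independent builders reproduce from the same source, and a quorum of distinct reviewers must have signed off on the exact bytes being shipped. Reviewer keys, artifact contents, builder names and the HMAC-based attestation format are all constructed stand-ins for illustration; a production gate would use real code-signing keys and a reproducible-build pipeline.

```python
"""Release gate: a patch ships only if independent builds and independent reviewers agree on it."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Attestation:
    """One reviewer's signed statement that they inspected a specific artifact."""
    reviewer: str
    artifact_sha256: str
    signature: str  # hex HMAC-SHA256 over the artifact hash (stand-in for a real signature)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_attestation(reviewer: str, key: bytes, artifact: bytes) -> Attestation:
    """The reviewer attests to the hash of the bytes they actually inspected."""
    digest = sha256_hex(artifact)
    sig = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return Attestation(reviewer, digest, sig)


def verify_attestation(att: Attestation, reviewer_keys: dict[str, bytes]) -> bool:
    """Reject unknown reviewers and any signature that does not match their key."""
    key = reviewer_keys.get(att.reviewer)
    if key is None:
        return False
    expected = hmac.new(key, att.artifact_sha256.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, att.signature)


def release_gate(candidate: bytes, independent_builds: dict[str, bytes],
                 attestations: list[Attestation], reviewer_keys: dict[str, bytes],
                 quorum: int = 2) -> tuple[bool, list[str]]:
    """Return (approved, reasons). Every failed check is recorded so the audit trail is complete."""
    reasons: list[str] = []
    digest = sha256_hex(candidate)

    # Check 1: every independent builder must reproduce the exact candidate bytes.
    # A patch altered after the build (or by a compromised build host) fails here.
    for builder, output in independent_builds.items():
        if sha256_hex(output) != digest:
            reasons.append(f"independent build '{builder}' does not reproduce the candidate")

    # Check 2: a quorum of *distinct* reviewers must have attested to this exact artifact.
    approvers: set[str] = set()
    for att in attestations:
        if att.artifact_sha256 != digest:
            reasons.append(f"attestation from '{att.reviewer}' covers a different artifact")
        elif not verify_attestation(att, reviewer_keys):
            reasons.append(f"attestation from '{att.reviewer}' has an invalid signature")
        else:
            approvers.add(att.reviewer)
    if len(approvers) < quorum:
        reasons.append(f"only {len(approvers)} of {quorum} required independent approvals")

    return (not reasons, reasons)


# --- Constructed demo data (hypothetical keys and bytes, not from any real product) ---
REVIEWER_KEYS = {"build-auditor": b"constructed-key-1", "security-review": b"constructed-key-2"}
CLEAN_PATCH = b"vendor-patch-v1 (constructed sample bytes)"
TAMPERED_PATCH = CLEAN_PATCH + b"\n# bytes injected after review"


def demo() -> tuple[bool, bool, list[str]]:
    """Run the gate on a clean candidate and on one altered after the reviews were signed."""
    attestations = [sign_attestation(r, k, CLEAN_PATCH) for r, k in REVIEWER_KEYS.items()]
    builds = {"builder-a": CLEAN_PATCH, "builder-b": CLEAN_PATCH}
    clean_ok, _ = release_gate(CLEAN_PATCH, builds, attestations, REVIEWER_KEYS)
    tampered_ok, tampered_reasons = release_gate(TAMPERED_PATCH, builds, attestations, REVIEWER_KEYS)
    return clean_ok, tampered_ok, tampered_reasons


if __name__ == "__main__":
    ok, bad, why = demo()
    print("clean candidate approved:", ok)
    print("tampered candidate approved:", bad)
    for line in why:
        print("  -", line)
```

The point of binding each attestation to a hash is that a sign-off on what was reviewed cannot be reused for what is actually shipped; the tampered candidate fails all three checks even though every reviewer did their job. Requiring a quorum of distinct reviewers is what makes the checks independent rather than one person approving twice.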
Now consider that the practices for producing software are all over the map. Many consider it more an art than a science. In the current era of open source, freely available code can be plugged into larger commercial products, leaving uncertainty as to the final product's total provenance. None of this is bad on its face, but it's a bit like the Wild West. It seems the time is ripe for some common-sense security regulation of the industry.
The software industry deserves a ton of praise. It's a bountiful business responsible for a huge portion of America's gross domestic product. But, as industries go, it's young. There has always been an innovator's ethos in software, best captured by Facebook's often quoted "move fast, break things." It's in the software industry where the concept of a "minimal viable product" was first developed. The idea has always been to get the product out the door; to fix problems later. Software is indeed "eating the world" and now broken software puts too much of the world at risk to avoid taking some minimal consumer protection actions.
Congress should work with a panel of esteemed software developers to create the basic operational requirements for software security regulation that is fair to all and not onerous, but still useful in ensuring fewer vulnerabilities. Trade-off assessments would be required. This doesn't have to be a huge new chunk of complicated and expensive overhead on the industry. It's simply a recognition that software is now a vital component of the world's economy, and it needs to be secure. Regulation should be designed with ease of compliance in mind.
In the wake of the Enron debacle, Congress passed Sarbanes-Oxley, which, among other things, required the CEOs of companies to certify, when they signed their annual financial statements, that those statements were accurate, under penalty of law. This is the kind of regulation that should be required of software developers – mandated basic best practices around security, followed by guarantees, with penalties for fraud. This should be done at a national level to protect all enterprises selling in the US, not just those selling to the government. Additionally, by doing this at an industry level, the government can continue to buy lower-cost commercial software rather than requiring more expensive custom-built products.
Would this fix everything? No. Airplanes still crash. But that reality doesn't keep Congress from regulating minimum airline safety standards. It's time to look at the software industry in a similar way.
Michael Garland is the founder of Garland, LLC, a consulting firm that advises clients on issues related to federal procurement law and the business of IT.