The morning of June 9th, I was driving over the Golden Gate Bridge into San Francisco with my family. While crossing the bridge my children shared some facts about this modern engineering marvel. Each day, approx. 100,000 vehicles travel over the bridge deck, which weighs a staggering 150,000 tons, and is suspended by 250 pairs of steel ropes.

We noted that a single steel rope could not withstand such an enormous weight. But when hundreds work together in unison, their combined strengths are sufficient to support the monumental load of the bridge and its occupants, with capacity to absorb fluctuations in traffic volumes and high stress events like windstorms and earthquakes.

Like the steel ropes of the Golden Gate Bridge, we in the cybersecurity community cannot carry the load alone, but together, “with all hands on deck”, we can address even the largest challenges.

That afternoon at the RSA Conference 2022, I had the pleasure of moderating a panel with Microsoft’s Aanchal Gupta (@nchlgpt), Intel’s Tom Garrison (@tommgarrison) and the NSA’s (@NSAGov) Dr. Diane Janosek (@dm_janosek) where we discussed how to overcome a culture of secrecy to create transparent and trusted cross-organization collaboration, and the challenge of encouraging responsible disclosure without the fear of backlash.

In this blog I will summarize the topics discussed by each of the panelists, starting with the threats that are driving the need for greater collaboration.

At the beginning of the discussion, Aanchal highlighted that Software Supply Chain attacks are one of the industry’s biggest risks and therefore one of its top priorities to address, saying “even though this is not a new risk, our reliance on third party and open-source software is exponentially increasing, and it is only a matter of time before we see more supply chain issues. Log4j and Nobelium are just the tip of the iceberg.”

Aanchal then explained that there are two primary reasons why supply chain attacks will continue to rise. “First, as our dependence on third party software is growing, it is becoming more attractive for threat actors to find the soft spots. Attackers could easily convince an insider, or they could find an unpatched vulnerability, to inject their malicious payload into the supply chain. What makes it extremely difficult is that certain software is ubiquitous, “like salt in your pantry”. Salt is in almost every snack item in your pantry, and you can imagine if that is contaminated, how difficult it will be to address the issue. Log4j became a challenging issue because of its pervasive use.”

Tom further elaborated on how the supply chain is evolving into a platform with a “digital DNA” and the importance of System, Traceability and Transparency. “What we want to do is to peel back this sort of almost secrecy that’s existed around what components are used to build your device, whether it’s a PC or a server or an IoT device. These are the foundation of trust and empower customers to make intelligent decisions around their platforms. In order to maintain a healthy system, it is important to ask questions about patching. How do I manage my system over time? Am I smart about updates and applying them in a timely manner? Do I have a process around updating these machines on a regular basis? This is the very first step towards transparency and is a great healthy step.”

Diane then highlighted the strategic importance of also considering the threats associated with Adversarial AI. “While AI has phenomenal machine learning usages, helping make sense of the massive data sets, the entire inference depends upon the integrity of that data for the algorithms to actually work. If the adversaries are altering that data, recognizing that we’re using certain models for critical security decisions and more, our models will be incorrect. Understanding the world of human generated attacks vs. the AI based attack surface raises the level of sophistication and complexity that we must get ahead of.”

Next, Aanchal discussed how organizations can foster collaboration to raise the bar for security, starting with the concept of a Software Bill of Materials (SBOM). To get ahead of supply chain risks, it helps to think of your SBOM as a “recipe”.

  1. First, know what ingredients make up your recipe. Do you have a list of all the software in your organization? If not, you need to create one.
  2. Next, understand where your ingredients come from and what controls are in place to ensure their reliability as they are produced and delivered to you.
  3. And finally, trust but verify. Test your ingredients regularly to ensure their integrity.
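The three “recipe” steps above, worked through as an added example (not code from the panel or from any of the panelists’ organizations): a constructed, CycloneDX-like SBOM is read to inventory components, flag those with no declared supplier, and recompute SHA-256 hashes against the shipped artifacts. The artifact bytes, component names and the SBOM layout are all assumptions made for the demo.

```python
import hashlib
import json

# Constructed sample artifacts standing in for the "ingredients" an
# organization actually ships; the bytes and names are made up for this demo.
ARTIFACTS = {
    "log-lib": b"log-lib 2.17.1 release bytes",
    "json-parser": b"json-parser 1.4.0 release bytes",
    "crypto-util": b"crypto-util 0.9.2 release bytes",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed SBOM in a CycloneDX-like JSON shape (assumed layout, not a real
# project's SBOM). "json-parser" deliberately omits its supplier, and the hash
# recorded for "crypto-util" deliberately does not match the artifact above.
SBOM_JSON = json.dumps({"components": [
    {"name": "log-lib", "version": "2.17.1",
     "supplier": {"name": "Example Upstream Foundation"},
     "hashes": [{"alg": "SHA-256", "content": sha256_hex(ARTIFACTS["log-lib"])}]},
    {"name": "json-parser", "version": "1.4.0",
     "hashes": [{"alg": "SHA-256", "content": sha256_hex(ARTIFACTS["json-parser"])}]},
    {"name": "crypto-util", "version": "0.9.2",
     "supplier": {"name": "Example Vendor Inc."},
     "hashes": [{"alg": "SHA-256", "content": "0" * 64}]},
]})

def inventory(sbom_json: str) -> list:
    """Step 1: list every ingredient (name, version) the SBOM declares."""
    return sorted((c["name"], c["version"]) for c in json.loads(sbom_json)["components"])

def missing_provenance(sbom_json: str) -> list:
    """Step 2: flag components with no declared supplier, i.e. unknown origin."""
    return sorted(c["name"] for c in json.loads(sbom_json)["components"] if not c.get("supplier"))

def verify_integrity(sbom_json: str, artifacts: dict) -> dict:
    """Step 3: trust but verify; recompute each SHA-256 and compare with the SBOM."""
    result = {}
    for comp in json.loads(sbom_json)["components"]:
        declared = {h["content"] for h in comp.get("hashes", []) if h["alg"] == "SHA-256"}
        data = artifacts.get(comp["name"])
        # A missing artifact or a missing hash both count as unverified.
        result[comp["name"]] = data is not None and sha256_hex(data) in declared
    return result

if __name__ == "__main__":
    print(inventory(SBOM_JSON))
    print(missing_provenance(SBOM_JSON))
    print(verify_integrity(SBOM_JSON, ARTIFACTS))
```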

To mitigate some of this risk, the US Government issued an Executive Order (EO) earlier this year. The EO is the start of the process of the US government identifying the problems and engaging with the private sector to define solutions. This is a multi-year effort that will profoundly change the requirements to sell software to the US government, one of the largest tech buyers on the planet. As we help shape the EO, we will raise the difficulty of attacking the US government, and software overall.

As the largest provider of enterprise software, we have a responsibility to provide leadership and help – with things like the SBOM – where you call out the dependencies that each piece of software has. We are actively participating in helping shape the underpinnings of the EO.

Tom then discussed the importance of collaborating with both external AND internal researchers. “To build a deep understanding of the products and HW/SW solution stacks, this requires partnerships with ethical hackers, and security investments to drive deeper research to ensure that the learnings not only fix legacy and historical problems, but also ensure long-term safety as we shape future products and technologies.”

The panel then moved on to discussing the paradoxical need for transparency and responsible disclosure within a culture of secrecy. This was talked about with great energy and passion, not just by the panelists but also by members of the audience. There is always the tension of how we maintain confidentiality about a vulnerability until all the partners have a mitigation or fix, while also ensuring that stakeholders are well informed. This is not just about doing the right thing morally; it is also good for business to share the information in a timely manner. We are at an inflection point, where this clarity and realization is helping drive intentional collaboration, from vulnerability disclosure through to patching, as a priority, and we look forward to making measurable progress here.

The panel agreed that we should not penalize and ostracize people for sharing a breach of their system. We need to shift the culture from blame to community support. When we support organizations to be forthcoming with their experience, we will get better insights and it will also help identify supply chain issues early on. It is due to the fear of retaliation that people don’t share the details. Help them become better vendors and service providers by sharing their knowledge. Their breach is not just their breach anymore; we are all in this together.

Finally, the conversation shifted to working with law enforcement to ensure cyber criminals are held accountable. Diane gave this wonderful example: “Consider critical infrastructure sectors for the United States (e.g., energy sector, transportation sector etc.). 80% are run by the private sector, and 20% by the government. So even if I, as the government, get an A grade for my 20% (which is defense and telecommunications), it’s not good enough for the country if all other sectors fail. We need to establish the fine balance to be able to do the signals intelligence mission and the cyber security mission across government and private sector, to get holistic protection, while protecting the Constitution”. This is a crucial point for a whole-of-society approach; we must continue to partner with all sectors – private and government – to ensure we preserve privacy and security, holistically.

Thinking back to the Golden Gate Bridge, the individual steel hangers do not support just the vehicles directly beneath them. Each hanger is critical in supporting the entire bridge and every vehicle travelling on it, no matter where on the bridge a vehicle happens to be. Similarly, for those of us in the cybersecurity industry and our respective customers and products, when we work together, we create a stronger and more resilient foundation for all.