US cyber boss wants software patches to be like car recalls • The Register
Software made dangerous by its dependencies should be patched without users having to interact with the source of the problem, according to Chris Inglis, U.S. national cyber director, who serves in the president's executive office.
Speaking at the Black Hat Asia conference in Singapore on Friday, Inglis said that when a faulty component in a car needs to be replaced, the manufacturer that chose that component takes responsibility for sourcing safe replacement parts and arranging for their installation. He contrasted this arrangement with the Log4j bug fix, which required users to seek help both from vendors that had built the open-source logging code into their products and from the Log4j project itself.
Inglis wants vendors to take responsibility for their choices so that resolving security issues is easier and users’ — and America’s — systems can achieve greater resilience with less effort.
The director said such a change is the kind of thing he sees as a necessary regulatory requirement in the digital age, because to date some sources of trouble have escaped responsibility or costs for their mistakes.
The Biden administration has already shown its intention to increase technology regulation with initiatives such as the Executive Order aimed at modernizing national defenses in the wake of the SolarWinds and Microsoft Exchange attacks and the incident that shut down the Colonial Pipeline. In another move, the SEC has proposed shorter mandatory reporting windows for public companies affected by infosec incidents, along with periodic market updates on their security efforts.
Inglis told The Register more regulation is coming, and while he wants watchdogs to have the "lightest touch possible", he also hopes to impose a "capital cost" on companies to ensure they invest in improving their capabilities.
The director could offer no timeline for the delivery of the new regulations, saying the administration takes into account the needs of many industries.
One activity he wants to see more of is collaboration between government and the private sector, and more collaboration between agencies.
Inglis believes these efforts are critical because no one entity knows or understands everything it needs to improve the security of its information. The director described collaborations in which entities each bring their own view of a situation to the table, and each gains the fuller view needed to solve problems only after sharing information.
“We often overestimate what a government knows, or underestimate what the private sector knows,” he told the conference.
Rather, he hopes that organizations can share "a degree of professional intimacy such that we can discover things together that neither of us can do alone … so that we discover something that no one else could have discovered alone".
National security agencies in the UK and Israel are doing it well, he said. And U.S. efforts are improving through the work of the Joint Cyber Defense Collaborative led by the Cybersecurity and Infrastructure Security Agency.
“The concept is starting to work,” he said. ®