Wednesday, September 5, 2018

Hearing "Complex Cybersecurity Vulnerabilities: Lessons Learned from Spectre and Meltdown"

Continuing the review of U.S. Congressional Hearings, here are a few details and excerpts from the hearing “Complex Cybersecurity Vulnerabilities: Lessons Learned from Spectre and Meltdown”.

The July 11, 2018 hearing was held by the U.S. Senate Committee on Commerce, Science, and Transportation and was convened by its Chairman U.S. Sen. John Thune (R-S.D.).

Witnesses:
  • Ms. Donna Dodson, Chief Cybersecurity Advisor and Director of the National Cybersecurity Center of Excellence, National Institute of Standards and Technology, U.S. Department of Commerce
  • Dr. José-Marie Griffiths, President, Dakota State University
  • Ms. Joyce Kim, Chief Marketing Officer, ARM
  • Mr. Art Manion, Senior Vulnerability Analyst, CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University
  • Mr. Sri Sridharan, Managing Director, Florida Center for Cybersecurity, University of South Florida

Here are a few small excerpts:
U.S. Senator John Thune, Chairman of the Committee on Commerce, Science, and Transportation (Statement)
These processes raise questions about how a coordinated vulnerability disclosure process should be carried out to ensure that companies have enough time to test and implement patches. It’s not enough just to develop patches; they also need to be tested and applied so that consumers don’t have a false sense of security about whether solutions are really in place.
The other thing we confirmed is that some Chinese manufacturers, including Huawei (“Wah-Way”), were informed of the vulnerability prior to public disclosure. Given their close ties to the Chinese government, Huawei’s involvement in the coordinated vulnerability disclosure—while perhaps necessary—raises additional questions about supply chain cybersecurity.
Finally, only one company – IBM – reported that it contacted the U.S. government prior to the January 3, 2018, public disclosure. And no vendor engaged CERT-CC (“CERT-C-C”) to assist in coordinating the vulnerability disclosure or response. Even the largest affected chip manufacturer, Intel, did not provide advance notice.

Witnesses:

Ms. Donna Dodson, Chief Cybersecurity Advisor and Director of the National Cybersecurity Center of Excellence, National Institute of Standards and Technology, U.S. Department of Commerce (Testimony)
The National Vulnerability Database
[…] NIST maintains the repository of publicly reported information technology vulnerabilities, called the National Vulnerability Database (NVD). The NVD is an authoritative source for standardized information on security vulnerabilities that NIST updates regularly. 
The NVD tracks vulnerabilities over time and allows users to assess changes in vulnerability discovery rates within specific products or specific types of vulnerabilities. [...] Health care and Internet of Things devices are specific areas of focus for this expansion, as identification of vulnerabilities in these types of devices is a growing concern for the security community. While disclosed vulnerabilities assigned with an identifier are posted immediately, NIST also takes additional steps to analyze and provide a severity metric to assist practitioners in responding to each vulnerability. Both the number of vulnerabilities in the NVD and use of the NVD continues to grow. For example, since January 2017, each month we have seen an average of 10% growth in the amount of data downloaded. NIST is working aggressively to ensure the NVD can continue to provide this important information in a timely fashion. [...]
Cybersecurity Event Recovery
The number of vulnerabilities being discovered also reminds us of the importance of effective planning to an organization’s preparedness for cyber event recovery. As part of an organization’s ongoing information security program, recovery planning enables participants to understand system dependencies; critical roles such as crisis management and incident management; arrangements for alternate communication channels, services and facilities; and many other elements of business continuity.

Dr. José-Marie Griffiths, President, Dakota State University (Testimony)
DSU has multiple Academic Center of Excellence designations in education, research, and regional resource development from the U.S. National Security Agency and Department of Homeland Security. […] Small in size, DSU has become a big player in cyber workforce development and research and development. DSU has developed the Madison Cyber Labs — MadLabs — a cyber research hub of research clusters that leverages the “mad skills” of our faculty, staff and students in collaborations with government and corporate partners, from local and area partners all the way through federal agencies. […] Ten clusters across multiple disciplines – and more planned – combine disciplinary and cyber experts for targeted innovation. Present MadLabs labs and institutes include:
[abbreviated lab descriptions]
• Cyclops Lab (Cyber Classified Operations)
• PATRIOT Lab (Protection and Threat Research for the Internet of Things)
• FinTECH Lab (Financial Technology)
• DigForCE Lab (Digital Forensics for Cyber Enforcement)
• Campus IT Living Lab (DSU’s IT infrastructure protection and related research)
• CAHIT (Center for the Advancement of Health Information Technology)
• AdaptT Lab (Research in Adaptive Technologies)
• C-BAR Lab (Center for Business Analytics Research)
• Cyber Education and Teaching Technologies Lab
• CybHER Security Institute (Women in Cyber Security)
• CLASSICS Institute (Collaborations for Liberty And Security Strategies for Integrity in a Cyber-enabled Society) 
Across U.S. universities we have the potential to develop a nationwide distributed force that could be mobilized to address initial vulnerabilities and test solutions through multiple disciplines. We must increase cultivation of a cyber workforce. The shortage of skilled cyber professionals is seriously impacting the ability of organizations – and federal and state government – to protect our cyber resources. 

Ms. Joyce Kim, Chief Marketing Officer, ARM (Testimony)
Arm has engaged the United States Government
As Arm previously stated to the Committee in our written response to Chairman Thune and Ranking Member Nelson on March 1, 2018, we did not communicate with the US Government prior to the initial Spectre and Meltdown variants being disclosed by Google Project Zero in January 2018. After considering emerging practices across industry, and after discussions with this Committee and your colleagues in the House of Representatives, Arm recognized and has pursued several process refinements to improve its handling of vulnerabilities. Among those, we have recognized the importance of working with government stakeholders that may be able to share information and help minimize the impact on end users. As such, Arm did notify the US government and brought our chief architect to DC from Arm’s headquarters in Cambridge, United Kingdom to brief government stakeholders at the Department of Homeland Security (DHS) on Variant 4 in advance of the public disclosure of that vulnerability. We have remained in contact with DHS and plan further engagements to share information and best practices. We look forward to a productive and mutually beneficial relationship that can contribute to security in the mobile ecosystem. 

Mr. Art Manion, Senior Vulnerability Analyst, CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University (Testimony)
CVD should follow the supply chain
At its most effective, CVD follows the supply chain affected by the vulnerability. Many products today are not developed by a single vendor. Instead, they are assembled from components sourced from other vendors. For example, software libraries are often licensed for inclusion into other products. When a vulnerability is discovered in a library component, it is very likely that not only does the originating vendor of the library component need to take action, but all the downstream vendors whose products use it need to take action as well. Complex supply chains can increase confusion regarding who is responsible for coordinating, communicating, and ultimately fixing vulnerabilities, leading to delays and systems exposed to unnecessary risk. Because of the underlying nature of the vulnerabilities, Meltdown and Spectre exacerbated these concerns. […]
Rushed solutions can increase risk 
[…] Systems that require high availability and reliability, such as industrial control and other safety critical systems, should not install updates or make other changes without significant testing. Surprise leads to misplaced effort and opportunity cost. As with most situations in which multiple parties are engaged in a potentially stressful and contentious negotiation, surprise in CVD tends to increase the risk of a negative outcome. For technically complex vulnerabilities like Meltdown and Spectre, there is a need for stakeholders to understand the problem before it is possible to make good decisions about the appropriate response. Because so many vendors, deployers, and other stakeholders were caught off guard with the public disclosure of the Meltdown and Spectre vulnerabilities, much attention was diverted from potentially more pressing and immediate cybersecurity issues.

Mr. Sri Sridharan, Managing Director, Florida Center for Cybersecurity, University of South Florida (Testimony)
A foreign threat actor could have quietly exploited one or more of these vulnerabilities without our knowledge, and they could have been doing so for twenty years. And, although the vulnerabilities are now known, we are still not safe because, statistically, at least 25 percent of users do not apply the patches needed to mitigate these vulnerabilities. […]
My point is that Meltdown and Spectre, WannaCry and NotPetya, are symptoms of a much larger problem: cybersecurity is a race with no finish line. The question is not ‘if’ vulnerabilities exist. They do. They are out there, and as fast as we discover and patch them, new ones are introduced. It is simply the nature of rapidly advancing technology. The real question is: who will find it first? We are living in the Information Age. Our information, our currency, our medicine, our economy and our secrets are digitized, and so is our conflict. […]
We must act now to ensure that our cybersecurity forces—military, public and private—are prepared to win these battles. How do we do that? How can we make sure that it is our researchers who discover vulnerabilities rather than foreign threat actors? How can we ensure that the United States remains the world’s leading cyber power? The answer is people.
I’m sure everyone here is aware of the well-publicized difficulties the Department of Homeland Security has been facing in hiring skilled cybersecurity workers. […] We need to work harder and faster. We need more programs, more camps, more competitions that educate kids and inspire them to pursue cybersecurity careers. […] If you build it, they will come. But people need to know these opportunities exist, which brings me to my final topic: communication. […]
These two moments reveal a critical issue: the lack of a clear, rapid report-and-respond mechanism for national cybersecurity threats. Currently, multiple agencies and organizations bear responsibility for national cybersecurity defense: DHS, NSA, the military, the FBI. To which of these organizations should the researchers have reported their discovery? Do they have a duty to report? When a vulnerability is reported, what is the mechanism to alert critical areas of our government? In the case of Spectre and Meltdown, industry responded quickly with patches and solutions, but only after they were made aware of the problem. We can get a better handle on cyber hacks and breaches if we are more proactive than reactive.