Principles and Approaches for Secure-By-Design Software



REQUEST FOR INFORMATION

SHIFTING THE BALANCE OF CYBERSECURITY RISK:

PRINCIPLES AND APPROACHES FOR SECURE BY DESIGN SOFTWARE

The Florida Center for Cybersecurity (Cyber Florida)

The Florida Center for Cybersecurity (also known as Cyber Florida) was established within the University of South Florida in 2014 under Florida statute 1004.444. The goals of the center are to: position Florida as a national leader in cybersecurity and its related workforce through education, research, and community engagement; assist in the creation of jobs in the state’s cybersecurity industry and enhance the existing cybersecurity workforce; act as a cooperative facilitator for state business and higher education communities to share cybersecurity knowledge, resources, and training; seek out partnerships with major military installations to assist, when possible, in homeland cybersecurity defense initiatives; and attract cybersecurity companies to the state with an emphasis on the defense, finance, health care, transportation, and utility sectors.

Comment

Cybersecurity is amongst the nation’s most pressing challenges today, and it has been so for decades. Despite significant R&D investments and time, attacks continue to plague the US in cyberspace, and their impacts are felt across every walk of life, including in the government, military, industry, our centers of learning, critical infrastructure, and the general public (including our children). Given this current state, the vision of creating emerging software that at its very core is “Secure by Design” is – while admittedly a little late – still the correct approach to take.

CISA broadly defines “secure by design” software as that “where the security of the customers is a core business goal, not a technical feature”. The security of such software is expected to play an integral role during design itself, even before any development begins. This is a very reasonable definition and captures the intended purpose effectively. What is most surprising, though, is that it has taken so long to realize this vision, and only now has the need to integrate security during design gained traction across the US government. It is indeed true that since the 1960s, when the industry started taking shape and permeated the lives of increasingly more Americans, the needs of businesses alone were emphasized and very little to no attention was paid to security vulnerabilities, and especially to the security of the end users of software.

However, this is not an isolated phenomenon in the technology world, nor is it restricted to the software industry. Two of the most ubiquitous technologies that drive our lives today are also impacted because of a lack of “secure by design” features in their early development. The first is the internet. As we know, the internet took shape in the 1960s thanks to pioneering advances by the US DoD via its ARPANET program, which built a network of interconnected computers that could communicate with one another. The progress achieved here, coupled with advances made in the world wide web, led to the creation of the internet as we know it today. However, if one looks at the history carefully, “security” of the internet against attacks was hardly emphasized during its development. Most of the early focus was simply on getting computers to talk to each other optimally, which meant a significant percentage of the investments then were made in routing, congestion control, bandwidth optimization, error correction and more – nothing on security. This aspect was covered in a 2015 article by The Washington Post that elaborated on how the founders of the internet saw its promise but never comprehended the possibility of malicious users. The article quotes David Clark, one of the pioneers of the modern internet, as saying: “It’s not that we didn’t think about security” and “We knew that there were untrustworthy people out there, and we thought we could exclude them.”
The same article also alludes to another statement by Vinton Cerf, another internet pioneer, as saying: “We didn’t focus on how you could wreck this system intentionally” and “You could argue with hindsight that we should have, but getting this thing to work at all was non-trivial.”[1] By the time the early attacks against the internet started to take shape (e.g., the 1998 Morris Worm), the foundational standards, protocols, equipment, and software were too hardened and ubiquitously adopted globally to the point where a re-design based on security considerations became impractical, leading to where we are today with a highly insecure internet.

A similar trend was also prevalent in the mid-2000s with the creation of social media platforms like Facebook, Twitter, and Orkut, where again the primary goal was rapid connectivity of humans with little to no concern for the impacts to the security of the people, network or data. The massive rise in popularity of these systems again meant that re-design for security was impractical, and as a result, cyber-abuse, misinformation, disinformation, mental health deterioration, and cyber addiction are all causing significant and ever-increasing impact on all of society, especially on its most vulnerable people – children. Despite massive-scale investments to combat these threats, there has been no practical progress made yet.

[1] https://www.washingtonpost.com/sf/business/2015/05/30/net-of-insecurity-part-1/

At this critical juncture, we commend CISA for leading the important initiative on “secure by design” software. Upon careful reading, we believe that the three principles identified (take ownership of customer security outcomes; embrace radical transparency and accountability; and build organizational structure and leadership to achieve these goals) are comprehensive. The specifics identified under each of these principles are firmly rooted in practical approaches to creating software that is secure in the design itself. In other words, security is not an afterthought but is the default. We especially commend CISA on its outreach to small and medium-sized businesses, which are at the heart of the US economy and are most prone to cyber-attacks.

In terms of broad recommendations, we recommend that CISA create easily accessible and publicly available repositories of best design practices, cost to scale, the vulnerabilities that are most impactful to address, and the use-case experiences of peer organizations. Considering our close associations with universities across the state of Florida and nationally, we recommend funded programs that specifically focus on secure-by-design software and look at all of its ramifications – vulnerabilities, threats, attack vectors, the economics of secure by design, agile development, ethics, and much more. Universities and related R&D will become central to such efforts, considering the immense intellectual capacities available therein.

From the perspective of Education (Topic 2 under Additional Topics for Commenters), Cyber Florida would like to share some recent developments in the space of cybersecurity education in the state of Florida that resonate with CISA’s vision for software that is secure by design. At multiple universities that are part of the state university system in Florida, there are now programs that offer a BS in Cybersecurity, specifically catering to the never-ending demand for cybersecurity professionals in the state of Florida and the nation at large. For instance, at the University of South Florida in Tampa, the BS in Cybersecurity program has 700+ students currently enrolled. We recommend that CISA actively engage with this pipeline of cybersecurity undergraduate students in the vision of secure-by-design software. Some potential avenues are the creation of robust tabletop exercises, designated cyber ranges for students, sandboxed virtual environments for cybersecurity training, and capture-the-flag games, all of which can be made public and accessible to students and faculty.

We want to allude to a related and critical development in the space of undergraduate education in cybersecurity and computing in general. Readers may be aware of an organization called ABET (https://www.abet.org/). It is a highly respected organization that accredits programs after a rigorous review of many aspects, most importantly the curriculum of study. In fact, many employers in the US and beyond greatly value graduates coming out of ABET-accredited programs. Undergraduate computing programs across universities have been accredited by ABET since 1985, and in the last few years ABET has understood the criticality of undergraduate programs offering BS in Cybersecurity degrees, and there is now an established and rigorous set of criteria for accrediting them. The criteria for accrediting a BS in Cybersecurity degree include, among many things, detailed coverage of Data Security, Software Security, Component Security, Connection Security, System Security, Human Security, Organizational Security, and Societal Security. Interestingly, the updated ABET guidelines for accrediting any Computing program now state that the curriculum must cover “Principles and practices of security and privacy in computing.” In other words, every undergraduate degree in the field of Computing must incorporate security and privacy topics for ABET accreditation. We believe that this is an encouraging development, from an educational perspective, for realizing CISA’s vision of emerging software incorporating security by design. We recommend that CISA engage with technical societies like the Association for Computing Machinery (ACM) and the Institute of Electrical and Electronics Engineers (IEEE), which work closely to shape next-generation computing curricula across the globe. With CISA’s engagement across these societies, the outcome will be a large set of college students graduating with computing degrees, all of whom are armed with the skills needed for security and privacy, and this early investment in security by design across the student body will play a critical role in the practical vision of protecting cybersecurity, and its related software and customers, tomorrow.

Contributing Authors

Dr. Sriram Chellappan

Academic Director of Cybersecurity Research, Cyber Florida: The Florida Center for Cybersecurity

Professor, Computer Science and Engineering, University of South Florida

Contact Information

Ernie Ferraresso, Director

Cyber Florida: The Florida Center for Cybersecurity

eferraresso@cyberflorida.org

813 974 1869
