It seems like yesterday when when Representative Ed Royce proposed legislation entitled the Cyber Supply Chain Management and Transparency Act. In actuality, it was November 2014. Almost three years have passed since congressman Royce first introduced his bill and helped educate the world about serious security vulnerabilities (like Apache Struts and Heartbleed) lurking inside of open source components which are commonly used by anyone and everyone building modern software applications.
Broadly speaking, Royce's bill would have required technology vendors selling software to the U.S. Government to do the following:
- Provide customers with a bill of materials documenting all open source components utilized in the software application;
- Demonstrate that the component versions utilized in the application have no known vulnerabilities (CVEs from NVD) for which less vulnerable alternatives are available;
- Provide a mechanism to promptly remediate new vulnerabilities when they are discovered.
Despite dying a quiet death, the Royce bill helped to pioneer an important conversation between government and industry leaders with respect to age old question of software liability.
This conversation continues to evolve -- and just today Senator Mark Warner a Democrat in Virginia, and Senator Cory Gardner, a Republican from Colorado introduced the Internet of Things Cybersecurity Improvement Act of 2017 -- an attempt to force companies selling IoT devices to federal agencies to adhere to new security standards.
Just like the Royce bill before it -- the newly proposed legislation from Senator Warner would require vendors selling IoT connected devices to government customers to do three simple things:
- Provide written certification that IoT devices do not contain hardware, software, or firmware components with any known security vulnerabilities or defects listed in the NVD or similar databases.
- Notify government customers of any new security vulnerabilities or defects subsequently discovered.
- Provide a mechanism that allows for any future security vulnerability or defect in any part of the software or firmware to be patched in order to fixed in a timely and secure manner.
As Bruce Schneier observed more than a decade ago: there are no real consequences for having bad security, or having low-quality software of any kind. Even worse, the market often rewards low quality. More precisely, it rewards additional features and timely release dates, even if they come at the expense of quality.
Although the Royce bill failed, and the future of the Warner bill is yet to be determined; there is an increasingly steady breeze blowing from Washington DC that is gently nudging the entire software industry toward a future in which vendors will no longer be immune to liability for damages due to known security vulnerabilities or defects.