Trust Through Transparency
A look at the rising calls for a transparent digital society - and the accountability it brings
In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.
While I don’t know who actually authored this line from the opening section of Cybersecurity Executive Order 14028, it has stuck with me, and apparently the rest of the industry, since we’ve read it.
The reality is that we do indeed live in a society tied to our underlying digital infrastructure.
From our most benign personal activities to our most critical infrastructure and national security systems, software is now the engine that powers modern civilization. In fact, the World Economic Forum (WEF) projected that by the end of 2022, 60% of global gross domestic product (GDP) would be tied to digital platforms and systems.
There are many trends underway in our increasingly digitally driven society, but one undeniable overarching trend is the increased call for transparency.
From software supply chain security to zero trust, privacy and the boardroom, shifts toward transparency are pervasive.
Let’s take a look at each of these areas and see how transparency is front and center in the conversation.
Software & Supply Chain Security
One of the most obvious places we see the increased call for transparency is in the area of software supply chain security. For far too long there has existed an information asymmetry between software suppliers and consumers. Consumers have typically utilized third-party software with little to no transparency into what software components actually make up that software, whether hosted in their own environment or consumed as-a-Service.
This is changing quickly, with notable examples including Section 4 of the Cyber EO calling for activities from various entities such as NIST, CISA, OMB and others. We’ve now seen NIST publish its updated Secure Software Development Framework (SSDF) and, importantly, a feverish industry dialogue around Software Bills of Materials (SBOMs) to provide transparency into the components that make up software and applications.
Based on recent guidance from the Office of Management and Budget (OMB), U.S. Federal agencies are now marching towards requirements to potentially begin collecting SBOMs from third-party software suppliers. This would give agencies direct insight into the software components third-party suppliers use in their products and services, along with the associated vulnerabilities and potential risk being passed downstream.
I would be remiss if I didn’t mention that the OMB memo currently excludes internally developed agency software, which I personally think is short-sighted, given we have seen several agencies experience security incidents in their own internal systems as well. Having visibility into internally developed agency applications and their associated OSS components would better position agencies to implement OSS governance and incident response, against the backdrop of software supply chain attacks that have increased over 700% in the last 3 years.
We’ve also seen language in the recently passed 2023 appropriations bill which requires medical device manufacturers to provide SBOMs as well.
This trend isn’t limited to the public sector either, with industry best practice and guidance from leaders such as NIST, NSA, CNCF, CSA, OpenSSF and others all citing the value of software component visibility. This makes sense, given that asset inventory has been a critical control in cybersecurity since the CIS Critical Controls, and the SANS Critical Controls before that - and OSS components are baked into your software assets.
As the saying has long gone, you can’t protect what you don’t know you have, and what organizations have is an environment overwhelmingly rich in third-party OSS components, with some surveys citing figures as high as 75% of modern applications being composed of OSS and up to 93% of applications including OSS components to some extent. Most organizations have little understanding or inventory of their extensive OSS usage.
Calls for increased transparency will expand beyond OSS usage as well, given that in just the last several months, major service and tooling providers such as CircleCI, LastPass, Okta and Slack have all been targeted by attackers and experienced security incidents potentially impacting customers.
Consumers want transparency and assurance that their providers and suppliers are using secure development practices and have mature security programs in place. This goes beyond our traditional practice of throwing several hundred subjective questionnaires at software suppliers; instead, consumers want visibility into the end product and any residual risks associated with it.
Another notable example of increased transparency is the Defense Industrial Base (DIB), which has been experiencing an agonizingly drawn-out push away from self-attestation against control frameworks such as NIST 800-171 and towards third-party assessments using 3PAOs, ushering in new frameworks such as the Cybersecurity Maturity Model Certification (CMMC). This followed several notable security incidents impacting DoD vendors, as well as the revelation that most self-attested scores were inflated.
Organizations increasingly want transparency not just into their own software supply chain but into that of their suppliers: what components are used in the digital products they consume, and the security practices and processes of their suppliers.
Zero Trust
If trust is built on transparency, then we need transparency throughout our entire architectures and environments. As Zero Trust embodies: no implicit trust.
This means the age-old perimeter security model is dead, and organizations are pushing heavily towards Zero Trust architectures.
Transparency shows up in various aspects of Zero Trust, such as seeking transparency on every session and digital transaction, not just an initial authentication followed by a golden ticket to roam freely throughout an organization’s digital infrastructure.
Not only do we want to authenticate every session and transaction, but we want further transparency about the identities of the entities involved in those sessions: who they are, where they’re coming from and the security hygiene of the device they’re using. This next level of transparency into the environment, endpoints, identities and activities allows organizations to make context-based, dynamic access control decisions that improve their security posture.
All of these items require transparency to understand the user, permissions, behavior and endpoint involved in accessing data.
Privacy
Privacy has seen increased consumer and citizen demand for transparency into what data is being collected on them and how it is used, as well as assurance that it is properly safeguarded.
The most notable example, of course, is the European Union’s General Data Protection Regulation (GDPR), which many consider the most rigorous privacy and security law currently in place. Despite being passed in the EU, it applies to any organization that targets or collects data on individuals in the EU.
Not only does it take a firm stance on data privacy, but it is also positioned to enforce harsh fines against organizations that violate these privacy standards, and has already done so, with 2021 seeing 2.92 billion euros in fines. For those interested in GDPR, you can learn more here.
The U.S. is slowly following suit, with some states, such as California, issuing their own privacy regulations, such as the California Consumer Privacy Act (CCPA).
The act grants several privacy rights to California consumers, such as the right to know what personal information is being collected about them and how it is used, the right to delete, the right to opt out, and the right to non-discrimination for exercising their CCPA rights. For those interested in CCPA, you can learn more here.
Many in the U.S. have now increased calls for a nationwide privacy approach to unify the current patchwork of state privacy regulations, which leads to confusion and an incoherent national approach to U.S. consumer privacy.
Consumers want transparency around how their personal data is being collected, used and shared.
Companies & the Boardroom
On the corporate front, we’re seeing a regulatory call for increased transparency in the reporting of cyber incidents impacting publicly traded companies, as well as transparency into companies’ security governance, their exercise of oversight of cyber risks, and who on their respective boards or subcommittees is responsible for cyber and actually has the relevant expertise to do so effectively.
These proposed rule changes can be seen here: “Proposed Rule: Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure”. Some speculate this proposed rule could be voted on as early as April 2023.
The requirements include providing regulators with details about the board’s role in cybersecurity risk oversight, as well as details about which members of the board of directors, if any, have relevant cyber backgrounds, and the details associated with them. This would include items like prior roles, academic and professional certification credentials and more. The regulators also seek transparency around whether the board is responsible for cyber risk and how frequently it is informed on cyber risks as part of its regular board activities and discussions.
There is also language about bringing previous cybersecurity incidents out of the dark and into the light. One such example is a line in the proposed rule that says “We also propose to amend these forms to require disclosure, to the extent known to management, when a series of previously undisclosed individually immaterial cybersecurity incidents become material in aggregate.”
Much as chaining low-level vulnerabilities together produces a more severe impact, or pooling previously individually unclassified sets of data raises their classification, a series of security incidents presents a systemic risk in aggregate and likely points to further institutional deficiencies at an organization.
Public regulators are calling for increased transparency into how organizations govern cyber risk, who is responsible for doing so and what their qualifications are. They also want more transparency for the public with regard to material security incidents.
Moving Forward
As highlighted in the recently released Global Cybersecurity Outlook 2023 report, nearly 100% of cyber leaders believe a global cyber attack is imminent in the next 24 months.
Given this widely held perception and society’s dependency on software and digital infrastructure for everything from personal convenience to business, civic services and national security, we need transparency into the digital ecosystem we now find ourselves existing in; otherwise it will be incredibly hard to trust it.
As the saying goes, “Sunlight is said to be the best of disinfectants”.
Society is pushing for transparency of the digital ecosystem that now surrounds every aspect of our lives and the systemic risk associated with it.