Requiring a VDP for Suppliers Won’t Fix Supply Chain Security

The SolarWinds compromise and its ever-expanding list of aftereffects has created a swirl of activity not just in the security and technology industries, but also on Capitol Hill, where there has been a long series of hearings on the intrusion as legislators search for answers about its causes and what can be done to prevent a similar supply chain attack in the future. One of the ideas that has surfaced from those discussions is extending the directive that requires all federal agencies to develop a vulnerability disclosure policy (VDP) to cover third-party suppliers in the private sector as well.

In September, the Cybersecurity and Infrastructure Security Agency (CISA) issued a binding operational directive that required all federal civilian agencies to develop and publish a VDP. The directive required agencies not just to establish a public method for researchers to contact them with a bug report, such as a security@ address, but also to list which systems are in scope, the kinds of testing of those systems that are allowed, and a commitment not to pursue legal action against people who engage in good-faith research that falls within the guidelines of the policy. Those policies were due at the beginning of March, with the goal of the directive being to enable agencies “to remediate vulnerabilities before they can be exploited by an adversary.”

But those policies are confined to systems owned and operated by federal agencies, and each agency is only required to cover a minimum of one system under its policy. The Department of Agriculture, for example, lists five of its websites as being in scope of its VDP. One of the issues with this approach is that federal agencies, like any other large organization, use software and hardware from a wide variety of suppliers and rely on those companies to ensure the security and reliability of their products. The SolarWinds compromise laid bare a problem that many people in the security industry have warned about for years: a well-placed malicious update or backdoor in a popular piece of software can have devastating downstream effects.

During a hearing of the Senate Committee on Homeland Security and Governmental Affairs Thursday on the ramifications of the SolarWinds intrusion, a senator raised the idea of having the requirement for a VDP apply to any company that supplies software to federal agencies.

“Are you considering extending the directive to cover third-party vendors, especially those that provide IT products or services to the federal government?” asked Sen. Jacky Rosen (D-Nev.).

Brandon Wales, the acting director of CISA, said that the agency had not considered that possibility, and added that there were other methods for handling the issue, such as language in procurement contracts.

“It’s not clear that we would necessarily need to do that through a directive. It’s an interesting idea,” Wales said.

VDPs are not a new concept, but they are relatively new to the federal government, and many large technology vendors still don’t have their own published policies. There is an existing pilot program for government suppliers in the defense industrial base to develop VDPs, and a bill passed last fall focused on IoT security has provisions that require vendors who sell devices to the federal government to develop capabilities to find and fix vulnerabilities in those devices. Requiring a supplier to have a VDP could be a useful way of addressing some security concerns, but a supply chain attack like the SolarWinds incident is not at the top of that list: a VDP handles reports of flaws from outside researchers, whereas SolarWinds was compromised internally through its build process.

“All of those things are moving toward a better future but we’re still at the very early stages of governments understanding how VDPs work and how to run them effectively,” said Katie Moussouris, CEO and founder of Luta Security, which helps organizations develop sustainable VDPs.

“I’d be happier if more of these organizations invested money and resources earlier in the software development lifecycle. We’d get more bang for our buck. There’s absolutely nothing about a VDP that would’ve informed SolarWinds about this compromise. That would absolutely have been out of scope for any VDP. There’s a big misunderstanding on the return on investment from VDPs relative to other security measures. It would have done nothing to help any of the other software companies downstream.”

What may have helped federal agencies detect the activities of the SolarWinds attackers in their environments, CISA’s Wales said, is shifting some of the defensive focus in the government from network detection to endpoint detection.

“You can only secure what you can see. Our adversaries have advanced. They’re no longer using the same infrastructure to target us repeatedly. This is all designed to ensure we don’t know where they’re coming from and our traditional systems are unable to stop them. We need to deploy different types of systems to ensure we have the right types of insight,” Wales said.

“There needs to be the right balance. Those perimeter security sensors are valuable, but that balance was too far out of whack in the past, too focused on the network and not the endpoint.”