CyberSecurity SEE

CISA Urges Action to Close the Software Understanding Gap

WASHINGTON – The recent collaborative effort between the Cybersecurity and Infrastructure Security Agency (CISA), the Defense Advanced Research Projects Agency (DARPA), the Office of the Under Secretary of Defense for Research and Engineering (OUSD R&E), and the National Security Agency (NSA) resulted in the publication of “Closing the Software Understanding Gap.” This publication emphasizes the urgent need for the U.S. government to enhance its understanding of software-controlled systems on a deep and scalable level.

The report underlines the current lack of capability among mission owners and operators to fully comprehend software due to the rapid advancements made by technology manufacturers. The software industry has outpaced the ability of users to understand its complexities, thereby leaving vulnerabilities that can be exploited by malicious entities. This gap in software understanding is particularly concerning in light of recent state-sponsored attacks on critical infrastructure sectors in the US, including Communications, Energy, Transportation Systems, and Water and Wastewater Systems.

CISA Technical Director, Chris Butera, highlighted the imminent threats to national security posed by this software understanding gap. He stressed the critical importance of closing this gap to safeguard the nation’s critical infrastructure and urged both the U.S. government and software manufacturers to adopt Secure by Design principles.

The report also presents potential solutions to enhance the security of software, such as the application of mathematically rigorous formal methods. These techniques, once considered out of reach for mainstream practice, have become more accessible in recent years due to advancements by DARPA and other organizations. Implementing these tools in both legacy and future systems could significantly reduce cyber vulnerabilities in the United States.

Kathleen Fisher, Director of DARPA’s Information Innovation Office, echoed the sentiment that current tools can greatly diminish software vulnerabilities in infrastructure systems. Urgent action to implement these tools across various systems can bolster the nation’s cybersecurity posture in anticipation of future global conflicts.

Furthermore, the report provides recommendations for obtaining a comprehensive understanding of software-controlled systems, including those driven by artificial intelligence. By enhancing software understanding capabilities, the United States can gain a strategic advantage in geopolitical matters and fortify critical infrastructure against foreign threats.

The report emphasizes the necessity for broad government coordination to develop the required capabilities for addressing these cybersecurity challenges effectively. By fostering collaboration among various government agencies and stakeholders, the U.S. can enhance its readiness to combat emerging cyber threats.

For additional information on Secure by Design principles, interested parties can refer to the Secure by Design webpage on the CISA website. As the nation’s cyber defense agency and the leading coordinator for critical infrastructure security, CISA continues to spearhead efforts to manage risks and enhance cybersecurity across digital and physical infrastructure nationwide.
