The Network Resilience Coalition recently issued recommendations aimed at improving network security infrastructure by addressing vulnerabilities created by outdated and improperly configured software and hardware. The NRC, established in July 2023 by the Center for Cybersecurity Policy and Law, includes members such as AT&T, Broadcom, BT Group, Cisco, Fortinet, Intel, Juniper Networks, Lumen Technologies, Palo Alto Networks, Verizon, and VMware. These recommendations come as nation-state threat actors have increased efforts to exploit hardware and software vulnerabilities.
According to the NRC’s whitepaper, one of the key areas for improvement is secure software development and lifecycle management. The coalition emphasizes secure-by-design and secure-by-default product development as the way to strengthen software supply chain security, in line with government cybersecurity standards. This effort corresponds with the Biden Administration’s Executive Order 14208, which calls for modernized cybersecurity standards and improved software supply chain security, as well as the Cybersecurity and Infrastructure Security Agency’s (CISA) Security-by-Design and Default guidance and the Cyber Security Act issued last year.
Eric Goldstein, the executive assistant director for cybersecurity at CISA, expressed surprise at the formation of the NRC and the release of the whitepaper, calling it a welcome development. He remarked on the recent cooperation among networking providers, technology providers, and device manufacturers to collectively advance cybersecurity throughout the product ecosystem.
The NRC’s call on vendors to map their software development methodologies to NIST’s Secure Software Development Framework (SSDF) and to support OpenEoX underscores the need for a comprehensive approach to cybersecurity. The coalition’s efforts align with initiatives to enhance transparency in software, establish secure build environments, and tighten software development processes. This coordinated approach should result in a significant improvement in security beyond critical infrastructure, according to Matt Fussa, the chief trust officer at Cisco.
Fussa also acknowledged that vendors have been slow to comply with executive-order requirements to issue SBOMs or to self-attest to the open-source and third-party components in their offerings. However, he urged stakeholders to start adopting the practices outlined in the new report with a sense of urgency, emphasizing the need for proactive measures against evolving security threats.
As an industry consortium, the NRC can incentivize members to follow its recommendations but cannot enforce them. Despite this, the coalition’s alignment with the Executive Order and with the National Cybersecurity Strategy released by the White House last year suggests that adhering to these recommendations may eventually become a legal requirement. Jordan LaRose, global practice director for infrastructure security at NCC Group, sees the backing of ONCD and CISA as significant, although some may question why they should read the whitepaper when existing frameworks are already available.
Carl Windsor, senior VP of product technology and solutions at Fortinet, emphasized the need to build security into products from day one, aligning with NIST standards. This proactive approach addresses the security challenges posed by rapidly evolving cyber threats.
The NRC and its recommendations are a response to the increasingly sophisticated cybersecurity threats posed by nation-state actors. The coalition’s focus on secure software development, lifecycle management, and risk identification aims to mitigate these threats and protect the integrity of critical infrastructure and beyond. As vendors and governments continue to collaborate on cybersecurity best practices, these efforts are expected to shape the future of cybersecurity standards and regulations in the United States and around the world.