The National Defense Authorization Act for Fiscal Year 2023 – which, if passed, provides billions in funding for the American military and other critical areas of the government – has gone through the House of Reps and requires Senate approval before president Joe Biden can green light it .
This draft law contains a seemingly well-intentioned section on managing the risk of software-level attacks on the Department of Homeland Security and its supply chain of applications and online services.
With respect to new and existing government contracts, the proposed act requires a software vendor to provide: “A certification that each item listed on the submitted bill of materials is free from all known vulnerabilities or defects affecting the security of the end product or service. ”
This includes vulnerabilities listed in NIST’s National Vulnerability Database or any other CISA-designated database “that tracks security vulnerabilities and defects in open source or third-party developed software.”
In other words: Homeland Security can’t buy software with any known, registered security flaws.
While this is likely intended to prevent the exploitation of things like Log4j bugs by miscreants to compromise sensitive government systems, the act’s language at first glance is frustrating for some. For one thing, all code has bugs – so blocking purchases on that basis would halt the government’s procurement system in its mighty military-industrial tracks. Then there’s the issue of some bugs that aren’t actually a security risk being wrongly logged in vulnerability databases.
By a strict reading of this act, nothing would ever get deployed.
“This idea is just misguided at best and an impending sh*tshow at worst argued,” Chainguard co-founder and CEO Dan Lorenc.
Now the reality
However, there’s a big caveat. Uncle Sam can buy known buggy software if the contract includes “a notification relating to the plan to mitigate, repair, or resolve each security vulnerability or defect listed in the notification.” In other words, if a bug can be mitigated or is due to be fixed, it’s not a showstopper.
Still, the language sparked an outcry in the Twitterverse as well as concerns that software vendors will stop reporting CVEs – or companies competing for contracts will run bug bounties on each other.
“Policymakers: please stop considering requirements to eliminate all software vulnerabilities, or bans on sale of software with any vulnerabilities,” tweeted attorney Harley Lorenz Geiger, the senior policy director at Rapid7.
“Please understand that not all vulnerabilities are significant, or can or should be mitigated. Okay, thanks policymakers, good chat.”
Others, such as Luta Security CEO Katie Moussouris, urged security pros to take a deep breath and relax. The act allows government officials “to buy software with known CVEs that are mitigated,” she tweeted, adding that Uncle Sam “has to mitigate or accept the risk before deploying.”
Mauricio Sanchez, a research director at Dell’Oro Group who covers network security, told The Register that while he believes the legislators are well-intentioned, the language may put officials in an impossible position when it comes to purchasing technology.
“Unfortunately, it’s typical behavior of our legislators to issue mandates that describe the ‘what’ but not the ‘how,'” he said.
Sanchez said he sees this law bill playing out one of three ways, with regards to Congressfolk.
One: “They cave,” he said. “The technology lobbying arm or someone else raises a colossal stink that this is an untenable mandate (which it is), so legislators remove the wording.”
The second option: “They clarify,” which Sanchez noted involves lawmakers “doing the right thing” and making the mandate more practical as opposed to idealistic.
Finally, there’s a third scenario. “They punt,” Sanchez said. “They take the easy route, leave it in as is, and then claim to their constituency that they are pro-cybersecurity and improving US posture. This leaves federal agencies and courts to expend unnecessary time, energy, and money to clean and tighten up .”
He’s not too hopeful. “If I were a betting man,” Sanchez added, “I’d place the bet on number three.” ®