
Cyber Supply Chain Security

Paul Rosenzweig
Tuesday, December 2, 2014, 11:30 AM

Published by The Lawfare Institute in Cooperation With Brookings

There are many ways to think about enhancing cybersecurity. One, for example, is the prospect of software liability, which would drive safer code. Another interesting take on the problem has just been offered by Representative Ed Royce, the Chairman of the House Committee on Foreign Affairs -- a proposal that he dubs the "Cyber Supply Chain Management and Transparency Act." The bill is a response to the phenomenon of vulnerabilities in open source code (like the infamous Heartbleed bug) and would, broadly speaking, mandate that all contractors of software, firmware or products to the U.S. Government:

"1) provide the procuring agency with a bill of materials of all third party and open source components used - along with their version numbers; 2) demonstrate that those component versions have no known vulnerabilities (NIST CVEs) for which less vulnerable alternatives are available (unless a written exception has been granted); 3) provide secure update mechanisms affording a prompt and agile response when new vulnerabilities are discovered in those products; and, 4) supply said fixes and remediation updates within a reasonable specified time."

That's pretty interesting stuff. I can see some possible arguments against it -- cost being a leading one that comes to mind. But as an innovative way of addressing cybersecurity issues without imposing liability, it deserves serious consideration. I look forward to the bill's reintroduction next Congress and hearings ...
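To make items 1 and 2 of the proposal concrete, the following is an added example (not code from the post, the bill, or any agency) of the check a procuring agency could run: take a bill of materials listing third-party components with version numbers, compare each against a list of known-vulnerable version ranges, and separate components that must be upgraded (a fixed version exists) from those that would need a written exception (no fix yet). The components, advisories and version ranges are constructed for illustration, and the `VULN-000x` identifiers are placeholders rather than real CVE numbers; the `parse_version` helper and its handling of OpenSSL-style letter suffixes are my own assumption about how such versions would be ordered.

```python
"""Added example (not from the post or the bill): checking a bill of
materials against a list of known-vulnerable component versions. All
components and advisories below are constructed; the vulnerability
identifiers are placeholders, not real CVE numbers."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Convert '1.0.1f'-style version strings into comparable tuples.

    Each dotted segment yields (number, letter_suffix), so that
    1.0.1 < 1.0.1f < 1.0.1g < 1.0.2. Assumption: at most one trailing
    letter per segment, as in OpenSSL-style numbering."""
    parts: List[int] = []
    for seg in v.split("."):
        digits = "".join(ch for ch in seg if ch.isdigit())
        letters = "".join(ch for ch in seg if ch.isalpha())
        parts.append(int(digits) if digits else 0)
        parts.append(ord(letters[0].lower()) - ord("a") + 1 if letters else 0)
    return tuple(parts)


@dataclass(frozen=True)
class Component:
    """One line of the bill of materials: a third-party component and its version."""
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    """A known vulnerability affecting [introduced, fixed) of a component.
    fixed is None when no less-vulnerable version exists yet."""
    vuln_id: str          # placeholder identifier, not a real CVE id
    component: str
    introduced: str       # first affected version (inclusive)
    fixed: Optional[str]  # first fixed version (exclusive), or None


def is_affected(comp: Component, adv: Advisory) -> bool:
    """True if the component's version falls inside the advisory's range."""
    if comp.name != adv.component:
        return False
    v = parse_version(comp.version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def check_sbom(sbom: List[Component], advisories: List[Advisory]):
    """Split findings into two lists.

    must_upgrade:    affected and a fixed version is available, which is
                     exactly what item 2 of the proposal forbids shipping.
    needs_exception: affected but no fix exists, the case where a written
                     exception would have to be granted."""
    must_upgrade = []
    needs_exception = []
    for comp in sbom:
        for adv in advisories:
            if not is_affected(comp, adv):
                continue
            if adv.fixed is not None:
                must_upgrade.append((comp.name, comp.version, adv.vuln_id, adv.fixed))
            else:
                needs_exception.append((comp.name, comp.version, adv.vuln_id))
    return must_upgrade, needs_exception


def format_report(sbom: List[Component], advisories: List[Advisory]) -> str:
    """Render the findings as a short plain-text report."""
    must_upgrade, needs_exception = check_sbom(sbom, advisories)
    lines = [f"Components checked: {len(sbom)}"]
    for name, ver, vid, fixed in must_upgrade:
        lines.append(f"UPGRADE REQUIRED: {name} {ver} affected by {vid}; fixed in {fixed}")
    for name, ver, vid in needs_exception:
        lines.append(f"EXCEPTION NEEDED: {name} {ver} affected by {vid}; no fix available")
    if not must_upgrade and not needs_exception:
        lines.append("No known vulnerable components.")
    return "\n".join(lines)


# Constructed bill of materials (fictional component names).
SBOM = [
    Component("example-tls", "1.0.1f"),
    Component("example-zlib", "1.2.8"),
    Component("example-xml", "2.9.0"),
    Component("example-http", "7.38.0"),
]

# Constructed advisories with placeholder identifiers.
ADVISORIES = [
    Advisory("VULN-0001", "example-tls", "1.0.1", "1.0.1g"),   # fix exists
    Advisory("VULN-0002", "example-xml", "2.9.0", None),       # no fix yet
    Advisory("VULN-0003", "example-http", "7.40.0", "7.41.0"), # range not reached
]

if __name__ == "__main__":
    print(format_report(SBOM, ADVISORIES))
```

Run as a script, this reports `example-tls 1.0.1f` as requiring an upgrade to `1.0.1g` and `example-xml 2.9.0` as needing a written exception; `example-http 7.38.0` is below the advisory's introduced version and is not flagged. A real deployment would replace the constructed advisory list with feeds keyed by the NIST CVE identifiers the bill references, and the version parser with one that understands each ecosystem's numbering scheme.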

Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.
