SAN FRANCISCO — The pushback on including a Software Bill of Materials (SBOM) with every device, whether sincere or insincere, is misguided and has done a disservice to progress on device security, said Josh Corman, vice president of cyber strategy for Claroty, on April 26 at the RSA Conference.
“Java has been doing this forever,” said Corman, who is also the founder of I Am The Cavalry and is considered the “father” of SBOM policy. “This started in the '40s, guys — not for cybersecurity but for business value, quality, and efficiency. [SBOMs] are not new, exotic, scary. So why are people so terrified?”
Opponents of including SBOMs with device submissions point to added costs, the exposure of intellectual property, or even the possibility of handing attackers a roadmap to the device. Apply those same objections to CVEs, MITRE ATT&CK, or even reverse-engineering tools, Corman mused, and the bias or the misplaced concern becomes apparent.
But these arguments, however valid, cannot stop progress. Transparency and liability are coming for all vendors, as confirmed by the White House National Cybersecurity Strategy and the FDA's recent actions on cybersecurity requirements for medical device manufacturers.
An SBOM is in no way a silver bullet; it is a data layer that equips security leaders to do their jobs better. It provides much-needed transparency, and the data show that those with access to these documents are better equipped to remediate known issues when they arise.
How SBOMs helped organizations with the Log4j mitigation
The clearest example was the response to Log4j (the Log4Shell vulnerability, CVE-2021-44228). According to one study, entities with access to SBOMs were less likely to suffer burnout and were able to secure the impacted devices significantly faster than those without.
The biggest challenge faced by all groups, however, was the delay in response from supply chain vendors. Arguably, it’s the healthcare sector that faces one of the greatest challenges with transparency, particularly from device vendors.
Corman pointed to the Log4j response at Sutter Health, one of the largest health systems in the country, and compared it with the response in the financial sector. An unnamed financial entity was able to obtain the needed Log4j information from its vendors and, within four days, had remediated 80% of 4,000 impacted applications.
On the other hand, after 480 days, Sutter Health has still not received the necessary data from 55% of the medical device and equipment vendors that would enable remediation of the flaws, explained Corman. And Sutter Health has “one of the most mature cyber safety programs in the country.”
That gap is not even about remediation: the health system cannot even identify where Log4j may exist within these mission-critical devices, he added. Hospitals have “opaque supply chains.” More than a year after Log4j was disclosed, critical, life-saving devices remain at risk.
Most hospitals “have no idea what's in their own code.” Most vendors “cannot equip their customers to identify it by risk,” said Corman. “Opacity is going to kill people. Opacity probably has killed people. If we have the technology, let's apply the technology.”
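The gap Corman describes, not knowing where log4j-core sits inside a device, is exactly what an SBOM is meant to close. As an added illustration (not code from the page, from Claroty, or from any vendor or health system named here), the Python below walks a set of CycloneDX SBOMs, matches the log4j-core Package URL, and flags versions in the CVE-2021-44228 range (2.0-beta9 up to but not including 2.15.0). It recurses into nested components, strips purl qualifiers before comparing versions, and deliberately does not flag log4j-api or log4j 1.x, which share the name but are not affected by that CVE. The three SBOM documents and their device names are constructed for the example.

```python
"""Added example: triage a fleet's CycloneDX SBOMs for Log4Shell-affected log4j-core.

Not code from the article, Claroty, Sutter Health or any vendor; the three
SBOMs in sample_sboms() are constructed for illustration only.
"""
import json
from typing import Dict, Iterator, List, Optional, Tuple

# CVE-2021-44228 (Log4Shell) affects log4j-core 2.0-beta9 through 2.14.1;
# 2.15.0 was the first release that disabled the JNDI message lookup.
AFFECTED_FROM = "2.0-beta9"
FIXED_IN = "2.15.0"
# Package URL prefix for the one artifact that matters: log4j-api and log4j 1.x
# share the "log4j" name but are not affected by CVE-2021-44228.
LOG4J_CORE_PURL = "pkg:maven/org.apache.logging.log4j/log4j-core@"


def parse_version(version: str) -> Tuple[Tuple[int, int, int], int, str]:
    """Sort key for log4j-style versions: numeric parts, then release > pre-release."""
    main, _, pre = version.partition("-")
    nums = tuple(int(p) for p in main.split(".") if p.isdigit())
    nums = (nums + (0, 0, 0))[:3]
    # A final release sorts after every pre-release with the same numbers.
    return (nums, 0, pre.lower()) if pre else (nums, 1, "")


def is_log4shell_affected(version: str) -> bool:
    """True when AFFECTED_FROM <= version < FIXED_IN."""
    key = parse_version(version)
    return parse_version(AFFECTED_FROM) <= key < parse_version(FIXED_IN)


def walk_components(components: Optional[List[dict]]) -> Iterator[dict]:
    """CycloneDX lets components nest; yield every one, depth first."""
    for comp in components or []:
        yield comp
        yield from walk_components(comp.get("components"))


def find_affected(sboms: List[dict]) -> Dict[str, List[str]]:
    """Map each device (metadata.component.name) to its affected log4j-core versions."""
    hits: Dict[str, List[str]] = {}
    for sbom in sboms:
        device = sbom.get("metadata", {}).get("component", {}).get("name", "<unnamed>")
        for comp in walk_components(sbom.get("components")):
            purl = comp.get("purl", "")
            if not purl.startswith(LOG4J_CORE_PURL):
                continue
            # A purl version may carry qualifiers after '?'; drop them before comparing.
            version = purl[len(LOG4J_CORE_PURL):].split("?", 1)[0]
            if is_log4shell_affected(version):
                hits.setdefault(device, []).append(version)
    return hits


def sample_sboms() -> List[dict]:
    """Three constructed CycloneDX 1.4 JSON documents with hypothetical device names."""
    docs = [
        # log4j-core bundled two levels down inside a monitoring agent: still a hit.
        """{"bomFormat":"CycloneDX","specVersion":"1.4",
            "metadata":{"component":{"type":"device","name":"infusion-pump-gateway"}},
            "components":[{"type":"application","name":"monitoring-agent","version":"3.2",
              "components":[{"type":"library","name":"log4j-core","version":"2.14.1",
                "purl":"pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}]}]}""",
        # Only log4j-api plus an already-fixed log4j-core: not affected.
        """{"bomFormat":"CycloneDX","specVersion":"1.4",
            "metadata":{"component":{"type":"device","name":"imaging-workstation"}},
            "components":[{"type":"library","name":"log4j-api","version":"2.14.1",
                "purl":"pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
              {"type":"library","name":"log4j-core","version":"2.17.1",
                "purl":"pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}]}""",
        # Oldest affected 2.x pre-release next to log4j 1.x (a different product).
        """{"bomFormat":"CycloneDX","specVersion":"1.4",
            "metadata":{"component":{"type":"device","name":"lab-analyzer"}},
            "components":[{"type":"library","name":"log4j-core","version":"2.0-beta9",
                "purl":"pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9?type=jar"},
              {"type":"library","name":"log4j","version":"1.2.17",
                "purl":"pkg:maven/log4j/log4j@1.2.17"}]}""",
    ]
    return [json.loads(d) for d in docs]


if __name__ == "__main__":
    for device, versions in find_affected(sample_sboms()).items():
        print(f"{device}: log4j-core {', '.join(versions)} -> patch or isolate")
```

Run against the constructed fleet, the infusion-pump-gateway and lab-analyzer are flagged and the imaging-workstation is not; that is the answer Sutter Health could not get for 55% of its vendors. The version floor is a parameter: the later Log4j CVEs of December 2021 moved the recommended fix level to 2.17.1, so a real triage would raise FIXED_IN (or consult a vulnerability feed keyed on the purl) rather than hard-code one CVE's range.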
To Corman, much of the pushback is sincere and rooted in a host of concerns, some of them tied to the possible exposure of “unfixable technical debt,” or to legal issues stemming from the use of open source software without proper licensing.
The “newfound transparency” may indeed create legal exposure, or force a company to push many devices to end of life because they rely on very old versions of older platforms, he explained. It is true that it may be “cost prohibitive to remediate the risks you’ve been blindly passing on to your customers… whistling past the graveyard hoping no one would notice.”
“The presence of unfixable technical debt is true, whether you show it or not. And people are afraid of that revelation,” Corman continued. “People are worried about the ongoing scrutiny and accountability they may receive every time a known vulnerability exploit is reported.”
Are some of these concerns valid? Absolutely. But as Corman bluntly put it, these are also deviations from the “basic universal belief that security through obscurity is no security at all.”
Not only that, regulations are already here that make many of these arguments moot. While industry groups continue to push back on these elements, the FDA’s new authorities mandate cybersecurity requirements for all new medical device submissions, including an SBOM.
As SC Media reported, the FDA is already intervening when device submissions lack these required elements, ahead of the Oct. 1 deadline after which it will deny applications that fail to meet the requirements.
“These minimum cyber hygiene requirements were made possible, in part, because we can now see that these attacks on hospitals have contributed to loss of life,” said Corman. “Why will we not use any and all available information to equip us?”
“The key here is being forthright with your customers, setting expectations about if and when you may be able to fix these things or not, then they can make an informed adult decision,” he added. “Respect people enough to share the risks passed downstream to them.”