Strengthening Product Security with SBOMs and Collaborative Governance

The increase in cyber attacks against connected automotive, medical, and industrial products has not gone unnoticed by the Federal Government, as demonstrated by the recent release of the White House National Cybersecurity Strategy 2023. This strategy acknowledges the importance of protecting sensitive data and infrastructure from cyberattacks and lays out a framework for a joint public-private product security initiative.

The government’s inability to act swiftly upon earlier attacks on mission-critical infrastructure highlights gaps that Chief Product Security Officers (CPSOs) are grappling with while trying to keep their devices secure in the field. Facing more targeted attacks, and the reputational damage they bring, practitioners are starting to ask “What’s the government’s responsibility towards laying a foundation for stronger and safer product security?”

Effective knowledge sharing

SBOMs (Software Bills of Materials) have been crowned the go-to for product security vulnerability management. 

With the growing need to comply with regulations, companies need to be able to defend critical infrastructure and protect valuable data. Not to mention that more and more organizations now require SBOMs upon delivery of products. Many companies lack the resources necessary to constantly scan, discover, and address vulnerable components embedded in devices across multi-facility networks.

A joint approach is needed where organizations partner with the Federal Government, starting with sharing up-to-date SBOMs with the Federal Government. The more diligently practitioners manage their SBOM repositories, the easier it will be to ensure the business continuity, stability, and security of critical infrastructure. Discovering vulnerabilities and assessing risky components in real time can only be effective if everyone pulls their weight by preparing a list of software components that is easily shareable both internally and externally with stakeholders.

Managing the full vulnerability landscape both within and outside their organizations requires proactive and ongoing collaboration between private organizations and the government. 

The private sector’s responsibility to manage and validate SBOMs 

Many manufacturers of connected devices now manage SBOMs and keep them up to date with each software iteration, since SBOMs are a key piece in spotting and handling vulnerabilities.

Recognizing the strengths of the private sector and their ability to identify embedded components rapidly, the Federal Government wants to collaborate with organizations that follow best practices in an effort to protect the internet and the connected devices that rely on it. The private sector will use its expertise and the government will take legal action to combat cybercrime.

The new idea is to take the SBOM directory to a level that enables the global ecosystem to detect and mitigate risks faster, together.

Instead of a Tier-N supplier or manufacturer discovering a critical vulnerability and fixing it locally, they can alert the global SBOM directory. This enables companies with fewer resources or less frequent scanning protocols to patch risky components before an incident occurs. A collaboration between the global product security ecosystem and the government is the key to an efficient response to cyber attacks.
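The mechanics behind "discovering vulnerabilities" from a shared SBOM are simple to show. The following is an added example, not code from the article or any vendor: it reads a CycloneDX 1.4 SBOM (a constructed sample for a fictional firmware image), and checks each component against a constructed advisory list whose schema (package name plus first fixed version, with placeholder advisory ids) is a hypothetical simplification of a real vulnerability feed.

```python
import json
import re

# Constructed CycloneDX 1.4 SBOM for a fictional device firmware image.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "components": [
        {"type": "library", "name": "zlib", "version": "1.2.11",
         "purl": "pkg:generic/zlib@1.2.11"},
        {"type": "library", "name": "curl", "version": "7.79.1",
         "purl": "pkg:generic/curl@7.79.1"},
        {"type": "application", "name": "busybox", "version": "1.33.0",
         "purl": "pkg:generic/busybox@1.33.0"},
        # A component without a purl: the matcher falls back to name/version.
        {"type": "library", "name": "mbedtls", "version": "2.28.3"},
    ],
})

# Constructed advisories (placeholder ids, hypothetical schema): a component
# is affected when its version is lower than the first fixed version.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "zlib", "fixed_in": "1.2.12"},
    {"id": "ADV-EXAMPLE-0002", "package": "busybox", "fixed_in": "1.34.0"},
    {"id": "ADV-EXAMPLE-0003", "package": "curl", "fixed_in": "7.79.0"},
]

# purl shape: pkg:type/[namespace/]name@version[?qualifiers][#subpath]
_PURL_RE = re.compile(r"^pkg:[^/]+/(?:.*/)?(?P<name>[^@/?#]+)@(?P<version>[^?#]+)")


def version_key(version):
    """Turn a dotted numeric version into a tuple so '1.2.12' > '1.2.9'."""
    return tuple(int(part) for part in version.split("."))


def parse_sbom(sbom_json):
    """Return (name, version) pairs, preferring the purl when present."""
    components = []
    for comp in json.loads(sbom_json).get("components", []):
        match = _PURL_RE.match(comp.get("purl", ""))
        if match:
            components.append((match["name"], match["version"]))
        else:
            components.append((comp["name"], comp["version"]))
    return components


def affected_components(sbom_json, advisories):
    """List (name, version, advisory id) for every component below a fix."""
    hits = []
    for name, version in parse_sbom(sbom_json):
        for adv in advisories:
            if adv["package"] == name and version_key(version) < version_key(adv["fixed_in"]):
                hits.append((name, version, adv["id"]))
    return hits
```

Running `affected_components(SBOM_JSON, ADVISORIES)` flags zlib and busybox but not curl, whose version is already at or past the fix; real feeds use richer version-range semantics than this numeric comparison.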

So what’s the government’s role in this? 

From goose chase to resilience: government’s crucial role in cybersecurity

Being able to bounce back from cyber attacks is important. That’s part of the private sector’s job. But if we don’t do anything to deter cyber criminals, we’re going on a wild goose chase as new threat actors fill the voids that were left behind.

This is where the government’s responsibilities kick in. There are three things the government can do to support an effective product security game plan:

  1. Provide a safety net – The government’s role is to protect companies from cybersecurity-related legal liability as long as they follow predefined best security practices. 
  2. Impose legal repercussions – The government is the only organization that can execute the legal infrastructure to go after those who practice cybercrime.  
  3. Partner with allies – Despite its size, the US government can’t secure the internet on its own. The Federal Government will partner with allies to go after organizations that pose a risk to mission-critical infrastructure to ensure a safer global internet.

The ability of governments worldwide to take legal action against crimes that cross any border would cause would-be cybercriminals to think twice.

Cracking down on cybercrime to secure the digital landscape

A common standard of security keeps the whole world safer, and in the product security world that’s only possible with SBOMs as a foundational piece of any strategy. Harnessing the community’s collective knowledge and the government’s legal power to go after current and future cybercriminals gives those who want to keep the internet safe a comprehensive action plan, while dismantling far more vulnerabilities in a shorter time.

Governments that work together to go after cybercriminals, along with manufacturers, will also come together to establish a common standard for device security protocols. *Ahem, SBOM, ahem*. All with the purpose of implementing industry best practices as a global standard for crucial product security tasks like managing and validating SBOMs, detecting and prioritizing vulnerabilities, managing incident response, and ensuring compliance with regulations.