The webinar (actually two webinars with substantially the same content) this Tuesday, to introduce use of software bills of materials (SBoMs) to the energy industry, was quite successful. We had good turnout for both webinars, and none of the speakers made a fool of themselves. The speakers were:
· Dr. Allan Friedman, the leader (fearless, to be sure) of the Software Transparency Initiative (STI) sponsored by the National Technology and Information Administration (NTIA) of the US Department of Commerce, provided a good overall introduction to SBoMs (which I believe was number 7,452 for him) and to the upcoming SBoM Proof of Concept for the electric power industry.
· Ginger Wright and Andy Bochman of Idaho National Labs discussed their strong interest in seeing SBoMs become widely produced and widely used in the industry, and especially how widely available SBoMs will greatly facilitate the work that INL is conducting on the CyTRICS project.
· Tom Alrich, who has been participating in the STI meetings and volunteered to help Allan organize the energy PoC, discussed what he considers to be the three most important use cases for SBoMs in the power industry (the subject of a future post), as well as another topic (subject of this post).
· Jim Jacobson of Siemens Healthineers described the proofs of concept for the healthcare industry that started in 2018 and are still ongoing (and of which he is the co-leader), in ever-more-ambitious iterations.
· Charlie Hart of Hitachi Automotive described why that industry, in this case led by the Autos-ISAC, has developed such a keen interest in SBoMs (due, truth be told, in no small part to Charlie’s own efforts!), with their own Proof of Concept (PoC) due to start in the near future.
The NTIA will sponsor further informational
webinars for the industry, including 1-2 in February. I will publish those
notices in my blog, but if you’re interested in receiving all notices directly,
you should email Allan at afriedman@ntia.doc.gov
so he can put you on the mailing list.
My second topic on Tuesday had to
do with NTIA, what it does and most importantly what it doesn’t do. It
doesn’t write or enforce regulations, standards, guidelines, Papal encyclicals,
fatwas or anything like that. What it does do is find ways to help private
industry overcome barriers that are impeding adoption of important new
technologies.
Allan described the problem with
SBoMs – which led NTIA to start the STI in 2018 – as a chicken-and-egg problem:
Software suppliers aren’t producing SBoMs because their customers aren’t asking
for them, but their customers aren’t asking for them because they know they’re
not currently available. The solution to this problem is to get a small number
of software suppliers and software users in a particular industry together to
work out – in an antitrust-friendly, NDA-protected manner – processes for both
producing and “consuming” SBoMs. Hence the PoCs.
But this isn’t NTIA’s first rodeo –
in fact, they have been doing this sort of work for decades. They have had a
number of big successes (although they’re very modest – no word of them on
their web site!), but the one both you and I can appreciate most is DNS. NTIA
didn’t invent the idea of DNS, but they did put in place the processes needed to
administer it.
Although NTIA itself ran DNS in
the early days, the goal was always to turn its administration over to the
private sector. NTIA did this in the 1990s, when it outsourced administration
of DNS to the Internet Assigned Numbers Authority (IANA), which runs it to this day (and
currently has a budget of around $100 million).
Did IANA have to compel internet
content providers and users to use DNS? No. To this day there are no
regulations (that I know of, anyway) that compel anyone to use DNS. And if you
really don’t want to use DNS – say, because your religion forbids it – you don’t
have to. After all, every website has an IPv6 address like 2001:0db8:85a3:0000:0000:8a2e:0370:7334.
As long as you know the address of the site you want to go to – and you can
enter it without making a mistake – you will still be able to visit all of your
favorite sites.
Similarly, if you want to get
people to use your site without using DNS, you just have to give every user –
and every potential new user, since the main purpose of most websites is to
interest a larger audience in whatever the site provides – your address. And they
can live a DNS-free life as well!
Of course, if you want to maintain
the million-or-so daily users of your site (which happens to be the approximate
number of daily readers of this blog, give or take a million or so), you’ll
need to provide this address to each of those people. But there’s one catch:
You can’t email it to them, since email uses DNS! You’ll have to call every one
of them. A small price to pay to avoid using DNS, to be sure.
I guess you get the idea: anyone
who uses the internet uses DNS constantly. Yet nobody is compelled to use it.
What it took was someone to help the machine overcome the initial inertia and start
moving on its own. That someone was NTIA. Of course, SBoMs will never be a
concern of the average person; SBoMs won’t end hunger, stop global warming, or solve
the fusion problem.
But if NTIA (and all the others
working toward this end, since many other groups worldwide are promoting the
concept) has its way, SBoMs will become almost a fixture of the security landscape
in, say, 5-10 years. And security professionals will wonder how they could have
ever lived without SBoMs in the past, just as most of us can’t remember[i] a world without the
internet and DNS.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[i] I
remember the world without the internet and DNS quite well. What I can’t
remember is how I could ever have been happy, knowing what I had to go through
then to get information or to communicate with people far away in anything
close to real time, for anything less than a king’s ransom.