Thursday, January 28, 2021

SBoM and DNS

The webinar (actually two webinars with substantially the same content) this Tuesday, to introduce use of software bills of materials (SBoMs) to the energy industry, was quite successful. We had good turnout for both webinars, and none of the speakers made a fool of themself. The speakers were:

· Dr. Allan Friedman, the leader (fearless, to be sure) of the Software Transparency Initiative (STI) sponsored by the National Telecommunications and Information Administration (NTIA) of the US Department of Commerce, provided a good overall introduction to SBoMs (which I believe was number 7,452 for him) and to the upcoming SBoM Proof of Concept for the electric power industry.

· Ginger Wright and Andy Bochman of Idaho National Labs discussed their strong interest in seeing SBoMs become widely produced and widely used in the industry, and especially how widely available SBoMs will greatly facilitate the work that INL is conducting on the CyTRICS project.

· Tom Alrich, who has been participating in the STI meetings and volunteered to help Allan organize the energy PoC, discussed what he considers to be the three most important use cases for SBoMs in the power industry (the subject of a future post), as well as another topic (the subject of this post).

· Jim Jacobson of Siemens Healthineers described the proofs of concept for the healthcare industry, of which he is the co-leader; they started in 2018 and are still ongoing, in ever-more-ambitious iterations.

· Charlie Hart of Hitachi Automotive described why that industry, in this case led by the Auto-ISAC, has developed such a keen interest in SBoMs (due, truth be told, in no small part to Charlie’s own efforts!), with their own Proof of Concept (PoC) due to start in the near future.

The NTIA will sponsor further informational webinars for the industry, including 1-2 in February. I will publish those notices in my blog, but if you’re interested in receiving all notices directly, you should email Allan at afriedman@ntia.doc.gov so he can put you on the mailing list.

My second topic on Tuesday had to do with NTIA, what it does and most importantly what it doesn’t do. It doesn’t write or enforce regulations, standards, guidelines, Papal encyclicals, fatwas or anything like that. What it does do is find ways to help private industry overcome barriers that are impeding adoption of important new technologies.

Allan described the problem with SBoMs – which led NTIA to start the STI in 2018 – as a chicken-and-egg problem: Software suppliers aren’t producing SBoMs because their customers aren’t asking for them, but their customers aren’t asking for them because they know they’re not currently available. The solution to this problem is to get a small number of software suppliers and software users in a particular industry together to work out – in an antitrust-friendly, NDA-protected manner – processes for both producing and “consuming” SBoMs. Hence the PoCs.

But this isn’t NTIA’s first rodeo – in fact, they have been doing this sort of work for decades. They have had a number of big successes (although they’re very modest – no word of them on their web site!), but the one both you and I can appreciate most is DNS. NTIA didn’t invent the idea of DNS, but they did put in place the processes needed to administer it.

Although NTIA itself ran DNS in the early days, the goal was always to turn its administration over to the private sector. NTIA did this in the 1990s, when it outsourced administration of DNS to the Internet Assigned Numbers Authority (IANA), which runs it to this day (and currently has a budget of around $100 million).

Did IANA have to compel internet content providers and users to use DNS? No. To this day there are no regulations (that I know of, anyway) that compel anyone to use DNS. And if you really don’t want to use DNS – say, because your religion forbids it – you don’t have to. After all, every website has an IPv6 address like 2001:0db8:85a3:0000:0000:8a2e:0370:7334. As long as you know the address of the site you want to go to – and you can enter it without making a mistake – you will still be able to visit all of your favorite sites.

Similarly, if you want to get people to use your site without using DNS, you just have to give every user – and every potential new user, since the main purpose of most websites is to interest a larger audience in whatever the site provides – your address. And they can live a DNS-free life as well!

Of course, if you want to maintain the million-or-so daily users of your site (which happens to be the approximate number of daily readers of this blog, give or take a million or so), you’ll need to provide this address to each of those people. But there’s one catch: You can’t email it to them, since email uses DNS! You’ll have to call every one of them. A small price to pay to avoid using DNS, to be sure.

I guess you get the idea: anyone who uses the internet uses DNS constantly. Yet nobody is compelled to use it. What it took was someone to help the machine overcome the initial inertia and start moving on its own. That someone was NTIA. Of course, SBoMs will never be a concern of the average person; SBoMs won’t end hunger, stop global warming, or solve the fusion problem.

But if NTIA (and all the others working toward this end, since many other groups worldwide are promoting the concept) have their way, SBoMs will become a routine part of the security landscape in, say, 5-10 years. And security professionals will wonder how they could ever have lived without SBoMs in the past, just as most of us can’t remember[i] a world without the internet and DNS.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.


[i] I remember the world without the internet and DNS quite well. What I can’t remember is how I could ever have been happy, knowing what I had to go through then to get information or to communicate with people far away in anything close to real time, for anything less than a king’s ransom.
