The Executive Order on “Improving our Nation’s Cybersecurity” seemed very important to me when it was issued on May 12. And now that I’ve had a month to discuss it with others, it seems…more important than ever. As luck (and a timely suggestion) would have it, I’ll be participating in a webinar on the EO next Tuesday. The speakers form a great not-the-usual-talking-heads group, all of whom will have very interesting perspectives on the issue of software supply chain cybersecurity - which IMHO is the number one source of supply chain cybersecurity threats nowadays, and perhaps the number two cybersecurity threat worldwide, after ransomware.
I can almost guarantee you’ve never heard from any of the panelists before (other than me, of course. I can’t help that), and that you probably haven’t even heard of some of the things they’re going to talk about. But that’s good – I can also almost guarantee that before last December, you had never even considered the idea that the SolarWinds software development process could be the locus of the most consequential cyberattack on the US in many years, if not ever. I certainly hadn’t, but here we are…
The speakers and their topics are:
· Cole Kennedy, Director of Defense Initiatives, BoxBoat – on why software bills of materials are needed.
· Jon Meadows, Managing Director, Citi – on verifying software. Jon’s title doesn’t tell you much about him, but from having talked with him, I can guarantee that he has a great understanding of supply chain security – especially the software supply chain – and how the different parts all fit together. He’s not to be missed.
· Rob Slaughter, CEO, Defense Unicorns – on DoD’s Platform One Customer DevSecOps platform.
· Andres Vega of VMware. He’s in charge of product security for VMware’s Tanzu platform and will discuss how VMware is addressing the EO.
· Me – on “critical software”, perhaps the most important term in the EO. This is quite controversial, and many different groups are weighing in on how this should be interpreted (the EO asks NIST to define it). Of course, they’re doing this because of the big consequences of the decision on what will and won’t fall within that definition. However, I’m happy to report that all parties agree on one thing: the EO’s own suggestion for how “critical software” should be defined misses the point. But they all have a different idea of what “the point” should be.
Signup is here. I hope to see you next Tuesday!
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the National Telecommunications and Information Administration’s Software Component Transparency Initiative, for which I volunteer. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.