White House Cybersecurity Adviser Wants a 'Cleanliness Rating' for Software Security

Policymakers are considering a number of changes to the nation’s cybersecurity posture as a result of the SolarWinds supply chain attack discovered late last year, including data breach notification laws and greater oversight of the nation’s critical infrastructure.

In one of her first public appearances since joining the Biden White House, Deputy National Security Adviser Anne Neuberger floated another idea from an unlikely place: New York City dining establishments.

Neuberger, who previously served in top cybersecurity roles at the National Security Agency, highlighted a Michael Bloomberg-era policy of mandating city restaurants to post their sanitation rating—”A” “B” or “C”—on their front window to incentivize cleanliness. “It immediately put money on the problem,” Neuberger said Friday at a virtual conference held by the SANS Institute. “When restaurant owners saw that they were losing sales on the cleanliness of their restaurant, that visibility fundamentally illuminated the problem.”

“That’s where I’d love to get to in cybersecurity. Today as a network owner, if you’re trying to buy a technology like network management software, we have no way to know the cybersecurity practices used to build it or the level of risk we’re introducing to our networks by buying it,” Neuberger added. “If we had that visibility... then we can make decisions that put money on cybersecurity.”

The idea is similar to one that the Cybersecurity and Infrastructure Security Agency and other organizations have been working on for years—the use of what’s known as a software bill of materials. In the same way that manufacturers use a bill of materials to track parts in its supply chain, a software bill of materials would list out all the open source and commercial code that makes its way into the company’s products.

This added level of visibility would help organizations more easily identify when their systems might be exposed to supply chain vulnerabilities, which cybercriminals and state-sponsored threat groups exploit as a way to get into a target through a side door.

Neuberger also highlighted details about an expected executive order aimed at addressing the SolarWinds hack. According to Neuberger the order will “build in standards for software in critical areas” by addressing issues with public-private information sharing, how to do more coordinated incident response, and getting increased visibility into critical use software. It was not clear if the visibility initiative would look like the security ratings that she described earlier in the conversation.

In addition to the SolarWinds breach, Neuberger also brought up the recent attack on a Florida water treatment plant, in which a hacker tried to raise sodium hydroxide levels to dangerous amounts, as an example of an increased need for “rapid visibility.”

“Fortunately the breach was quickly detected and employees adjusted the controls to safe levels before any contaminated water reached the community,” she said. “The detection of the malicious activity was not by means of cybersecurity but rather serendipity and a really good person doing their job really well.”

Neuberger added that policymakers were taking the issue seriously, and that she expects it to be addressed quickly.

“We sometimes kick the can down the road, and the trend is not getting better—we know we need to address them with urgency,” she said.