Full Report
In a joint report with DARPA and others, the cyber agency said that knowledge gap “exacerbates” risks posed by threat actors in U.S. critical infrastructure. The post Closing software-understanding gap is critical to national security, CISA says appeared first on CyberScoop.
Analysis Summary
# Main Topic
Closing the "software understanding gap" is critical for U.S. national security, as a lack of comprehensive knowledge regarding software functionality, safety, and security in critical infrastructure exacerbates risks posed by foreign threat actors.
This finding is articulated in a joint report by CISA, DARPA, the Office of the Under Secretary of Defense for Research and Engineering, and the NSA.
## Key Points
- The knowledge gap is specifically defined as a "disparity of technical investment," where investment in software production significantly outpaces investment in improved software understanding.
- This gap is worsening the risks posed by state-sponsored activity within U.S. critical infrastructure sectors.
- CISA and partners urge the U.S. Government (USG) to take "decisive and coordinated" action to properly assess software-controlled systems.
- The fundamental recommendation is for software manufacturers to align with Secure by Design principles.
## Threat Actors
- **China (Strategic Competitor):** Highlighted as having achieved an "elevated position" through sustained, multi-pronged national policy and technology investments, enhancing both offensive and defensive capabilities to manipulate and exploit software vulnerabilities. China also maintains a regime aimed at reducing its dependency on foreign software in its supply chain.
- **Russia:** Mentioned in the context of having reportedly "demanded access to software details in exchange for access to its markets," suggesting leverage efforts tied to software dependencies.
- **General State-Sponsored Activity:** Posing imminent threats to national security networks.
## TTPs
*Because the article addresses a systemic gap rather than a specific attack, explicit TTPs (Tactics, Techniques, and Procedures) are not detailed. The core issue is that poor software understanding enables exploitation.*
- Exploitation of software vulnerabilities stemming from the understanding gap.
- Manipulation of software supply chains (implied via China discussion).
## Affected Systems
The vulnerability manifests primarily in U.S. critical infrastructure networks, specifically mentioning:
- Energy systems
- Transportation systems
- Telecommunications (Telecom) systems
- Water and wastewater systems
## Mitigations
- **Government Action:** The USG must enact "decisive and coordinated" action to close the software understanding gap.
- **Software Manufacturing:** Software manufacturers must align to **Secure by Design principles**.
- **Assessment:** Comprehensive assessment of software-controlled systems is needed to verify functionality, safety, and security under all conditions.
## Conclusion
The lack of deep technical understanding of the software underpinning critical infrastructure creates severe national security vulnerabilities, particularly against strategic competitors such as China, which are investing heavily in building capability in this area. Immediate, coordinated efforts that shift investment toward software understanding and enforce Secure by Design principles are deemed essential to mitigate the escalating risks.