NSA publishes recommendations for making national security-related software understandable
On January 16, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), the Defense Advanced Research Projects Agency (DARPA), and the Office of the Under Secretary of Defense for Research and Engineering (OUSD R&E) published a report that urges a national effort to better understand the behavior of the software underpinning national security and critical infrastructure systems.
The Cybersecurity Information Sheet (CSI), “Closing the Software Understanding Gap,” points to the need for policy action, technical innovation, and resources to help system owners and operators better construct and assess their software-controlled systems across all conditions: normal, abnormal, and hostile.
“A lack of understanding of software imposes risks on many critical systems that are dependent on software to run properly and as intended,” said Neal Ziring, NSA Research Technical Director. “This report is a national call for the government and private sectors to work together to prioritize understanding software as a national effort critical to the nation’s success in the future.”
Currently, the nation’s ability to build software outstrips its ability to understand it, leaving systems vulnerable to exploitation, the CSI states. Undiscovered behavior in software has exposed critical vulnerabilities in aircraft, military systems, and supply chains and has impacted national security objectives; the CSI cites numerous examples.
The CSI outlines a call to action to address gaps in software understanding through:
- Policy action – As technical capabilities mature, policy needs to evolve to require and formalize processes for characterizing software behavior before it is introduced into critical systems.
- Technical innovation – Technical capabilities for measuring software and reasoning about its behavior need to be developed to reduce risk. All suitable techniques, including formal methods and artificial intelligence, should be leveraged to develop rigorous, reliable, rapid, and inexpensive capabilities.
- Resources – Significant sustained investments in research, development, and engineering are needed to support a unified set of software understanding capabilities. Public and private partnerships with industry should also be explored to ensure practical and efficient solutions that can be leveraged across missions and diverse systems.
Source: NSA