Collaborating with private entities is a sure way to improve the security of open source software, said Allan Friedman, senior advisor and strategist at the Cybersecurity and Infrastructure Security Agency (CISA), during day two of the Billington CyberSecurity Summit.
The CISA official acknowledged the recent push to promote government-led solutions, and the reality that agencies cannot solve these problems on their own.
“A couple years ago I was invited on a panel [called] ‘Public-Private Partnerships.’ I said, ‘No, no, I don’t do those. My work is productive,’” Friedman joked.
But in today’s cyber domain that partnership has become critical in figuring out “how we go from data to intelligence to action,” Friedman said when asked how the government can better partner with the private sector.
“I don’t think anyone wants to sit around and wait for agencies to build our own solutions because we’ll do it in three years, it won’t be very good, and the private sector will solve that problem in 18 months. So that’s where we see that partnership can benefit,” he said.
Friedman is also an advocate for software bills of materials (SBOMs) and the resiliency they bring to the cybersecurity community.
“If you’re going to make software, buy software, or use software, you should probably know what’s in that software,” Friedman said.
The Log4j vulnerability – discovered last December – taught the government that it “needs to know what’s under the hood.” According to Friedman, SBOMs provide exactly that. “It’s a list of ingredients,” he said.
“We always talk about resiliency in cybersecurity, and this is exactly what resiliency is. It’s about saying, ‘I know what I have so I can respond quickly, efficiently, and cost-effectively,’” Friedman said.
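To illustrate the “list of ingredients” point in code (an added example, not part of the article or of any CISA tooling): given a small constructed CycloneDX-style SBOM, the script below reports which top-level products transitively pull in a log4j-core version below an assumed fix threshold, which is the “I know what I have so I can respond quickly” workflow in miniature. The SBOM contents, component names, versions and the fix version are all constructed for the example.

```python
import json
from typing import Dict, List

# Constructed CycloneDX-style SBOM for two hypothetical applications; names, versions
# and the fix threshold used below are illustrative, not a real inventory or advisory.
SBOM_JSON = """{
 "components": [
  {"bom-ref": "app:billing", "name": "billing-service", "version": "3.2.0"},
  {"bom-ref": "app:portal", "name": "customer-portal", "version": "1.9.4"},
  {"bom-ref": "lib:logfw", "name": "logging-framework", "version": "5.1.0"},
  {"bom-ref": "lib:log4j-old", "name": "log4j-core", "version": "2.14.1"},
  {"bom-ref": "lib:log4j-new", "name": "log4j-core", "version": "2.17.1"}
 ],
 "dependencies": [
  {"ref": "app:billing", "dependsOn": ["lib:logfw"]},
  {"ref": "lib:logfw", "dependsOn": ["lib:log4j-old"]},
  {"ref": "app:portal", "dependsOn": ["lib:log4j-new"]}
 ]
}"""

def parse_version(v: str) -> tuple:
    # Numeric dotted versions only; non-numeric parts count as 0 (simplification for the example).
    return tuple(int("".join(ch for ch in p if ch.isdigit()) or 0) for p in v.split("."))

def find_affected(sbom_json: str, package: str, fixed_in: str) -> Dict[str, List[str]]:
    """Map each top-level product to the dependency path through which it pulls in
    `package` at a version below `fixed_in`; products with no such path are omitted."""
    sbom = json.loads(sbom_json)
    comps = {c["bom-ref"]: c for c in sbom["components"]}
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    depended_on = {ref for deps in edges.values() for ref in deps}
    roots = [ref for ref in comps if ref not in depended_on]  # products: depended on by nothing
    fixed = parse_version(fixed_in)
    hits: Dict[str, List[str]] = {}

    def walk(ref: str, path: List[str], seen: frozenset) -> None:
        if ref in seen:  # tolerate cyclic dependency data
            return
        c = comps[ref]
        here = path + [c["name"]]
        if c["name"] == package and parse_version(c["version"]) < fixed:
            hits[here[0]] = path + [f'{c["name"]}@{c["version"]}']
            return
        for child in edges.get(ref, []):
            walk(child, here, seen | {ref})

    for root in roots:
        walk(root, [], frozenset())
    return hits
```

Calling `find_affected(SBOM_JSON, "log4j-core", "2.15.0")` flags only `billing-service`, via `logging-framework`, because the portal already ships a version at or above the threshold.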