Tackling the National Gap in Software Understanding
As the Nation’s cyber defense agency, CISA jointly leads an interagency effort to tackle the national gap in software understanding. We are driving efforts that enhance the ability to construct and analyze software to understand its functionality, safety, and security before organizations place it into use, both as producers and consumers of software. Given our mission to understand, manage, and reduce risk to cyber and critical infrastructure, CISA is advocating for capabilities to thoroughly examine and scrutinize software under normal, abnormal, and hostile conditions. These capabilities must scale to the scope of the mission while delivering cost-efficient, reliable, and actionable answers.
Background
Earlier this year, CISA, the Defense Advanced Research Projects Agency (DARPA), the Office of the Under Secretary of Defense for Research and Engineering (OUSD R&E), and the National Security Agency (NSA) published a joint report, Closing the Software Understanding Gap. The report provides recommendations to take deliberate and coordinated measures to close this gap before our adversaries can exploit it.
Manufacturers and developers should design software for analysis—that is, design it to support independent scrutiny of all of its artifacts, not only its source code. This scrutiny helps make software more secure by enabling verification and validation of its possible behavior before organizations and individuals place it into use.
New Report
To start addressing this need, Sandia National Laboratories recently published a report, The National Need for Software Understanding. This report describes the software understanding gap, the risk it poses to national security and critical infrastructure missions, historical decisions that led to the gap, and options to address it.
The software understanding gap is a difficult challenge to address, but one that is vital to solve. Closing the gap will likely require robust public-private collaboration to create the necessary capabilities.
Call to Action
By providing an adequate capacity for software understanding, the United States will harden critical infrastructure against state-sponsored activity and secure an advantage in geopolitics for the foreseeable future. We invite software analysis experts and mission owners to engage with CISA and our partners at DARPA, OUSD R&E, NSA, and National Nuclear Security Agency as we collectively shape research priorities and maintain a sustained focus on addressing this critical challenge.