What does Software Intelligence have to do with securing the US’ critical infrastructure? The two may seem disconnected, but with the growing threat of cyber espionage and hacked systems, the time couldn’t be more right to bring these together.
Last week, the State of New York, where CAST is based, held its primary elections. Throughout the day, I thought about recent reports of hackable voting systems in Florida and elsewhere—a threat that the Department of Homeland Security (DHS) is addressing aggressively.
Robert Kolasky, Director of the DHS's newly formed National Risk Management Center (NRMC), recently testified to a Senate Judiciary subcommittee on Crime and Terrorism that the NRMC sees the upcoming midterm elections as a “potential target for Russian cyber operations.” He added that the organization is “working aggressively to mitigate any foreign threats to our election systems or infrastructure.”
Protecting the Vote—and Much More
The NRMC was created to encourage the private sector’s collaboration with the federal government to manage potential cyber threats—and voting systems are really just one element of its broad plan. The DHS has identified 16 critical infrastructure sectors in a wide range of industries and systems such as communications, financial services, energy, healthcare, and dam management.
The DHS is collaborating with state and local election officials in all 50 states, as well as with voting-system vendors, to protect the election infrastructure. “Our Election Infrastructure Information Sharing and Analysis Center now claims nearly 1,000 members,” said Kolasky in his subcommittee testimony. However, he also acknowledged the technology deficits inherent in these election systems: “It will take significant and continual investment to ensure that systems are upgraded and [that] insecure or vulnerable systems are retired,” he added.
Let’s Take a Broader Approach
What I’d like to bring to this ongoing dialogue is this: yes, cyber threats to voting systems and to any other federal, state, or local infrastructure are a serious concern. Committees and information sharing are a great thing, but I believe we need to get serious about ensuring that the software running our infrastructure is robust and secure. As citizens, we expect all infrastructure to be routinely assessed against a set of safety codes. This certainly happens for bridges and buildings, which are inspected on a regular schedule to ensure they won’t fall down. I believe we’ve reached the threshold where software is an important enough component of critical infrastructure to warrant the same treatment. The most complete independent standard in the industry today for establishing software security and reliability is the one published by the Consortium for IT Software Quality (CISQ). It should be applied to critical infrastructure software as a minimum bar for certifying its safety and stability.
Software Intelligence: Part of the Solution
As a member of CISQ, our firm turns the organization’s rigorous software quality standards into automated software assessments. We’re answering the NRMC’s call to the private sector with a pledge: we’ll provide up to $20 million of pro bono CISQ assessments across those 16 critical sectors as a donation towards securing the nation’s voting and other critical infrastructures. Organizations can certify their software against the CISQ standard as a way to actually move the needle towards safer and more secure critical infrastructure.
We’re honored to share the wealth of our Software Intelligence – and eager to do our part in ensuring the integrity of voting systems and other vital infrastructures. Check in here for updates on our progress, particularly as we look towards November’s midterm Congressional elections.
Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services.
Erik describes the changing landscape of M&A. Besides the financial and commercial aspects, PE firms now place equal value on technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the target’s systems, customized quality metrics, and an analysis of the liability implications of open source components, all three of which are critical for M&A due diligence.