White House Cyber Commission May Endorse Security Ratings System for Software

Orhan Cam/Shutterstock.com

Legendary Hacker "Mudge" expects to release results from security tests of 100,000 software programs as early as July.

Early results from consumer safety tests of about 100,000 software applications will be released as early as next month from the lab of famed cybersecurity whiz Mudge. 

Mudge, whose given name is Peter Zatko, launched the Cyber Independent Testing Lab after receiving a call from the Obama administration last summer, he said.

Now, the lab is ready to unveil preliminary ratings, after scrutinizing bugs (really developer errors) in tens of thousands of applications, he told Nextgov. Meanwhile, a White House commission already has suggested it will endorse the idea of product cybersecurity-ratings in recommendations due in December for the next president. 

The software tools under the lab’s microscope include everything from web browsers to industrial control systems, Mudge said. 

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

The CITL consumer guidance is expected to look more like nutrition labels than mere Underwriters Lab (UL)-like markings. Think of a Consumer Reports for software security that would let users ranging from holiday shoppers to information security managers compare and contrast products.

A UL-like body for software integrity is "something that the commissioners have really been discussing and thinking though to the point that it’s, 'Can we put forth some type of recommendation that looks at that?'" Kiersten Todt, executive director of the White House Commission on Enhancing National Cybersecurity, told a federal advisory board last week. 

The Information Security and Privacy Advisory Board, while receptive to the general concept, cautioned that any sort of cybersecurity scores could create a false sense of security.

For example, cybercriminals have discovered ways to intercept seemingly tamper-proof communications on HTTPS webpages that sport those green padlocks, one board member noted.

According to Todt, the CITL rating regime doesn’t claim this is “a safe product,” and “it doesn't say it's going to prevent breaches,” rather, it indicates the level of risk the software poses.

Whenever conversations surrounding a UL or Good Housekeeping seal of approval for cyber come up, so do concerns about the footnotes underneath the symbol.

“It’s like the warning announcements on a drug commercial: 'Take it. It will make your feel better, but it could also make you die. It could also give you a heart attack,’” Todt said. It’s important to “ensure that the fine print doesn’t completely change the meaning of what a star is.”

Not a Hack-proof Certification or Seal of Approval

Last fall, the Defense Advanced Research Projects Agency, the Pentagon's emerging tech division, contracted CITL to evaluate the viability of a new organization that would screen software safety the way Underwriters Laboratories screens electronic device safety.

The study is expected to be completed by the end of 2016, DARPA spokesman Jared Adams told Nextgov earlier this week.

Mudge, a one-time DARPA researcher, most recently tinkered with code inside Google's Advanced Technologies and Projects Group. 

On June 29 of last year, he tweeted, "Goodbye Google ATAP, it was a blast. The White House asked if I would kindly create a #CyberUL, so here goes!"

At the time, there was some confusion as to whether this would be a new federal agency or part of the actual UL company.

Today, Mudge prefers to liken his testing model to the Consumer Reports approach to inspections.  

The CITL rating system "is most certainly not an opaque seal of approval” and there is no focus on certifications, he stressed.

The forthcoming “software quality and inherent vulnerability” results are based on a wide range of heuristics attackers themselves use to differentiate hard targets from soft targets, Mudge said.

Scores for Windows, Linux and OS X will be revealed in the upcoming preview.

Two counterintuitive findings: Sometimes, the more secure product is actually the cheaper one. Often, a security-focused product is the most vulnerable product.

The Underwriters Lab has its roots in 1890s assessments of lamp adjusters and fire alarm boxes, among other electrical appliances. Proposals for a CyberUL date back to a 1999 “call for action” by L0pht Heavy Industries, a hacker collective which counted Mudge among its members

In May 1998, way before Gmail or online banking became a thing, the L0pht crew testified on Capitol Hill, with Mudge seated front and center, about the looming dangers of bad internet security.