The Forum on Cyber Resilience of the National Academies of Sciences, Engineering, and Medicine hosted a Workshop on Software Update at its Winter 2017 meeting on February 6, 2017, in Washington, D.C.
The workshop featured experts representing various industries, research laboratories, and government agencies. Speakers discussed experiences and challenges related to a range of issues surrounding software updates, reflecting on the historical evolution, exploring today’s tools and gaps, and considering future concerns and opportunities, especially as related to software update as a tool for improved cybersecurity and resilience. Participants identified key questions, suggested ideas, and closely examined uncertainties involved in improving software updates today and tomorrow.
The meeting was open to the public. This proceedings was created from the presenters’ slides and a full transcript of the workshop; it is intended to serve as a public record of the workshop presentations and discussions.
Fred B. Schneider, Ph.D., the Samuel B. Eckert Professor of Computer Science at Cornell University, member of the National Academy of Engineering, and Forum chair, opened the meeting with a brief overview of the National Academies’ Forum on Cyber Resilience. He then introduced the workshop’s topic with a metaphor: recycling. Soda used to come only in large glass bottles, but eventually cheaper, more convenient metal cans and plastic bottles were introduced. The new packaging had an unfortunate side effect: increased litter. Rebate and recycling programs, as well as laws criminalizing litter, evolved to address this problem, although, Schneider noted, “It took a while to put all the right mechanisms in place.”
Like the landscape of soda bottles littering our streets before recycling, we now live in a world that is fast accumulating the remnants of “disposable” software, Schneider said. People constantly replace their devices, and software vulnerabilities are constantly discovered and fixed. But a great deal of vulnerable software remains in use. This software is desperately in need of updates that, for a variety of reasons, it’s not getting. This software and these vulnerable systems are a new form of litter.
Software update methods allow us to “cope with the reality that there are going to be vulnerabilities,” Schneider said, by either patching or replacing vulnerable software. As software continues to proliferate and our lives become ever more dependent on it, the consequences of vulnerabilities grow. Deploying updates securely is also an increasingly complex technical challenge. Updates are no longer just one aspect of a developer’s responsibilities; they have become a central concern of the industry.
Although not updating software is clearly problematic for security, deploying software updates also comes with risks. If an update goes wrong, the device could break or provide an opening for attackers. Any sort of centralized or automated distribution of updates becomes an attractive target for attackers. Even sending physical disks with updates through the mail, a system previously used for updating flight-control software on commercial airplanes, is not necessarily secure. Updates also, as a side effect, advertise that previous versions of the software are vulnerable to attack, even pointing attackers to specific vulnerabilities that can be exploited in non-updated devices.
Recertification of software raises other issues. After performing an update, a naval warship might require 6 months in port to recertify all of its systems, Schneider noted. The lengthy recertification process also required for airplanes and medical devices means that automated updates (such as the regularly scheduled updates from Microsoft, known as “Patch Tuesday”) would be untenable in those situations.
Economics is also a concern, underscored by the proliferation of ever-cheaper mobile devices and the applications people buy for them. At these low price points, or “hit-and-run sales,” manufacturers may assume they are not entering into a long-term relationship with consumers. Such manufacturers might not feel obligated to provide software updates that deliver the level of security that manufacturers of other types of products might provide. Users’ rights are also a factor: deploying software updates can give manufacturers broad access to a user’s device, which raises potential privacy issues and creates antitrust minefields, Schneider said.
In short, cleaning up the “discarded soda bottles” of our information technology ecosystem involves not only complex technical challenges but economic, political, and social consequences as well. The Forum provided a venue to dive into these issues, tease out nuances, and expose hidden assumptions surrounding software updates.