www.hpe.com (2a02:26f0:6c00:2b1::1463) Public Scan

Submitted URL: http://app.connect.hpe.com/e/er?elq_mid=32958&elq_cid=49136555&s=2048&lid=203453&elqTrackId=834b66100cec407aa5c1bdc15723658...
Effective URL: https://www.hpe.com/us/en/insights/articles/what-makes-critical-software-critical-2108.html?jumpid=em_si4hnf7vpx_aid...
Submission: On October 22 via api from SE — Scanned from DE


August 31, 2021 | By Christopher Null


WHAT MAKES 'CRITICAL SOFTWARE' CRITICAL?


Biden has ordered the government to secure critical software. A zero trust
strategy is necessary to meet the goal.

Let's get serious about cybersecurity.

That was the unvarnished message delivered by the Biden administration in May,
when officials unveiled an Executive Order designed to "chart a new course to
improve the nation's cybersecurity and protect federal government networks." The
order wasn't the usual lip service about the importance of computer security but
rather was intended as a wake-up call to industry about the need for new
safeguards.

The government briefing mentioned recent high-profile attacks against important
physical infrastructure and Internet security services. As the official running
the briefing noted at the time, we now find ourselves under "constant,
sophisticated, and malicious attack—[ranging] from nation-state adversaries to
run-of-the-mill criminals."

Executive Order 14028 is more than 8,000 words in length and runs the gamut from
requiring threat and incident information to be shared among competitors to
mandating implementation of zero trust architectures across all government
agencies.

One of the most talked-about components of the order involves a mandate to
"enhance the security of the software supply chain," which includes developing
plans to lock down what the order calls critical software. The catch: At the
time of the order's release, no one really knew what critical software was, much
less how to protect it.

"...the federal government must take action to rapidly improve the security and
integrity of the software supply chain, with a priority on addressing critical
software."

Executive Order on Improving the Nation's Cybersecurity, May 12, 2021




WHAT IS CRITICAL SOFTWARE, ANYWAY?

The Executive Order did spell out a strategy to get to that definition, however,
giving the secretary of commerce 45 days to formally define critical software.
In June, the National Institute of Standards and Technology (NIST) released
a formal definition, another 3,300 words of dense material that lays out some
new ground rules.


As part of that, NIST defines critical software as any software that has any one
of the following characteristics (or has dependencies upon any device with one
of these characteristics):

 * Is designed to run with elevated privilege or manage privileges;

 * Has direct or privileged access to networking or computing resources;

 * Is designed to control access to data or operational technology;

 * Performs a function critical to trust; or

 * Operates outside of normal trust boundaries with privileged access.

Drilling down further, NIST details a variety of specific categories of software
that the definition applies to, including identity and access management
systems, operating systems (real or virtual), web browsers, security software,
various network and operations management systems, remote access tools, and
backup utilities. The list is so exhaustive that, observers say, it would be
hard to imagine a piece of software today that is not "critical" under the
definition.

In any event, the next deadline is in November, when guidelines on how to
specifically enhance these critical software tools are set to be published.
Pilot security programs developed under the guidelines are expected to be
implemented in February 2022.


PREPARING FOR DOOMSDAY

Until that time, technology providers are preparing themselves for what is
certain to be a mad scramble to secure systems that are sold to and used by
government agencies. How complex will it be to turn critical software into
software that operates safely?

"This whole idea of criticality is that, whether it's hardware or software or
data, it's required to be able to recover from a malware attack," says Tom
Laffey, a distinguished technologist at Aruba, a Hewlett Packard Enterprise
company, and noted expert in the development of secure computing systems.

Laffey lays out a simplified scenario as an example: Imagine a device with boot
firmware, like a PC. Under a critical software scenario, that firmware would
include routines that continually authenticate the firmware, and should
something turn out to be amiss due to a hacking attempt or other type of
corruption, it can initiate a recovery operation—preferably automatically—that
reverts the firmware to a known good version. "There will be some mechanism that
basically says, 'I know that whatever I was normally going to boot is not
trusted any longer, so I'm going to get a new load,'" Laffey explains.
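The boot-time check-and-recover loop Laffey describes, reduced to a runnable model. This is an added illustration, not code from the article, Aruba, HPE or NIST, and it makes two simplifying assumptions: the bootloader measures the active firmware image with SHA-256 and compares it against a manufacturer-authenticated manifest, and an HMAC under a constructed "platform key" stands in for the asymmetric signature a real device would verify against a key burned into hardware. The firmware image, the key and the tampered copy are all constructed sample data.

```python
"""Model of authenticated boot with automatic recovery to a known-good image.

Added example (not from the article or any vendor). The bootloader measures
the active firmware slot on every boot; if the measurement does not match the
authenticated manifest, it refuses to run that image, restores the active slot
from a write-protected recovery copy, and boots that instead. No operator is
involved, which is the property the article stresses for fleets of devices.
"""
import hashlib
import hmac

# Constructed stand-in for a hardware-held verification key. A real device
# would verify a signature with a public key rooted in silicon, not an HMAC.
PLATFORM_KEY = b"constructed-platform-key-for-demo-only"


def measure(image: bytes) -> bytes:
    """SHA-256 measurement of a firmware image (what a TPM/secure boot hashes)."""
    return hashlib.sha256(image).digest()


def sign_manifest(image: bytes, key: bytes = PLATFORM_KEY) -> bytes:
    """Manufacturer side: authenticate the measurement of a known-good image."""
    return hmac.new(key, measure(image), hashlib.sha256).digest()


def image_is_trusted(image: bytes, manifest: bytes, key: bytes = PLATFORM_KEY) -> bool:
    """Bootloader side: recompute the authenticated measurement and compare
    in constant time, so a tampered image cannot be distinguished by timing."""
    expected = hmac.new(key, measure(image), hashlib.sha256).digest()
    return hmac.compare_digest(expected, manifest)


class Device:
    """Two firmware slots: an active slot and a write-protected recovery slot."""

    def __init__(self, golden_image: bytes):
        self.manifest = sign_manifest(golden_image)
        self.recovery_slot = golden_image  # known-good copy, never written at runtime
        self.active_slot = golden_image
        self.log = []

    def boot(self) -> dict:
        if image_is_trusted(self.active_slot, self.manifest):
            self.log.append("active slot verified; booting")
            return {"booted": "active", "recovered": False}
        # Measurement mismatch: corruption or tampering. Never execute it.
        self.log.append("active slot failed verification")
        if not image_is_trusted(self.recovery_slot, self.manifest):
            self.log.append("recovery slot also untrusted; halting")
            return {"booted": None, "recovered": False}
        self.active_slot = self.recovery_slot  # automatic re-flash from known-good
        self.log.append("active slot restored from recovery slot; booting")
        return {"booted": "recovery", "recovered": True}


def demo():
    """Boot clean, tamper with the active image, boot again, boot once more."""
    golden = b"FIRMWARE v1.0 (constructed sample image)"
    dev = Device(golden)
    first = dev.boot()                                   # clean boot
    dev.active_slot = golden.replace(b"v1.0", b"v1.0x")  # simulated implant/corruption
    second = dev.boot()                                  # detected, auto-recovered
    third = dev.boot()                                   # restored image boots normally
    return first, second, third, list(dev.log)


if __name__ == "__main__":
    for line in demo()[3]:
        print(line)
```

The design point worth noting is that detection and recovery are a single decision made by the bootloader before any firmware runs: the untrusted image is never executed, and the recovery image is itself verified against the same manifest before it is used, so a corrupted recovery slot halts the device rather than silently booting something else.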


"The intention of the people who wrote this is to make it automated," he says.
That's a key point when you're talking about the thousands or millions of
systems that can make up key infrastructure networks. If each of those
component systems becomes infected, remediation can quickly become a nightmare,
as it did in 2007 when the nation of Estonia, from its banking services to its
broadcasting capabilities, was brought to a standstill during weeks of what
appeared to be state-sponsored attacks triggered by a local political decision
to relocate a statue. If such critical systems can be redesigned to revert to a
trusted state without human intervention once an exploit is detected, even
massive attacks like the one on Estonia could theoretically be staved off with
relative ease.


THE ROAD TO SECURE COMPUTING

But putting that into practice won't be easy, which is why the mandate to
protect critical systems is being pushed from government agencies to the
providers of the software and services they use.

"The idea isn't that the enterprises lock the software down," says Dan Desko,
CEO of Echelon Cyber, a cybersecurity risk advisory. "It is more about holding
the software providers accountable for producing products that are error free
and that their code base is adequately protected from breach and implants." In
other words, force software and hardware developers to design protections into
their products, and the end user has a lot less to worry about.

Laffey says an ecosystem for protecting critical software has been developing
for years, but most perceive it as remaining mired in the research stage,
perhaps because of the lack of any real mandate to bring the concept into
production. That changes with the Executive Order. "I think across the industry
we now see more people understanding what this is for and why people want it,"
he says, pointing to the availability of technologies that can now authenticate
a variety of hardware, software, and firmware devices.





BRINGING CRITICAL SYSTEM SECURITY TO THE MASSES

While the Executive Order covers only government systems, it probably won't be
long before the mandate trickles down to enterprises. Corporate America uses the
same cloud computing services, telco networks, and computer operating systems
that the government does, so whether they demand it or not, businesses that have
no connection to government at all are likely to implement such security
technologies in the near future as well.

"If security can enable the generation of more business or can improve
businesses, then it should be introduced," says Uri Bar-El, head of the
cybersecurity practice at Qualitest, a software assurance and testing company.
As such, it likely makes sense for all hardware and software developers to begin
taking steps to implement trusted computing technologies into their products,
whether they are perceived as critical or not. Eventually, such security
routines may become a minimum business requirement for tech companies that
market to government, businesses, or consumers.


In addition to technology infrastructure providers like telcos and broadband
services, financial services, healthcare, and utility organizations will likely
be among the first to roll out these security tools, since disruption of their
services can have a devastating human impact.

And Microsoft is already getting in on the game, confirming reports that Windows
11, which arrives in October, will include Secure Boot routines that will not be
bypassable. That will likely mean outlays for new hardware in many corners, as
the new operating system will run only on recent model processors, released
after 2017.

But at the consumer level, protecting PCs is just the first step, warns Laffey.
"You've got home routers, smart TVs, and cameras that are used for
security—things that have been compromised in the past," he notes. "This type of
protection has to go into those kinds of devices as well. And that could take a
while."

LESSONS FOR LEADERS

 * Biden's Executive Order may apply only to the federal government, but
   everyone needs to assess the security of their critical software and follow
   its lead.

 * The possibility that large numbers of critical systems would need quick
   remediation from an attack means that the only practical solution is an
   automated one.

 * Industry, including Microsoft with Windows 11, is already moving in the
   direction of requiring support for strong protection and recovery of systems.



This article/content was written by the individual writer identified and does
not necessarily reflect the view of Hewlett Packard Enterprise Company.



CHRISTOPHER NULL

CEO, Null Media LLC 21 publications

Christopher Null is an award-winning journalist, editor, and columnist with more
than 20 years of experience working in business and technology journalism. He
has worked as a top editor for PC Computing, Smart Business, and New Architect
magazines, and was the founder of Mobile PC magazine in 2003, the first-ever
periodical focused exclusively on mobile technology. Later, he spent more than
four years writing about tech daily for Yahoo as "The Working Guy" and six
years as the tech columnist for Executive Travel magazine. Today, he continues
to write regularly for Wired, PC World, and numerous other outlets while working
as the CEO of Null Media LLC, a boutique content marketing and custom publishing
firm.

TOPICS

 * Security

© Copyright 2021 Hewlett Packard Enterprise Development LP