Inside CISA: Enhancing Cybersecurity Through Collaboration and Open Source Initiative


Open At Intel host Katherine Druckman spoke with Jack Cable, senior technical advisor at the Cybersecurity and Infrastructure Security Agency, or CISA, about his work at the agency focusing on securing the technology ecosystem and open source software. Enjoy this transcript of their conversation. 

 

“We really focus on seeing how we can support the security of these critical systems that every American relies on every day. And there, we don't have, for the most part, concrete authorities. It really is on a voluntary basis that we're collaborating with private companies, that we're providing support to local governments and so on to help secure our nation's infrastructure.”

— Jack Cable, Senior Technical Advisor, CISA 

 

Katherine Druckman: Hey Jack, thank you so much for taking time out of your very, very, very busy day here at All Things Open to talk to me about your work with CISA.

Jack Cable: Thanks so much for having me. Glad to be here. 
 

Katherine Druckman: Awesome, I really appreciate it. If you would just introduce yourself a little bit and tell us who you are and what you do at CISA. 

Jack Cable: My name is Jack Cable. I am currently a senior technical advisor at CISA, where I help lead the agency's work around Secure by Design, where we try to help secure the broader technology ecosystem, as well as open source software security. I come from a background in software development and security research. Gradually got more acquainted with the policy side of things and have been at CISA for just about two years. 

What is CISA? 

Katherine Druckman: Would you tell us what is CISA for anyone who doesn't know? 

Jack Cable: That's a great question. CISA is the Cybersecurity and Infrastructure Security Agency. We are the United States' Cyber Defense Agency, so we're tasked with protecting both the civilian federal government, as well as critical infrastructure. Fun fact, I think we're the second-newest federal agency after the Space Force. Congress created CISA in, I believe it was 2018. We've been around just for a couple years, but I think are starting to make our name more known in the cybersecurity world. 

Katherine Druckman: Tell us a little bit more about your mandate. 

CISA's Mission and Mandate 

Jack Cable: CISA's mission really is to, of course, focus on defensive cyber security. And when it comes to that, we have two types of roles. One is with the civilian federal government. We are the manager for what's called the Federal Civilian Executive Branch, so that's pretty much every federal agency that's not an intelligence agency. NSA manages the same, Department of Defense and other intelligence agencies. We have authorities there, for instance, to issue directives telling agencies to, "Hey, you should go and patch your software because there's these bad known exploit vulnerabilities out there, or you should have a vulnerability disclosure policy." We do a lot focused on the federal government. 

Open Source as Critical Infrastructure 

Jack Cable: But then what's really cool about our mission and, in some ways, unique to government is our focus on pretty much everything else on critical infrastructure. And that's everything from banks to hospitals to school systems. We really focus on seeing how we can support the security of these critical systems that every American relies on every day. And there, we don't have, for the most part, concrete authorities. It really is on a voluntary basis that we're collaborating with private companies, that we're providing support to local governments and so on to help secure our nation's infrastructure. 

CISA's Role in Open Source Security 

Katherine Druckman: Let's talk about why you're here in particular at All Things Open. How important is the open source community to your work? 


Jack Cable: Very much so. Well, let's think about it. CISA's mission, protecting critical infrastructure, what underpins every single sector of critical infrastructure, all of the software we're dependent on. 


Katherine Druckman: Whole lot of open source. 


Jack Cable: A lot of open source software. We recognize that we should be looking to work with the open source community to really help secure the broader open source ecosystem, whether it's to help benefit the security of critical infrastructure, whether it's to help protect the federal government, there's a clear role to play. But traditionally government hasn't been all that involved, for better or for worse. 

What we want to focus on is seeing not how we can try to, say, show up and try to control or regulate open source community. We know it doesn't work that way. But rather see how we can show up as a community member and contribute what we can to help protect the broader open source ecosystem. And that's why we're here at All Things Open. 

Collaborations and Initiatives  

Katherine Druckman: What types of collaboration are you engaged in? 


Jack Cable: We're doing a bunch. One of the things we did is back in March, we held a summit with many members, over 50 from various open source communities. We had package repositories there, we had open source foundations, we had individuals, we had some companies. And the goal was really to see how we can chart a collective path forward around security. 

One of the things we did there is we held a tabletop exercise modeling response to what, at the time, this was March, a hypothetical vulnerability in a hypothetical open source package wound up looking somewhat like the XZ backdoor that came out about a month later. But what we heard from the community was that was quite helpful in modeling out how they would respond to vulnerabilities as it would surface quite soon. And then we were really able to leverage those relationships we established when XZ happened, we had real-time collaboration channels to be able to share information to look for other similar types of exploits similar to what happened with XZ and advance our state of security. 


Katherine Druckman: Yeah, that's pretty exciting. Yeah, I was following that, for sure, because some of my colleagues from Intel were there. Some people I know from the OpenSSF were there. Very important work. Let's talk a little bit more about why open source is such critical infrastructure. It really is everywhere. 

Secure by Design and Developer Resources 

Jack Cable: It is. We published a roadmap for open source software security about a year ago, laying out how CISA is working to help secure the open source ecosystem. And the second goal of that is around understanding the prevalence of open source software that we're dependent upon. This is something that, of course, is really at the heart of what we need to be doing if we want to see how we can help protect the open source ecosystem. And the critical packages we're dependent on, we need to know, okay, what are say the most widely used open source packages, and in particular looking, say, across various sectors, what is that composition? 

And that's something that I don't think anyone has super great data on today. It's not easy to get but is necessary. We're kicking off a few work streams to try to better understand that. We have some pilots ongoing, for instance, looking at operational technology and analyzing, say, components of software that are deployed in real operational technology environments to see if we can get a better sense of what sorts of open source software is there. That's really a big part of our goals. Of course, we are doing some work now, which we can get into, but we also want to see how we can pave the way for in the future if we want to, say, offer more support to some of these critical open source packages, how might we go about that? 


Katherine Druckman: I'm a developer, right? And I'm working on an open source project, for example. Do you have resources to help me in that way or do you have guides? Tell me about how I might connect with your work. 


Jack Cable: Yep, definitely. One of the related areas I work on at CISA is called Secure by Design. And that is coming from the perspective that we see this wide scale increase in cyber attacks every day, whether from nation state adversaries or cyber criminals. And we know that at the end of the day, what they're exploiting is usually quite basic and often preventable. Our goal is to make sure that technology companies who are most capable of building products securely from the start do that and really benefit the security of their customers in doing so. 

We put out a white paper on Secure By Design back in October of last year with 17 U.S. and international partners. And since then, we've been putting out more guidance. We have a series we call Secure by Design Alerts, which focuses on particular classes of vulnerabilities and how those can be prevented, things like memory safety vulnerabilities or SQL injections. And then we also just published a document called Product Security Bad Practices with the FBI. And in this document, we label various software development patterns as bad practices. For instance, building a new product in a memory unsafe language, we'd say in 2024 poses an unacceptable risk to security in this day and age. 


Katherine Druckman: Wow, very interesting. I'm wondering also, you're in a position to have access to a lot of really good data. You're kind of perched in a really interesting position to have a perspective on this entire open source ecosystem. What are the major things that… maintainers, contributors, users, vendors… what are the things that you would like all of us in the community to be really looking out for, especially in the coming year, the coming next five years? 


Jack Cable: Yeah. I think one of the things that we've been focusing on that I think is talked about a little less often, but is crucially important, is some of the infrastructure that supports the open source ecosystem. Of course, there's a wide array of open source projects out there, but that is only possible by this infrastructure, whether it's package repositories or content delivery networks to host and deliver open source code. There's all this infrastructure and usually it's maintained by some resource constrained non-profits who operate these platforms. 

What we've been focusing on at CISA is seeing how we can partner with these platforms to increase their security, recognizing that we've seen, for instance, these platforms being targeted for attacks and whether it's requiring multi-factor authentication for maintainers or other actions, there's a lot of potential to scale out security improvements. We worked with the Open Source Software Security Foundation, OpenSSF, to put out some guidance on principles for package repository security, laying out best practices that package repositories can use to really build out a roadmap, which may be helpful, for instance, when they're trying to get funding for some of these security improvements. And at the summit I mentioned, we highlighted how five major package repositories for Python, JavaScript, Rust, PHP, and Java are taking steps in line with this framework to secure their platforms. 

Jack Cable's Journey into Cybersecurity 

Katherine Druckman: Fantastic. I wondered if you could tell us a little bit more about how you got here. How did you get into this type of work that you're doing? 


Jack Cable: Yep. Yeah, that's a great question. I took an interesting roundabout path. As I mentioned, I come from a background in software development and security research. I got into software development in middle school, teaching myself coding, started out with web development, app development, making games and such. Then when I was in high school, I found myself in the world of security rather accidentally. I was poking around with an API of a cryptocurrency website and noticed I could send a negative amount of money to other people on the site. I didn't know much about security, but I knew that wasn't great because it would steal money from their accounts. Fortunately, they had a bug bounty program where I could report that. I got paid for it and started teaching myself more. That was all on the technical side. 

Then I got invited to this thing called Hack the Pentagon, which was the first time the U.S. military was asking hackers to test their systems. I was 16 at the time. I was like, "Hey, why would the Pentagon be wanting my help?" It turns out that they could use it. That was my first exposure to government work. 

Eventually, I saw that there's a lot of potential in government to scale out through policy some of these good security practices that we know need adoption. For instance, I did this fellowship called Tech Congress, which has a goal of placing people with technical backgrounds in U.S. Congress as staffers to work on tech policy. I did that, wrote a bill called the Securing Open Source Software Act, which was making its way through Congress and then eventually wound up at CISA. But I think all of this comes from the standpoint of seeing that there's things that could be done better from a technical standpoint and wanting to see how I could scale those approaches through policy. 


Katherine Druckman: I'm actually giving a talk later today about open source security, and one of the things that I really like to talk about is empowering developers and empowering contributors and maintainers and all of us to be part of helping to solve these cybersecurity problems, right? We are all part of this open source community, and we all have a part to play in mitigating security vulnerabilities throughout the whole entire landscape. What advice do you have for people to empower themselves to shift left? What does that mean? All the way to when you begin thinking about a project or thinking about writing code? There's a lot of pressure, I think, on developers and maintainers. How can we as a community help educate, but also help support and empower all of those people? 

Empowering the Open Source Community 

Jack Cable: It starts from the standpoint of education. I think we need to get to a point where every software developer has a basic understanding of security, at least enough to know when they're doing something that might require calling someone else in. That's been an area that we've been advocating for, this idea that, say, every computer science program or other forms for software development education should include security in the kind of base requirements because it is so essential in this day and age. 

But in terms of the developer standpoint, of course, we encourage developers to learn about security. I know OpenSSF, for instance, has some good free resources around that. But this also points to something that a growing number of companies have been talking about, this idea of developer experience, and in particular the perspective that companies really ought to make it hard for their developers to do the wrong thing from a security standpoint. 

Google, for instance, has put out some good papers on how they foster secure developer ecosystems and build environments where, for instance, their developers just can't introduce certain classes of vulnerabilities because, say, the type of system or the language prohibits that. I think the more that we can do to encourage developers to try to build this out wherever they are, but make it so that there are secure defaults enforced, whether it's at the language level using a memory-safe language, whether it's using a secure web template framework, that makes it so it's easy to do the right thing from a security standpoint. 


Katherine Druckman: Wow, I love that. Being easy to be secure by design, as you say, is I think most of the battle. If it can just be the default way of doing everything, then that solves a lot of problems for us. 

What else are you most excited about in the open source community now?   

Bridging the Gap Between Developers and Security Communities 

Jack Cable: Yeah. Well, I think there's a lot of good momentum, particularly around open source security. And I'd say I've been pleasantly surprised integrating into, say, some of the OpenSSF working groups, from a government perspective at just how welcoming the community has been. Of course, kind of uncertain how the community would receive a government agency trying to step in and contribute. Again, not to take control of things, but just to offer support where we can. 

But I think to me, there's really a unifying aspect where there is a shared common goal of fostering better security and anyone, whether they're an individual maintainer, whether they're at a company or so on, share these goals. Through engagements like with the summit we held or some of the follow-on events since then, being here at All Things Open, I think there is a lot of interest in seeing how we can continue to pave a path forward where again, security is easy, and we can achieve a more secure open source ecosystem. 


Katherine Druckman: One final question as we wrap up here, and I often see security treated as an “other.” It's almost like it has been developers against security people, as if we're not all part of the same system and we don't have the same goals, which I think we do. How do we bridge that? How do we make people want to be secure by design? How do we make people embrace wanting to implement whatever they can to produce more secure software? 

Conclusion and Final Thoughts  

Jack Cable: Yeah, very much agree with the goals there. And this goes back to some of the education aspects. And I myself studied computer science at Stanford, wasn't required to take a security course, did so because I was interested in it. 


Katherine Druckman: I'm glad you did. 


Jack Cable: And I looked, I checked out of the, say, top 20 universities in the United States right now, I believe none of them requires security to graduate. We see this seemingly pervasive view that security is a sub-discipline. It's not a core part of being a software developer, but it's rather something you could go and specialize in, or if you want to do, say, a PhD, you can focus on that. But as part of your standard computer science software development education, not a necessity. 

And if we think about other fields, say civil engineering, I don't think there's any kind of civil engineering program out there that treats safety as a sub-discipline. You don't have to take a separate class if you're interested in it in building bridges in a manner that they don't collapse because we've seen the impacts that can have, and we've seen the necessity to build safety in from the start. I think the more we can adopt that mindset across software development, the better, and to really give software developers a sense of ownership around security. It's the same as we want developers to write high-quality code. Well, security is a necessary component of quality. If you want to be a strong effective developer, you need to have a good grasp. Again, you don't have to be an expert on security, but you at least need to understand the basics. 


Katherine Druckman: Yeah. Well, thank you so much. I really appreciate it, and I appreciate you sharing your mission. I think it is a really good reminder that there are people out there working toward the common good. Is there anything that you wanted to talk about that we didn't get to? 


Jack Cable: I think that covered most of it. Appreciate being able to discuss with you today.   


Katherine Druckman: Fabulous, thank you so much. 


Jack Cable: Thank you. 


Katherine Druckman: You've been listening to Open at Intel. Be sure to check out more about Intel’s work in the open source community at Open.Intel, on X, or on LinkedIn. We hope you join us again next time to geek out about open source.  

About the Guest 

Jack Cable, Senior Technical Advisor, CISA  

Jack Cable is a senior technical advisor at CISA, where he helps lead the agency’s work on open source software security and Secure by Design. At CISA, Jack authored CISA’s Open Source Software Security Roadmap and has co-led community efforts to standardize the security of package repositories. Prior to that, Jack worked as a TechCongress Fellow for the Senate Homeland Security and Governmental Affairs Committee, advising Chairman Gary Peters on cybersecurity policy, including election security and open source software security. There, Jack was the principal author of the Securing Open Source Software Act. He previously worked as a security architect at Krebs Stamos Group. Jack also served as an election security technical advisor at CISA, where he created Crossfeed, a pilot to scan election assets nationwide. Jack is a top bug bounty hacker, having identified over 350 vulnerabilities in hundreds of companies. After placing first in the Hack the Air Force bug bounty challenge, he began working at the Pentagon’s Defense Digital Service. Jack holds a bachelor’s degree in computer science from Stanford University and has published academic research on election security, ransomware, and cloud security. 

About the Host

Katherine Druckman, Open Source Security Evangelist, Intel  

Katherine Druckman, an Intel open source security evangelist, hosts the podcasts Open at Intel, Reality 2.0, and FLOSS Weekly. A security and privacy advocate, software engineer, and former digital director of Linux Journal, she's a long-time champion of open source and open standards. She is a software engineer and content creator with over a decade of experience in engineering, content strategy, product management, user experience, and technology evangelism. Find her on LinkedIn.
