Sun Tzu once said, “know thy enemy and know yourself.” To this advice, cybersecurity professionals would likely add, “know thy friends.” The recent high-profile cybersecurity incidents involving SolarWinds, Accellion, and Microsoft have made it clear that good cybersecurity no longer begins at an organization’s digital front door. Protecting your networks increasingly requires at least a baseline understanding of the cyber hygiene of your vendors, suppliers, servicers, and anyone else that may have access to or whose products are installed on your network.
Hackers have long tried to exploit third parties to infiltrate United States infrastructure and private companies, but cybersecurity experts and industry leaders agree that these recent attacks represent an emerging trend relying on sophisticated new methods considered the most advanced to date. Understanding supply-chain risk has come into focus as thousands of organizations, including Fortune 500 companies and government agencies, have been impacted by attacks not on their own organizations, but on their service providers.
SecurityScorecard and Exiger recently hosted a webinar with Katie Arrington, CISO A&S of the United States Department of Defense, Bob Kolasky, Director of the Cybersecurity and Infrastructure Agency’s (CISA) National Risk Management Center (NRMC), Brandon Daniels, President of Global Markets at Exiger, and Sam Kassoumeh, Co-Founder and COO of SecurityScorecard, where they discussed the federal government’s push to create a resilient industrial base. Here are some of the key takeaways from the discussion.
The aftermath of the SolarWinds attack
Supply chain risk management had become, as Arrington put it, the buzzword of the day long before the SolarWinds attack. Yet, months after the breach, the federal government is still working to fully understand the extent to which critical supply chains have been affected.
“The scale of impact and remediation was much more complicated than many of these incidents that we’ve seen in the past,” said Kolasky. “We all need to get better at understanding where there is software that has access to important systems. We need to invest more in zero trust environments.”
While the panelists repeatedly made clear that no IT system will ever be 100 percent secure 100 percent of the time, the only way to buy down risk is through two key pillars: maximizing your organization’s understanding of everyone it transacts business with, and free-flowing information sharing between the public and private sectors. Even the Department of Defense does not rely exclusively on classified intelligence information. As Katie Arrington noted, its resources are best allocated when it takes what information it obtains from the commercial sector and infuses that with information from the intelligence community to make data-driven decisions.
The NRMC, which is the Cybersecurity and Infrastructure Security Agency’s (CISA) center for collaborative risk management, brings together key stakeholders from the public and private sector to manage risks to critical infrastructure. To the agency, it’s imperative to not only understand the fallout from the breach, but to share its intelligence with those who were affected, and with those who can help remediate issues stemming from the incident.
A formidable opponent
This public-private collaboration is critical. Cyberthreats often come from sophisticated state-sponsored actors that have the time and financial resources to overwhelm their targets. Unlike conventional weapons, aimed by one national army at another national army on a battlefield, these foreign, state-sponsored actors are targeting any vulnerability they can find, in both private and public institutions. It is unreasonable to expect even the largest, most sophisticated private business to have the resources to defend itself by itself.
“Adversaries are always looking for new ways to get in, and you don’t want to blame the victim when a nation-state is spending hundreds of thousands of man-hours to create something,” Katie Arrington said. “A small company is not going to be able to withstand that.”
Unlike malicious actors backed by nation-states, security professionals do not have unlimited time and resources, and a data breach within a small, downstream vendor can have serious ramifications for the organizations it serves. “Our vendor ecosystem is just as important as our people and processes,” said Brandon Daniels, President of Global Markets at Exiger. “We can’t draw the line at our doorstep when it comes to security, because our vendor ecosystem is much bigger than that, and it represents our ability to deliver.”
The need for visibility
Previously, CISOs were not equipped with the tools that would allow them to gain visibility of their third-party networks. While the point-in-time assessments they relied on — such as audits and questionnaires — provided some value, they also left security leaders vulnerable to the blind spots and security gaps that arise between assessments.
“Sunlight really is the best disinfectant. Since the advent of the cloud, we’ve become increasingly reliant on others to operate our businesses, but we do not have the same visibility into the security programs of those companies with whom we’re doing business, “ said Sam Kassoumeh, Chief Operating Officer and Co-Founder of SecurityScorecard. “It’s as if my business partners were marbles, the bag of marbles has been dumped on the ground, and I’ve been told to find the marbles that represent my critical business partners. In reality, the risk comes from not just my critical partners, but all of my partners. The holistic view is critically important.”
In response to the SolarWinds attack, the White House has requested a $110 million increase in the 2022 budget for CISA, and is even preparing an executive order that would require software vendors to notify the government agencies they serve if they sustain a data breach. Webinar host Sachin Bansal, General Counsel at SecurityScorecard, asked the government panelists to share their thoughts on this pending action from the Biden administration:
“This is nothing new,” said Arrington, who cited a host of existing measures addressing software provenance, such as 2339 Alpha, which allows the DoD to exclude products from procurement that introduce undue risk to government customers. To Kolasky, the executive order is part of a larger conversation about information sharing which is critical in an increasingly interconnected business ecosystem, as a compromised vendor will have handled the data of many buyers.
A joint effort between the public and private sectors
The panelists agree that there is no silver bullet to make all systems completely secure. A variety of tactics, strategies, and technologies need to be implemented in order to safeguard our infrastructure. Public and private sector organizations must work together to gather and share intelligence, which promotes sound risk-management decision-making.
“We can’t do it alone,” said Katie Arrington, who stressed that government and industry are essentially one and the same when it comes to developing the tools and practices that preserve national security. By increasing awareness of where risk resides within vendor ecosystems, and by tracking and presenting that information continuously to partners and regulators, organizations can shape strategy more effectively—and drive accountability among those they do business with.
Access the webinar and learn more about how SecurityScorecard and Exiger enable government agencies and their suppliers to gain visibility and communicate around supply chain risk. Exiger’s DDIQ automated due-diligence platform and SecurityScorecard combine to create a common operating picture across cyber, financial, operational, and reputational risks to combat the ever-evolving threat landscape that corporations and government agencies are forced to navigate.