A democratized approach to cybersecurity risk management that leverages continuous monitoring and public-private partnerships is overdue, and critical, for today’s cyber threat environment.
Executive Summary
Although the Biden administration, U.S. Congress, Department of Homeland Security, and CISA have accelerated cybersecurity efforts over the last year, the fact remains that the majority of critical infrastructure in America is owned by the private sector, giving Federal agencies limited visibility into the nation’s overall cybersecurity.
SecurityScorecard believes in utilizing new and evolving tools which democratize the approach to cybersecurity and strengthen public-private partnerships to keep America’s infrastructure safe.
Cybersecurity is everyone’s responsibility, and senior corporate leadership must understand what their cyber risk is and how it affects business risk.
We need to move cybersecurity efforts “left of boom,” using tools like security ratings to surface vulnerabilities in real time.
Russian cyber aggression and malicious cyber activity extended well before the invasion of Ukraine in February 2022. The invasion threatens U.S. homeland security and especially critical infrastructure owners and operators, who would likely bear the brunt of any retaliatory attacks by Russia for the U.S. support of Ukraine.
In response to intelligence indicating that the Russian government is exploring options for potential cyberattacks, the Biden Administration and Congress have accelerated cybersecurity policymaking and programs to combat this persistent and growing threat—including the president’s sweeping Executive Order to Improve the Nation’s Cybersecurity; the U.S. House of Representatives’ Committee on Homeland Security’s creation of, and critical investments in, a new State and Local Cybersecurity grant program; and the recent passage of cyber incident reporting legislation as part of the Fiscal Year 2022 Appropriations law. While these critical efforts have energized and improved federal responses to cyber attacks, more work is needed, especially to defend U.S. critical infrastructure.
The overwhelming majority of critical infrastructure is owned and operated by the private sector, and Federal agencies have limited visibility or authorities to ensure that this infrastructure is adequately secure. Our position at SecurityScorecard is that America needs a more democratized, integrated, collaborative approach that pushes out the borders of organizational cybersecurity, provides continuous visibility of the threat landscape, and brings the public and private sectors together to protect the nation’s most important assets.
SecurityScorecard believes cyber security ratings can serve as a nexus to fulfill these needs.
A Democratized Approach to Cybersecurity
SecurityScorecard’s mission is simple: to make the world a safer place by transforming the way companies understand, improve, and communicate cybersecurity risks to their Boards, employees, and vendors. Cybersecurity is everyone’s responsibility, and senior corporate leadership must understand what their cyber risk is and how it affects business risk.
Everyone, in every organization–from the Department of Defense to one-person small businesses–bears some responsibility to protect their organization’s networks through basic steps for good cyber hygiene like:
Immediately downloading software patches and updates,
Avoiding phishing emails,
Refreshing their understanding of cybersecurity best practices through training and education.
However, we also know that, even at the most highly secure organizations, mistakes happen.
What SecurityScorecard proposes is a more democratized approach to cybersecurity. Everyone needs to understand the cyber risk environment in which we operate, as well as their responsibilities in cyber defense. More shared data and a quantitative understanding of the risk can empower both the owners and the operators of critical infrastructure, as well as the federal sector risk management agencies that bear federal responsibility for the cybersecurity of those industries. This approach also relies on key public-private partnerships, novel cyber defense collaborations, and strong information-sharing practices.
Leveraging Public-Private Partnerships
The Cybersecurity and Infrastructure Security Agency (CISA) is demonstrating the effectiveness and importance of public-private collaboration in a number of ways. Its “Shields Up” web page is a forward-leaning and supportive initiative by the federal government to mobilize public and private assets in defense of the homeland. Through this webpage, CISA shares critical information, presents clear technical guidance, and directs the nation to free cybersecurity services and tools–all in a centralized location.
Earlier this month, SecurityScorecard’s Global Investigations team identified three separate DDoS attacks which all targeted Ukrainian government and financial websites leading up to and during Russia’s invasion of Ukraine. Details of these DDoS attacks had not yet been publicly identified. Working with CISA, SecurityScorecard was able to share this information and disseminate it centrally through the Shields Up Technical Guidance webpage.
CISA Director Jen Easterly’s bold leadership and direction also includes the standup of the Joint Cyber Defense Collaborative (JCDC). As she and others have so eloquently stated, “cybersecurity is a team sport.” The JCDC team breathes life into this statement. This collaboration between critical infrastructure owners and operators and the Federal Government is already strengthening the nation’s cyber defenses through planning, preparation, and information sharing, and it will only increase in reach as the JCDC matures institutionally and expands its membership.
Information Sharing – ISACs and Nonprofit Organizations
U.S. Information Sharing and Analysis Centers (ISACs) also play a critical role in disseminating threat information and technical guidance (e.g., TTPs, IOCs, etc.) to their members. SecurityScorecard believes critical infrastructure owners and operators, across every sector (e.g., water, financial services, information technology, etc.), should lean on and utilize the tools, services, and community built by the ISACs, especially in a high cyber threat environment.
SecurityScorecard is proud to support 14 industry ISACs through our ISAC Partner Program, which provides ISACs with visibility into the threat landscape of every member and a better understanding of industry-wide risk. Our ratings enable ISAC members to understand and secure their own digital ecosystems, share threat information, and monitor the cyber risks presented by the supply chains and vendors they rely on to run their businesses.
Nonprofit organizations focused on cybersecurity, like the Global Cyber Alliance and Cyber Threat Alliance, additionally extend the information-sharing ecosystem by “building programs, partnerships, and tools to make the connected world safer and more secure for all” and “working to improve the cybersecurity of our global digital ecosystem by enabling near real-time, high-quality cyber threat information sharing among companies and organizations in the cybersecurity field.” The power of these partnerships, and others like them, helps all who contribute to them, and they are as critical today as ever.
State-based nonprofit organizations add state, local, tribal, and territorial (SLTT) government-specific expertise in an immeasurable way to the broader information-sharing environment. Congress’ recent investments in the Center for Internet Security and Multi-State ISAC in the Fiscal Year 2022 Omnibus Appropriations Act will be essential to help SLTT entities secure their systems from attacks. Other frontline state-based nonprofits, like the National Association of Counties (NACo), will soon benefit from the State and Local Government Grant program this committee created. These grants will bring critical cybersecurity investments to front-line SLTT officials and reinforce a democratized approach to cyber defense.
Partnerships like these create trust and strengthen the information-sharing ecosystem necessary to protect against malicious threat actors. A Russian cyber threat actor only needs one vulnerability to penetrate many systems through the use of a single cyber attack. As made clear by the U.S. House of Representatives’ Committee on Homeland Security last summer, in hearings related to the cyber attack on Colonial Pipeline, an attack on U.S. critical infrastructure can have cascading negative effects that extend far beyond a single network or end-user.
A New Risk Management Approach
Cybersecurity is About Risk Management – The Biden Administration’s recent warnings of increased Russian cyber activity—to include probing and scanning of U.S. critical infrastructure—underscore the need to manage cybersecurity risk now, before a cyber attack. We need to move our cybersecurity efforts, and think more deliberately, “left of boom” (i.e., before an attack).
This approach accepts the simple premise that cybersecurity is about risk management. It accepts that everyone is at risk, and that measures taken now will decrease the likelihood of a significant cyber attack later. It’s the cyber adaptation of the old adage, “an ounce of prevention is worth a pound of cure.”
Security ratings provide several integral “left of boom” tools to decrease the likelihood of a cyber attack and measurably and practically strengthen any entity’s cybersecurity. For example:
Increase Cyber Hygiene – SecurityScorecard subscribes to CISA’s guidance that all organizations should take certain foundational measures to implement a strong cybersecurity program. This includes:
Fixing known security flaws in software
Implementing multi-factor authentication
Signing up for CISA’s free Cyber Hygiene Services
SecurityScorecard plays a vital role here because security ratings can surface organizational flaws in cyber hygiene, allowing critical infrastructure owners and operators to raise their baseline cybersecurity posture and reduce their online attack surface.
Continuous Self-Monitoring – Continuous monitoring tools, like SecurityScorecard’s, allow companies to automatically see their online risk exposure. While many organizations employ continuous monitoring capabilities on their internal networks, these capabilities surface issues only after it is too late and an unwanted intrusion has already occurred. Security ratings push out the borders of organizational cyber defense by giving organizations an outside-in view of their threat landscape, letting them “see what the hacker sees.” Free services and tools like ours can also alert companies to new threats or vulnerabilities on a daily basis, and allow critical infrastructure owners and operators to proactively manage their cyber risks.
Third Party Risk Management and Zero Trust – Though monitoring one’s own network is necessary, it is no longer sufficient. Companies must also monitor the risk presented to them and their business network by third-party vendors. Over half of all cyber intrusions occur through third-party connections. The Russian Federation has already leveraged this attack vector to enter federal information systems in the past through SolarWinds. Annual security questionnaires and even less frequent penetration test results are no longer sufficient for organizations to understand their entire threat landscape. A true Zero Trust Architecture model must include continuous monitoring of an organization’s vendor and supply-chain ecosystem in addition to its own internal continuous diagnostic monitoring. While it is infeasible for every organization to access the internal continuous monitoring and data logs of all of its vendors, security ratings platforms at least provide sufficient visibility and data to make informed decisions and to work with vendors and suppliers on an ongoing basis.
Conclusion
Learning from recent data breaches, zero-day exploits, cyber espionage campaigns, and ransomware attacks has moved the Federal government toward a new cyber defense posture, but the government alone cannot completely defend our nation’s cyber ecosystem. The help of the private sector is critical to our nation’s cybersecurity. SecurityScorecard encourages every critical infrastructure owner and operator to leverage free services and tools, like SecurityScorecard’s, to improve cybersecurity by taking the democratized, integrated, collaborative approach that is needed.
For more information go to https://securityscorecard.com/free-security-ratings.