What comes after a breach? Detection, containment, mitigation, and most importantly – information-sharing.
As with any major event, the recent whirlwind of cybersecurity activity, with the SolarWinds breach as one example, will drive an influx of new solutions, all purporting to solve the problem.
There is no easy button or silver bullet for solving cybersecurity issues, particularly ones of this nature. It will take time and will require new levels of cooperation between the public and private sectors to defend against threats and work towards a solution.
For instance, the Government Accountability Office made “over 3,000 recommendations to federal agencies to address cybersecurity shortcomings – and reported about 600 that had not been fully implemented as of early September 2020.” Of these nearly 600 recommendations, GAO designated 75 as a priority, including shoring up the government’s “supply chain risk management task force” through public/private partnerships.
In comparison to governments worldwide, the United States has the most advanced supply chain controls in many areas – but not when it comes to IT.
What’s Next: True Partnership
As defenders of IT networks, we have to be right 100% of the time to truly protect data. Hackers get unlimited tries, and only have to be right once. The odds are not in our favor. The reality is, if you’re the target of a nation state, adversaries are getting into your network. Cyber warfare has gone on for decades, and nations are skilled.
So what do we do to defend against potential threats and work towards a solution?
Private and public sector organizations need to:
- Work together to detect, contain, and mitigate potential threats, and share information as quickly as possible.
- Know what tools and tactics hackers are using against government agencies.
- Consider what happens during and after an attack; what that scoping, containment and mitigation strategy looks like; and what tooling is in place to deal with it.
We’ve made good strides over the past decade as a community, and legislation such as the Cybersecurity Information Sharing Act of 2015, Privacy and Civil Liberties Guidelines, and Cyber Information Sharing and Collaboration Program has driven this collaboration. Federal agencies and private vendors are obligated to share information on cyber risks and vulnerabilities. If either group finds evidence of nation-state activity, they’re required to disclose it.
To maintain the integrity of the federal supply chain, we need to make sure attacks like the SolarWinds breach never happen again. To do this successfully, we have to better protect critical information and create a mechanism by which federal agencies and private vendors can provide irrefutable attestation as to the protections they have in place. There are no good standards or practices for automating audit and attestation processes, nearly all of which today rely on manual “take my word” methods. The federal government can request specific information about a vendor’s entire IT enterprise – but agencies often rely on vendors to provide them with safe, secure solutions.
Today, there’s no easy way to provide evidence that vendors are running a tight ship – and legal wrangling is hard. But federal agencies and vendors are at least starting to talk about how to solve this problem through modern means. If we’re successful, it will be because of this burgeoning cooperation.
Cyber threats are growing and will continue to grow, and the new reality of a majority-distributed workforce will only amplify the problem. With this heightened risk, it is critical to set aside traditional risk assessments and protections and start looking at risk pragmatically. Let’s set down the metaphorical clipboards and pencils and do what we’ve always done best as a country; let’s solve a very difficult, existential problem by combining the collective ingenuity of our public and private sectors.
Our citizen taxpayers need us to join forces, fast, so we can work to prevent foreign attacks from taking place within our government. By working together with a holistic risk management approach, we can save time and money, and align resources while working to protect sensitive personal and government data. It’s not about what’s best for business or for one particular agency’s mission. It’s about what’s best for our friends, our neighbors, each and every one of us who rely on one another and whom we, as government and technology leaders, have an obligation to protect.
Egon Rinderer is Global VP of Technology & Federal CTO at Tanium.