Dark Reading is part of the Informa Tech Division of Informa PLC


Risk

4/19/2021
10:00 AM
Kurt John
Commentary

SolarWinds: A Catalyst for Change & a Cry for Collaboration

Cybersecurity is more than technology or safeguards like zero trust; mostly, it's about collaboration.

The Sunburst campaign, which includes the SolarWinds incident, is not unique in its type or frequency. Supply-chain attacks have been happening more frequently over the past seven or so years. As adversaries continue to rapidly identify vulnerabilities, coupled with the world's increased reliance on digital connectivity, we face mounting challenges in preventing, detecting, and responding to sophisticated attacks.

Ultimately, threat actors have realized that their activities require low capital investment and yield high returns. So, we must continue to navigate these challenges because these attacks are not the Achilles' heel of digitalization. Instead, they are a symptom of the exponential growth, innovation, and democratization of technology throughout our lives, including in critical infrastructure. We simply need a call to action for change and collaboration.

There are many aspects of technology that will shape our future, but near the top will be the supply chain and our dependence on wider technology ecosystems. This indicates a need to strengthen trust relationships with suppliers and other technology partners. The Sunburst campaign strikes at the very heart of these trust-based relationships. And while not unique, Sunburst remains the most widely covered software supply chain attack that we have ever seen and experienced as a society. As the facts continue to emerge, it is becoming increasingly clear just how disjointed our information network has become in the United States. Sunburst has helped reveal the gaps in that flow.

We will certainly see more cyberattacks across our technology ecosystem. However, given the attention to Sunburst, we have a unique and potent opportunity right now to improve our cybersecurity posture. When it comes to threat actors, we need to be more intentional about identifying, structuring, and leveraging the critical information related to these threats located in various sectors throughout the US technology ecosystem.

Recently, the Atlantic Council's Cyber Statecraft Initiative, where I have participated and contributed to multiple products, released its full report on SolarWinds, titled "Broken Trust: Lessons From Sunburst." The report outlines three overarching lessons learned from this attack. The first is that we have seen compromised software supply chains before; what made Sunburst a larger issue is the role of cloud computing as a target. Second, we could have done more to protect and prioritize federal systems. And finally, the lesson that I found to be the most salient: "Sunburst was a failure of strategy."

So, what exactly does that mean? It means cybersecurity is about more than just deploying technology. It's about more than just taking action with safeguards like zero trust, which requires the continual verification of users in a system. Cybersecurity is mostly about collaboration.

That is why I am happy to see Congress engaging on this topic. The federal government is well-positioned to help define a strategy for our technology ecosystem and foster collaboration across various sectors. The government can help create a safe and secure continuum of information flow that spans R&D at educational, private, and nongovernmental organizations, as well as the practical knowledge and application found within the private sector. All could fit within a progressive governance framework that is robust enough to define clear guardrails and purpose, but flexible enough to accommodate the nuances of drastically different sectors operating within it. On top of this framework should be a well-articulated national digitalization strategy, which includes cybersecurity as its core principle.

This is particularly critical as the federal government pivots to digitalize vast swaths of its infrastructure in the coming years. Digitalization and cybersecurity are two sides of the same coin. With continued digitalization, this risk will just increase. We can't allow this risk to hold us back; cybersecurity is challenging, not paralyzing.

Additionally, we can no longer solely depend on data and technology to guard against hackers trying to break into networks. There's another critical industrywide issue at play here: the talent gap. Cybersecurity positions are growing three times faster than other IT positions, according to a 2019 report from Burning Glass Technologies, an analytics software company providing real-time data on job growth and skills in demand. Additionally, the 2020 (ISC)² "Cybersecurity Workforce Study" estimates that there are roughly 3.1 million unfilled cybersecurity jobs worldwide. It's crucial to radically recruit and train talented professionals, redefining what it means to be qualified so that more people can help us drive our digital journey into the future.

Finally, and most importantly, ownership will hold all this together. We all must accept extreme ownership of cybersecurity so that, together, we are stronger. Industry must be an active partner in driving needed changes, as both public and private stakeholders focus on a model of operational collaboration rather than simply sharing information. Only then will we be able to execute a sustainable cybersecurity strategy that allows us to build trust and secure our nation's critical infrastructure over time.

The response to this public attack should lead to meaningful action that moves us forward. By empowering key leaders and organizations to make changes to improve America's cyber posture, as the Biden administration has done so far, we can meet the challenge of this moment.

Kurt John is the Chief Cybersecurity Officer of Siemens USA, where he is responsible for the Cybersecurity strategy, governance and implementation for the company's largest market -- ~$23B in annual revenues. In this role, Kurt oversees the coordination of cybersecurity for ...
 
