The SolarWinds software supply chain compromise, widely considered the most significant and far-reaching cyber espionage operation to target the U.S. government to date, has sparked an important conversation about a new risk-based approach to cybersecurity for federal agencies.
In fact, the Cybersecurity and Infrastructure Security Agency (CISA) has launched a new cybersecurity effort to develop actionable metrics and quantify cyber risk across the nation’s critical infrastructure sectors. The Systemic Cyber Risk Reduction Venture is being developed in partnership with the National Risk Management Center (NRMC) and will focus on the relationship between threat, vulnerability and consequence, with a particular emphasis on identifying and quantifying systemic and interconnected risks.
Importance of a Risk-Based Approach
The SolarWinds attack highlighted the urgent need for the federal government to move toward a risk-based, intelligence-driven approach to cybersecurity, instead of relying mostly on intrusion detection systems. For many organizations, the hack may have resulted in the first meeting between third-party risk managers and the chief information security officer (CISO). A risk-threat-response approach can help each agency better understand and plan for the risk scenarios that matter most to its specific situation – especially those that will have the greatest potential operational impacts.
The Rosetta Stone that translates the technical nature of security into the language of the business or agency is cyber risk quantification. By quantifying cyber risk, CISOs have the ability to translate cybersecurity into a language that non-technical agency leaders can understand and support from a policy and procedure perspective.
“I think it’s incredibly important to evolve the way that we talk about cybersecurity,” said Michael Daniel, a former White House cybersecurity policy advisor and the CEO of the Cyber Threat Alliance, in a recent interview with the ThreatConnect Podcast. “Cybersecurity is now a critical enabler for most businesses to continue operating. And it needs to be framed in that way. And I think that’s very much the place that we need to move is putting it in those business terms, framing it in those risk terms.”
Risk quantification can help an entity determine which of its risks are most critical, so that leaders can tailor business and security operations to those priorities. The same process lets an organization refine its financial and operational risk scenarios against real-world threat intelligence, so the scenarios track the actual threat landscape rather than a static assumption. The result is a response that is better informed, more focused and faster across the entire technology stack.
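The paragraph above describes risk quantification in the abstract. The following is an added example, not code from the article or from ThreatConnect, showing one common way to do it: each scenario is decomposed into a threat event frequency, the probability that an event turns into a loss, and a loss magnitude given as a 90% confidence interval, and a Monte Carlo simulation turns that into an annualized loss expectancy (ALE) and a 95th-percentile annual loss that can be compared across scenarios. The scenarios, their frequencies and their loss ranges are constructed for illustration; the decomposition follows the FAIR style of analysis, which the article itself does not name.

```python
"""Monte Carlo cyber risk quantification (added example, constructed inputs)."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float  # mean threat event frequency (Poisson rate)
    p_loss: float           # probability a threat event results in a loss
    loss_low: float         # 5th percentile of a single-event loss (USD)
    loss_high: float        # 95th percentile of a single-event loss (USD)


Z90 = 1.6448536  # standard normal quantile bounding a central 90% interval


def lognormal_params(low, high):
    """Convert a 90% confidence interval on a positive loss into lognormal mu/sigma."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma


def ci_from_params(mu, sigma):
    """Inverse of lognormal_params; used to sanity-check the calibration."""
    return math.exp(mu - Z90 * sigma), math.exp(mu + Z90 * sigma)


def poisson(rng, lam):
    """Draw a Poisson count (Knuth's method, fine for the small rates used here)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate(scenario, years=10000, seed=1):
    """Simulate `years` independent years and summarise the annual loss distribution."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    mu, sigma = lognormal_params(scenario.loss_low, scenario.loss_high)
    annual = []
    for _ in range(years):
        total = 0.0
        for _ in range(poisson(rng, scenario.events_per_year)):
            if rng.random() < scenario.p_loss:  # event becomes an actual loss
                total += rng.lognormvariate(mu, sigma)
        annual.append(total)
    annual.sort()
    return {
        "scenario": scenario.name,
        "ale": sum(annual) / years,                       # annualized loss expectancy
        "p_any_loss": sum(1 for a in annual if a > 0) / years,
        "loss_95": annual[int(0.95 * years)],             # 95th percentile annual loss
    }


def rank_scenarios(scenarios, years=10000, seed=1):
    """Rank scenarios by ALE, highest first, so leaders see what matters most."""
    results = [simulate(s, years, seed) for s in scenarios]
    return sorted(results, key=lambda r: r["ale"], reverse=True)


# Constructed scenarios: numbers are illustrative, not measured data.
SCENARIOS = [
    Scenario("Compromised vendor software update", 0.2, 0.5, 250_000, 5_000_000),
    Scenario("Phishing leading to credential theft", 12.0, 0.1, 5_000, 200_000),
    Scenario("Lost unencrypted laptop", 2.0, 0.3, 10_000, 100_000),
]

if __name__ == "__main__":
    for r in rank_scenarios(SCENARIOS):
        print(f"{r['scenario']:<40} ALE ${r['ale']:>12,.0f}  "
              f"P(loss in a year) {r['p_any_loss']:.2f}  "
              f"95th pct annual loss ${r['loss_95']:>12,.0f}")
```

The point of the output is the ranking and the tail, not the exact dollar figures: the rare supply-chain scenario carries a far higher ALE and 95th-percentile loss than the frequent phishing scenario even though a loss from it occurs in only about one year in ten. Replacing the constructed frequencies with figures drawn from threat intelligence is what the article means by refining the scenarios against the real threat landscape.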
Quantifying Supply Chain Risk
When shifting to a risk-based approach, one of the major components to consider specifically is the risk and vulnerability associated with the supply chain. Organizations and companies are only as strong as their weakest links, which in some cases could be a partner or service provider somewhere in their group of suppliers. A 2020 report by Deloitte on third-party risk management found that a majority of organizations are underprepared to address all of the potential risks caused by third parties, whether due to a lack of capability or capacity.
Another major issue related to companies’ supply chains is the lack of oversight. In a recent interview, Robert Bigman, the former chief information security officer at the Central Intelligence Agency, said, “We have no rules, no regulations for companies to build secure supply chains. We have no rules and regulations that require them to build secure code, to test their code.”
Companies today must gain a complete understanding of their supply chains and the geographic spread of each individual entity in the chain to fully grasp the total landscape of potential vulnerabilities. Underinvestment in supply chain risk management, often coupled with a lack of in-house qualified cybersecurity expertise, can make companies increasingly vulnerable to threats.
One way to reduce the operational side of supply chain risk is to adopt a Security Orchestration, Automation and Response (SOAR) platform, which can streamline and manage a company’s incident analysis and response procedures, so that a notice about a compromised supplier is triaged and acted on the same way every time. A SOAR platform can also break down silos across departments and ensure employees are collaborating toward the common goal of mitigating risks to the organization. An efficient method for managing workflow and reducing redundancy matters even more as cyber threats continue to grow in both sophistication and sheer volume.
If there is any positive outcome from this incident, it is the response of the security community at large. Right away, we saw cooperation from cybersecurity companies, service providers and others in sharing information and responding to the attack. For example, Microsoft used the moment to call for increased collaboration among government and the technology sector for a more coordinated response, while FireEye committed to sharing details from its investigation. Moving forward, to better protect our nation’s infrastructure against the rising number of nation-state attacks, this type of collaboration and information-sharing is critical.
Shifting to the Front Foot
The SolarWinds attack is another stark reminder that we are living in an age of never-ceasing threats from sophisticated adversaries. It is vital that we do not let our guards down, no matter how quiet it seems or how long attackers appear dormant. Attackers often have extensive time and resources at their disposal, which means it is only a matter of how long it takes them to succeed, and not a question of whether they can succeed.
The threats will only become more sophisticated, multifaceted and well-orchestrated. Organizations must make their security postures equally sophisticated and coordinated, taking proactive steps and comprehensively managing third-party risk throughout their supply chains. The companies that shift to a risk-based approach to cybersecurity today will be among those that remain trusted tomorrow.
Dan Verton is a former intelligence officer in the U.S. Marine Corps and has authored several books on cybersecurity. He is currently director of Content Marketing at ThreatConnect.