The SolarWinds software supply chain breach deepened long-standing concerns that weaknesses in the information and communications technology (ICT) supply chain have left government agencies and contractors vulnerable to foreign nation-state infiltration. To prevent future widespread attacks, the president’s National Infrastructure Advisory Council (NIAC) suggests agencies need to focus on information-sharing and basic cyber hygiene.
“The vulnerability of our critical infrastructure has been evident,” said Caitlin Durkovich, senior director for resilience and response at the president's National Security Council, at a NIAC quarterly meeting last week. “Everything from a cyberattack against the Florida water system to the extreme weather that impacted multiple states disrupting the power supply of Texas and other states. ... We need to work with the owners and operators of critical infrastructure. We need…to be more resilient.”
NIAC is an executive council of 30 senior volunteers who examine infrastructure and security resilience issues. The council recommends actions directly to the U.S. president for securing national infrastructure.
As federal agencies and private companies digitize and become more interdependent and interconnected via technology and the internet, Durkovich worries about the new crop of vulnerabilities that come with the convenience of an increasingly interconnected IT ecosystem.
“This comes as we also yesterday saw the release of the quadrennial report card from the American Civil Society of Engineers,” she said during the meeting. “The society rated critical infrastructure a C-minus, which is a little bit of an improvement over the last one (which was a D-plus), but shows all the important work we have to do around our infrastructure. We can't look at our infrastructure as 16 separate sectors.”
During the meeting’s special panel on the ICT supply chain, representatives from the Cybersecurity and Infrastructure Security Agency (CISA), the Cyber Threat Alliance and AIG (a member of NIAC) discussed how public and private sectors can work together to improve and enhance ICT supply chain security.
“We've seen supply chain risk management (SCRM) is no longer a single discipline separate from risk management discussion; it's integration at every single level,” said Chris Butera, senior technical director for CISA’s cybersecurity division.
The SolarWinds hack, he argued, reinforced this point.
“The biggest vulnerabilities in the software supply chain are developed through malicious intent or unintentionally through poor security practices,” Butera said during the panel. Examples include counterfeits, unauthorized production and tampering. “The software supply chain is just one aspect of an approach we want everyone to take with cybersecurity, which is just general cyber hygiene and getting critical patches deployed quickly.”
Michael Daniel, CEO of the Cyber Threat Alliance, said information-sharing and basic cyber hygiene sound like perfunctory ways to stop another major cyberattack, but are actually crucial.
“On the public sector side, we have to increase the ability of our network defenders to share and correlate information,” he said during the NIAC panel. “Inside the private network, you've got to have companies doing those basics. How did we catch this whole [SolarWinds] thing? It's because FireEye had multi-factor authentication in place and followed up on an anomaly.”
Rich Baish, CISO of AIG, said government contractors must step up in the cybersecurity space.
“The government does have a role, but its role is not the first line of defense against bad cyber actors,” he said.
Baish, who helped put together CISA's TIC program, thinks adherence to TIC best practices can make a huge difference in cyber posture.
“Say TIC had been in existence for two years already, and I think there could have been some opportunity to understand systemic risks across infrastructure as they relate to supply chain risk,” Baish said. “We could have potentially established an understanding of the supply chain risk to the critical infrastructure, maybe some additional monitoring in place, that may have tipped the scale.”
Butera emphasized information-sharing with CISA and described zero trust as an important cyber hygiene technique for securing networks.
“Sharing information with CISA, we take the constraints any organization gives us on how to share that information, we always anonymize information, and the intent is to put it out as broadly as possible to make sure people are securing their networks,” he said.