Federal cyber leaders are drilling down on IT supply chain security, signaling a major new trend in federal cybersecurity following the December 2020 SolarWinds hack.
Concepts like zero trust and IT supply chain security will be among the next big buzzwords, said Customs and Border Protection CISO Alma Cole during the RSA Conference this month.
In a keynote address, Deputy National Security Advisor for Cyber Anne Neuberger highlighted software as a key risk area for federal agencies as they move IT operations to the cloud.
“Following the SolarWinds incident response, we were confronted by the hard truth that some of the most basic cybersecurity measures weren't rolled out across federal agencies,” she said. “We’ve taken immediate action to roll these out, but we have much more to do, starting with the software we buy.”
Neuberger also called for greater transparency in the software supply chain, which requires cooperation from private-sector software vendors and supports President Joe Biden’s recent cyber executive order.
“We don't have visibility into what's developed securely and what's not,” she said. “In order to make the market put money on this issue, we need to integrate that visibility into the security of our software. Visibility engenders trust. Many of the systems that run our critical infrastructure, that deliver the gas that heats your homes and electricity that lights schools, were built before anyone had even heard of the internet. Most of this infrastructure is in private-sector hands.”
Some federal cyber leaders offered practical advice and actionable steps for federal agencies to beef up their IT supply chain security and overall cyber posture.
Alyssa Feola, a cyber advisor with the General Services Administration, recommended a seven-step approach to supply chain risk management:
- Apply CSCRM practices at each governance layer
- Figure out what is critical and disposable
- Evaluate what you're buying and keep track of it after it is bought
- Consider the threats and tradeoffs
- Have a path to communicate throughout the organization
- Implement countermeasures
- Share information
Feola said the third step (evaluating and tracking what you're buying) is often overlooked by federal agencies, especially in the midst of cloud migration, when it’s easy to buy too many add-on tools and features, leading to technology bloat.
“You need to know what you're doing and how critical it is,” Feola said. “Keep track of [technology] after you've bought it. Things change — shadow IT does exist. You want to be able to respond and react very quickly when a supply chain threat is in play. If you don't know what you've bought and aren't able to keep track of it, it's going to be extra hard. You don't want to have to be scrambling at this time.”
Allan Friedman, director of cybersecurity initiatives at the NTIA, echoed Neuberger’s and Feola’s comments regarding visibility and information-sharing. Transparent supply chains should be a basic fact of cybersecurity, he said.
“It won't solve everything,” he added, “but it's going to serve as the foundation for a wide range of risk-based decisions. The hard work should be in finding new vulnerabilities, that's what great security researchers and hackers do. The easy part should be figuring out whether or not it affects our products. We want to document known unknowns.”
Friedman wants federal agencies to adopt a software bill of materials, or SBOM, to keep track of everything in their supply chain and how it could affect their security posture. An SBOM should also be easily accessible and shareable with relevant agencies and organizations, like CISA.
CBP is one federal agency leading the way on supply chain risk management best practices. Cole said its success is due partly to the nature of the agency: CBP agents often need data easily accessible while out in the field, which means security and resiliency must be baked in from the start.
“When it comes to having an overall risk registry built up, we take feeds and inputs from all over our cybersecurity program,” Cole said during the conference. “We have a very active cyber intelligence program now, CISA obviously is a huge huge partner for us in feeding us a lot of high-quality intel info.”
One key strategy is identifying high-value assets and your overall risk tolerance. Not all data needs the same level of protection. Supply chains extending deep into the private sector pose serious risks, Cole added, because they aren’t very visible.
“We're looking at a lot of challenges for how we measure risk with all these organizations we're doing business with,” Cole said. “We still see direct attacks, but I think a lot of the attacks have shifted to people we do business with because I think that's often a softer target. Now we have this big concern about how do we raise everyone else up to a higher standard and how do we validate they're properly mitigating their cyber risk before doing business with them in some instances? Certainly whether or not they have cyber insurance could be part of that risk. DHS is very interested in [CMMC] overall, we've already had some discussions with DOD and how we could potentially adopt that into our contracts. We're obviously not there today, but it's something I could see [happening] very soon.”
Federal agencies can start by polishing up basic cybersecurity practices, sharing information about known vulnerabilities and incidents with CISA, and keeping accurate inventory of their software tools.
As Friedman put it, “SBOMs, not f-bombs. We’ll build a movement.”