The high-profile SolarWinds and Microsoft Exchange Server breaches of recent months have shaken confidence across multiple industries and put current security countermeasures under heavy scrutiny. The market for private security services and tooling has understandably gone into overdrive. Nevertheless, addressing this open-ended problem through systematic analysis and enforceable legislation is a responsibility that will inevitably land with federal agencies in the U.S. and their counterparts worldwide.
In the U.S. Senate, the reaction has taken shape as the National Risk Management Act. If passed, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) would be tasked with an ongoing risk assessment covering critical infrastructure across a wide range of vulnerable sectors, and would work with the executive branch to produce an official report of its findings every five years.
CISA has already published a resource titled Defending Against Software Supply Chain Attacks. It is aimed at every party in a given supply chain, from software vendors to customers: it describes the weaknesses in how software is built and distributed that raise the odds of compromise, summarizes the mitigations available, and offers practical guidance on applying the National Institute of Standards and Technology's Cyber Supply Chain Risk Management (C-SCRM) and Secure Software Development Framework (SSDF) guidance.
The fact that these campaigns depended on going undetected for months is a warning of larger attempts to come. If the escalation in ambition set by the SolarWinds break-in holds, malicious actors will increasingly aim at government institutions and financial systems. Linda A. Lacewell, Superintendent of the New York State Department of Financial Services, said, "This incident confirms that the next great financial crisis could come from a cyber attack. Seeing hackers get access to thousands of organizations in one stroke underscores that cyber attacks threaten not just individual companies but also the stability of the financial industry as a whole."
Enabling accurate risk assessment is the crux of solving this problem for private and public targets alike. Network defenders often have their hands tied early in the mitigation process, because the most effective defenses require immediate change across every part of a software supply chain, and no single defender controls all of it. Top-down control of affected systems is rarefied air; governments can exercise that power through mandates and reach a level of transparency that may show other sectors how to curtail threats.
DHS has laid out a series of 60-day "sprints", the first of them focused on ransomware and the industries it has hit hardest. Going forward, effective risk assessment for intrusion attempts will combine private industry-led guidance with government-backed regulation.