Most recently, an attack against Microsoft’s Exchange email servers in January exposed a mix of more than 30,000 public- and private-sector customers. Just a month before, SolarWinds and some 18,000 of its customers suffered a similar fate.
The SolarWinds incident brought attention to the issue of supply chain security; the Microsoft incident magnified it. But what, if anything, can government do to protect itself from threats concealed within proprietary software?
According to Maria Thompson, North Carolina's chief risk officer, there are two key things that governments need to do. The first is to recognize that it is a problem, and the second is to analyze the government contracts currently in place with vendors in order to establish stricter controls. This effort means increasing transparency between governments and vendors in terms of reporting cyber incidents, in addition to establishing a plan of action should a vendor fail to comply.
“Greater transparency is needed across the board,” emphasized Thompson.
With transparency comes a great need for information sharing, particularly between vendors and their customers. With the recent cyber attacks, many customers were not immediately made aware of the breaches.
“I can tell you that a lot of state entities and local government entities, we’re quickly losing our trust in some of these solutions that we have because, you know, we find out after the fact — months after a data breach has occurred,” Thompson said.
This forces governments into reactive mode, spending money and resources to remediate issues when their focus should be on operational activities. Ideally, governments could instead adopt a streamlined mechanism for more open sharing of information between governments and vendors.
Dan Stroman, senior director of public sector at CloudCheckr, explained that some government entities are shifting their systems to the cloud, as on-premises software leaves vulnerabilities, noting the SolarWinds incident. His belief is that cloud platform providers are taking the proper steps to show customers that this is a secure option.
“The cloud platform providers have made a huge investment in assuring the constituency, their customers, that they’ve got security really well covered,” said Stroman. “They have a lot of due diligence that they’re able to show.”
There are other steps that can be taken from a policy standpoint. For example, North Carolina has adopted supply chain security controls as part of the NIST 800-53 Rev 5 controls, and many other states are involved in similar discussions to improve visibility and controls. However, these risks are not something that state governments are able to handle alone and will require a coordinated effort between federal, state, and local governments working with the private sector. Pressure is also mounting for the federal government to implement a plan to help guide smaller government entities through these situations.
“It really takes a concerted effort at their level because we cannot do it at the state level by ourselves,” Thompson explained. “I think that’s the key thing … it has to go further up the chain for true change to occur when it comes to supply chain risk.”
A draft spending plan by the Cybersecurity and Infrastructure Security Agency looks to allocate more than $150 million in federal funding to Microsoft for cybersecurity in response to the recent hack, reported Reuters. Some government officials, including Oregon Sen. Ron Wyden, have expressed concerns about this move, stating that if this is the only solution, the government needs to re-evaluate its dependence on Microsoft.
The private sector can, and must, have a hand in enacting a plan of action in the case of another cyber attack, but it must be a coordinated effort with the public sector as well.
“The main thing that I would like to say about this attack is that I envision that more of these attacks will occur in the future,” stated Thompson regarding the Microsoft hack. “I think that it’s going to take a partnership between private and public entities to really figure out what’s the best approach in how to mitigate the supply chain risk. And we have to do it as a team effort; it’s not done in a vacuum.”