
Risk | Commentary
4/19/2021 10:00 AM
Kurt John

SolarWinds: A Catalyst for Change & a Cry for Collaboration

Cybersecurity is more than technology or safeguards like zero trust; mostly, it's about collaboration.

The Sunburst campaign, of which the SolarWinds compromise is the best-known part, is not unique in kind or in frequency. Supply-chain attacks have been growing more common for roughly the past seven years. As adversaries keep finding and weaponizing vulnerabilities quickly, and as the world relies ever more on digital connectivity, preventing, detecting, and responding to sophisticated attacks only gets harder.

Ultimately, threat actors have realized that these campaigns require little capital investment and yield high returns. We must keep navigating these challenges, because such attacks are not the Achilles' heel of digitalization. Rather, they are a symptom of the exponential growth, innovation, and democratization of technology throughout our lives, critical infrastructure included. What is needed is a call to action for change and collaboration.

There are many aspects of technology that will shape our future, but near the top will be the supply chain and our dependence on wider technology ecosystems. That dependence calls for stronger trust relationships with suppliers and other technology partners. The Sunburst campaign strikes at the very heart of these trust-based relationships. And while not unique, Sunburst remains the most widely covered software supply chain attack we have ever seen and experienced as a society. As the facts continue to emerge, it is becoming increasingly clear how disjointed our information-sharing network in the United States has become; Sunburst has exposed the gaps in that flow.

We will certainly see more cyberattacks across our technology ecosystem. However, given the attention to Sunburst, we have a unique and potent opportunity right now to improve our cybersecurity posture. When it comes to threat actors, we need to be more intentional about identifying, structuring, and leveraging the critical information related to these threats located in various sectors throughout the US technology ecosystem.

Recently, the Atlantic Council's Cyber Statecraft Initiative, where I have participated and contributed to multiple products, released its full report on SolarWinds, titled "Broken Trust: Lessons From Sunburst." The report outlines three overarching lessons learned from this attack. The first is that we have seen compromised software supply chains before; what made Sunburst a larger issue is the role of cloud computing as a target. Second, we could have done more to protect and prioritize federal systems. And finally, the lesson that I found to be the most salient: "Sunburst was a failure of strategy."

So, what exactly does that mean? It means cybersecurity is about more than deploying technology. It's about more than adopting safeguards such as zero trust, which requires every access request, from users and devices alike, to be verified rather than trusted simply because it originates inside the network. Cybersecurity is mostly about collaboration.

That is why I am happy to see Congress engaging on this topic. The federal government is well-positioned to help define a strategy for our technology ecosystem and foster collaboration across various sectors. The government can help create a safe and secure continuum of information flow that spans R&D at educational, private, and nongovernmental organizations, as well as the practical knowledge and application found within the private sector. All could fit within a progressive governance framework that is robust enough to define clear guardrails and purpose, but flexible enough to accommodate the nuances of drastically different sectors operating within it. On top of this framework should be a well-articulated national digitalization strategy, which includes cybersecurity as its core principle.

This is particularly critical as the federal government pivots to digitalize vast swaths of its infrastructure in the coming years. Digitalization and cybersecurity are two sides of the same coin. With continued digitalization, this risk will just increase. We can't allow this risk to hold us back; cybersecurity is challenging, not paralyzing.

Additionally, we can no longer depend solely on data and technology to keep attackers out of our networks. There's another critical industrywide issue at play: the talent gap. Cybersecurity positions are growing three times faster than other IT positions, according to a 2019 report from Burning Glass Technologies, an analytics company that tracks job growth and in-demand skills. The 2020 (ISC)² "Cybersecurity Workforce Study" estimates roughly 3.1 million unfilled cybersecurity jobs worldwide. It's crucial to recruit and train talented professionals far more aggressively, redefining what it means to be qualified so that more people can help drive our digital journey into the future.

Finally, and most importantly, ownership will hold all this together. We all must accept extreme ownership of cybersecurity so that, together, we are stronger. Industry must be an active partner in driving needed changes, as both public and private stakeholders focus on a model of operational collaboration rather than simply sharing information. Only then will we be able to execute a sustainable cybersecurity strategy that allows us to build trust and secure our nation's critical infrastructure over time.

The response to this public attack should lead to meaningful action that moves us forward. By empowering key leaders and organizations to make changes to improve America's cyber posture, as the Biden administration has done so far, we can meet the challenge of this moment.

Kurt John is the Chief Cybersecurity Officer of Siemens USA, where he is responsible for the Cybersecurity strategy, governance and implementation for the company's largest market -- ~$23B in annual revenues. In this role, Kurt oversees the coordination of cybersecurity for ... View Full Bio