Hospitals, water treatment plants, fuel pipelines, email platforms – hackers have targeted these and other critical pieces of modern infrastructure over the last year, threatening our societies’ economic health and security. Business and government need to adopt a wartime mentality to counter this growing and pervasive menace, according to cyber experts convened by Billington CyberSecurity and the Oliver Wyman Forum.
“We have to scale our nation’s effort, both public and private, to an order of magnitude higher,” says Greg Rattray, co-founder of cybersecurity advisory firm Next Peak and a senior advisor to Oliver Wyman. “This is a national security challenge. It is not a future threat.”
This new cybersecurity campaign will be expensive and success won’t come quickly or easily. Small and medium-sized companies will face particular challenges because most lack resources and expertise relative to larger enterprises. Because everyone is at risk, everyone will need to play their part. The public and private sectors need to collaborate like never before because they rely on the same digital supply chains across software services, infrastructure, and suppliers, and are subject to common threats.
Start With a Broad Perspective of the Threat
Organizations need to take an expansive view of where the risks lie in today’s digital economy, says Rattray. Those areas range from cloud-based apps and software services that corporations and governments increasingly depend upon to the data flows that power artificial intelligence engines, he says.
Risk also extends to areas we often don’t think of as being on the front lines of cyber. The recent semiconductor shortage that forced many global automakers to slow production underscores how dependent the economy is on technology and software, says Greg Touhill, the former US chief information security officer who heads the CERT division of Carnegie Mellon University’s Software Engineering Institute. “Every aspect of society and life is touched by an expansive digital ecosystem,” he explains.
The Biden administration’s May 2021 Executive Order on Improving the Nation’s Cybersecurity (EO 14028) provides a good blueprint for responding to today’s growing threat, experts say. It sets out several principles that can foster safer development and operating practices, and it promises to use the government’s vast buying power to drive change across the industry.
“Almost every big company in the space does some business with the federal government,” says Bob Kolasky, head of the Cybersecurity & Infrastructure Security Agency’s National Risk Management Center. This structural feature will encourage and drive private companies to adopt the government’s new security standards, he adds.
Three Key Planks of the New US Approach
Although many issues about the order’s implementation have yet to be resolved, experts say three elements stand out for their potential impact: adopting a zero-trust architecture across federal systems; requiring a software bill of materials (SBOM) that lists every component of a product; and creating a Cyber Safety Review Board to investigate incidents and propose remedial steps.
A zero-trust approach grants no implicit trust based on network location and limits each user, device, or service to the minimum systems, applications, or data needed to fulfill its role. The aim is to contain the damage from any breach or malicious activity and make it easier to isolate and fix a flaw when an incident occurs. Touhill likens this kind of micro-segmentation to pixels in a television screen: you can lose one pixel and still get the picture.
A software bill of materials can also help build trust in digital supply chains, giving companies a clearer picture of their risk exposure and a faster route to the root of a problem when an incident occurs. Turning this good idea into an effective rule will be a challenge, however. Complex software can contain millions of lines of code, some of it derived from code written years ago. Touhill described one project in which investigators traced a problem to a Linux flaw that was 17 years old.
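As an added illustration (not part of the original article or of any speaker’s remarks), the following Python shows the kind of check an SBOM makes possible: it reads a CycloneDX-style SBOM, matches each component against a list of known-vulnerable versions, and reports the dependency path from the shipped product down to the affected component, so an incident responder can see at once whether, and through what, they are exposed. The SBOM, component names, and advisory identifiers are all constructed for this example.

```python
"""Check a CycloneDX-style SBOM against known-vulnerable component versions.

The SBOM and the advisory list below are constructed sample data, not a real
product's bill of materials or a real vulnerability feed.
"""
import json

# Constructed SBOM in the CycloneDX 1.4 JSON shape: a product ("billing") that
# depends on a web framework, which in turn pulls in two transitive libraries.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "pkg:app/billing@3.2.0",
                               "name": "billing", "version": "3.2.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/webframework@2.1.0", "name": "webframework", "version": "2.1.0"},
        {"bom-ref": "pkg:pypi/templating@1.9.3", "name": "templating", "version": "1.9.3"},
        {"bom-ref": "pkg:pypi/xmlparse@0.8.1", "name": "xmlparse", "version": "0.8.1"},
    ],
    "dependencies": [
        {"ref": "pkg:app/billing@3.2.0", "dependsOn": ["pkg:pypi/webframework@2.1.0"]},
        {"ref": "pkg:pypi/webframework@2.1.0",
         "dependsOn": ["pkg:pypi/templating@1.9.3", "pkg:pypi/xmlparse@0.8.1"]},
        {"ref": "pkg:pypi/templating@1.9.3", "dependsOn": []},
        {"ref": "pkg:pypi/xmlparse@0.8.1", "dependsOn": []},
    ],
})

# Constructed advisory feed: component name -> (first fixed version, hypothetical advisory id).
# Versions below "first fixed" are affected.
KNOWN_VULNERABLE = {
    "xmlparse": ("0.9.0", "EXAMPLE-2021-0001"),
    "templating": ("1.9.0", "EXAMPLE-2020-0042"),  # our SBOM carries 1.9.3, already fixed
}


def parse_version(version):
    """Turn a dotted numeric version into a comparable tuple, e.g. '0.8.1' -> (0, 8, 1)."""
    return tuple(int(part) for part in version.split("."))


def load_sbom(text):
    """Return (root bom-ref, {bom-ref: component}, {bom-ref: [dependsOn refs]})."""
    bom = json.loads(text)
    components = {c["bom-ref"]: c for c in bom.get("components", [])}
    root = bom["metadata"]["component"]
    components[root["bom-ref"]] = root
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    return root["bom-ref"], components, graph


def find_paths(graph, start, target, path=None):
    """All dependency paths from start to target (depth-first; graph assumed acyclic)."""
    path = (path or []) + [start]
    if start == target:
        return [path]
    paths = []
    for child in graph.get(start, []):
        paths.extend(find_paths(graph, child, target, path))
    return paths


def find_affected(sbom_text, advisories):
    """Report every vulnerable component in the SBOM together with how the product reaches it."""
    root, components, graph = load_sbom(sbom_text)
    findings = []
    for ref, comp in components.items():
        advisory = advisories.get(comp["name"])
        if advisory is None:
            continue
        fixed_in, advisory_id = advisory
        if parse_version(comp["version"]) < parse_version(fixed_in):
            for path in find_paths(graph, root, ref):
                findings.append({
                    "advisory": advisory_id,
                    "component": f'{comp["name"]}@{comp["version"]}',
                    "fixed_in": fixed_in,
                    "path": " -> ".join(components[r]["name"] for r in path),
                })
    return findings


if __name__ == "__main__":
    for finding in find_affected(SAMPLE_SBOM, KNOWN_VULNERABLE):
        print(finding)
```

Run as a script, the check flags only xmlparse 0.8.1 (templating 1.9.3 is already past its fix version) and prints the path billing -> webframework -> xmlparse. Without the dependency graph an SBOM carries, that transitive exposure is exactly what takes investigators longest to establish after an advisory lands.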
A Cyber Safety Review Board has the potential to dramatically improve the safety of software products just as the US National Transportation Safety Board and similar bodies did in aviation. The key to making this work will be developing a comparable level of transparency. Such an ambition will be demanding, especially at a time when most companies decline or are extremely reluctant to disclose notable incidents such as ransomware attacks.
Any new board should focus on finding the root causes of incidents and disseminating the lessons learned rather than looking to apportion blame. “We as a country need to learn from incidents that have national security implications and share information to make sure it doesn’t happen again,” says Kolasky. While the government can oblige direct contractors to cooperate in such investigations, the private sector may have to be more creative, enlisting suppliers as partners in the drive for greater security, says Rattray.
Cybersecurity Demands an Inclusive Approach and Resiliency
These cybersecurity initiatives will demand a lot of time, money, and expertise. Large, systemically important organizations can probably muster the necessary resources, but the vast majority of companies, particularly small and medium-sized ones, will struggle at best, the experts say. That’s a big gap that policymakers and business leaders will need to plug.
Both sides also need to realize that absolute security is an unattainable goal. Companies need to focus their cyber efforts on securing the most-critical systems and business processes while enhancing their resilience to cope with whatever threats break through.
“We can’t protect against every single thing imaginable,” says Rattray. “You need to be able to be prepared to effectively respond and rapidly recover from bad events.”