At a glance.
- Policy and strategy lessons from Solorigate.
- GAO finds the US Defense Department has difficulty integrating cybersecurity into acquisition programs.
- NSA honors former NCSC chief Ciaran Martin.
Policy lessons from the SolarWinds compromise.
The Aspen Institute has published a set of recommendations from well-known experts on ways in which policymakers might learn from the SolarWinds supply chain compromise and related cyber incidents. The Institute's introductory summary of the campaign is a useful distillation of where consensus about the incident stands at present:
- "The perpetrators almost certainly acted on behalf of the Russian government, who can claim a tremendous intelligence success against the United States."
- "By exploiting security vulnerabilities in popular software used in government and industry, attackers created the opportunity to devastate thousands of organizations."
- "While software sold by a company called SolarWinds was the initial focus of efforts to learn the true scope and scale of the attack, we now know that the attackers also leveraged other vectors in the software supply chain to compromise private networks."
- "It appears that the attackers only stole data. No publicly available evidence suggests that computing systems or data were destroyed, manipulated, or disrupted."
Communicating clear cybersecurity guidelines for weapon systems.
In its Weapon Systems Security Report, released yesterday, the U.S. Government Accountability Office (GAO) said the Department of Defense has had difficulty communicating cybersecurity guidelines to those involved in developing weapon systems. In particular, the GAO thinks the Pentagon needs to do a better job of specifying cybersecurity requirements in its acquisition system: "DOD must communicate its cybersecurity requirements in its acquisition program contracts, just as it would with other types of performance requirements. If the government does not include certain specifications in a contract, it runs the risk that modifications will be needed after award that necessitate the negotiation of an equitable adjustment to provide the contractor with additional time and compensation. DOD guidance says simply, 'if it is not in the contract, do not expect to get it.'"
Chris Grove, technology evangelist with Nozomi Networks, points out that the problem isn't confined to Defense acquisition:
"The problem goes far beyond just the DoD weapon systems. In many cases, the government's cybersecurity requirements aren't provided upfront, leaving many organizations having to face fines and other consequences later in the contracting process.
"If the cybersecurity requirements were clear and easy to navigate for companies looking to do business with the government, more investment could be made in the private sector to accommodate the vast number of potential regulations a product might need to adhere to. Adding additional cost and complexity for products sold into the government without a compensating cost reduction measure, like streamlining the regulatory processes, or providing the requirements upfront, will drive up everyone's costs without actually improving our security posture.
"The CMMC was an excellent step in the right direction; I anticipate this report will add some tailwind to those efforts. In the end, we need cyber-resiliency to be the baseline, not the end goal."
NSA honors former NCSC director.
The US National Security Agency has honored one of its international partners. Ciaran Martin, CB, the founding Chief Executive of Britain's National Cyber Security Centre (NCSC), has been awarded the Gold Foreign Partnership Medallion from the National Security Agency (NSA), on behalf of the United States Government. Martin, who retired from NCSC last year, is now a Paladin Capital Group Managing Director and Professor of Practice in Public Management at the University of Oxford's Blavatnik School of Government.